If you have enabled Delegated Administration (DA) for your institution, you must assign administrators explicit access to one or more organizations or departments in order for those users to administer those segments of the system.
There are two aspects to delegating administrator access in the system:
- Giving explicit access to new administrators added to the system
- Removing institution-level access from existing administrators and providing lower-level organization/departmental access
All admins in the system when DA is enabled automatically have institution-level administrative access. All NEW users added as administrators after DA is enabled have no organization access and must have it explicitly assigned.
Enabling access for a higher level automatically enables access to all levels below it. To enable rights for some departments but not others in an organization, you must uncheck the user for the organization first, then enable the user for the individual departments. See Inherited vs. explicitly set permissions below.
Neither Rooms nor Users are subject to the organizational hierarchy These objects are visible and can be administered by all users with an admin role in the system.The only exception is that delegated administrators can only assign other delegated admins within the orgs or depts to which they already have access.
The following procedure assumes you are an institution-level administrator and that you have already enabled Delegated Administration and created one or more organizations or departments.
In addition, you cannot assign or change your OWN rights; you can only do so for other admins. You will NEVER see your own name in the list of Administrators.
To assign delegated administrator access:
- Log in as an administrator and click the Settings icon in the top right corner (it looks like a gear).
- Select Institution Settings.
The Institution and all organizations and departments are listed on the left, with settings and options tabs shown on the right. The Institution node is selected by default.
- Click the Administrators tab that appears on the right side of the page.
All admins listed with a check in this list are institution-level administrators.
- If you want to assign institution-level access for an administrator, ensure the Institution is selected on the left, and check a box for that user in the Administrators list on the right, as shown in the below figure.
- If you want to remove institution-level access for an administrator, ensure the Institution is selected on the left and uncheck the box for that user in the Administrators list on the right.
- To assign delegated access only for a user, use the list on the left to navigate to and select the Department or Organization node to which the user should have administrative rights.
- Click the Administrators list on the right for the selected Dept or Org.
All admins listed with a check in this list are organization or department-level administrators, depending on the node you have selected from the left.
- Find the user you want (using the Search box if necessary).
- Click or remove a check in the box for that user, to assign or revoke administrative access to this organization or department as appropriate, as shown in the below figure.
As a point to note with the above figure, Bertha and George did not have checkmarks at the Institution level, but do have them at the Organizational level; this provides them with delegated access to this organization and the departments within it. The grayed-out checkboxes indicate these admins inherit access to this organization due to their institution-level access. The first admin listed (Admin McAdmin) has a blue check because he has been given explicit rights to this organization. This means that unlike for the other admins, if the institution-level checkbox is cleared for this admin, he will still be able to manage this organization, unless this box is also explicitly cleared at the organization level. See the below section for further details.
- Repeat from Step 6 above to assign/remove access from a different Dept/Org.
The selected user now has administrative rights for the objects (courses, sections, schedules, and captures) located in the checked hierarchical level(s), and in all Depts within the selected Org if applicable.
REMEMBER: Enabling access for an organization automatically enables access to all departments within it. To enable rights for some departments but not others in the organization, you must uncheck the user for the organization first, then enable the user for the individual departments. In addition, removing a check from the organization level may not automatically remove permissions from the departments within it, if they were ever explicitly set. See Inherited vs. explicitly set permissions below.
Inherited vs. explicitly set permissions
Understand that permissions are given from the top down, but not necessarily removed from the top down, once explicitly set at lower levels. The system assumes that if you have higher level administrative permissions, you can automatically administer all items below that in the hierarchy. Lower levels inherit access from upper levels.
The first time you configure administrative access, removing upper-level permissions automatically clears all lower level permissions for that user. But this is only true until you explicitly set admin access at a lower level. Once that is done, that node will inherit access but it will NOT inherit restriction or non-access (checkbox clearing) from the upper level. At this point, clearing the checkbox at the upper level only removes the check (access) for lower nodes that were never explicitly set. Once explicitly set at a lower level node, administrative privileges must also be explicitly removed from the lower level node, if and when that is desired.
Basically, here is how it works:
- Any admin who has permission (box is checked) at the Institution level can see and administer all items in the system. All Admins have institution-level permissions by default.
- In order to limit access for an admin to an Org/Dept, you must disable (uncheck) admin access at the institution level first. The first time this is done for a user, this action CLEARS all permissions for all Organizations and Departments.
- You must enable (check) the user for admin access to the appropriate Organization or Department node(s). You have now explicitly enabled admin access to that node.
- If you enable admin access to an organization, that user can administer all items for the organization as well as for all departments within that organization.
- If you must delegate administrative rights to a user for multiple (but not all) departments within an organization, the user must be unchecked at the organization level, then checked for each department separately.
- If you ever need to revoke organization or department permissions, you must explicitly uncheck the user for the appropriate node(s). You cannot remove or "reset" explicitly set lower level permissions by checking-then-unchecking the higher level node. Any lower levels that were not checked before, retain the inherited setting; those that were explicitly checked must be explicitly unchecked.
- There is no way to delegate permissions for objects that reside in an organization only (no department) without also giving permissions to all departments within that organization. If this type of permission is needed, you must create a separate department to contain all of those objects, then give administration rights to that department.
IMPORTANT: If you have objects in the system that are not assigned to an organization or department, only administrators with Institution-level admin permissions will have access to those objects. You may need to assign or re-assign items within your system accordingly.