Purpose of user groups
Creating user groups simplifies the management of roles and rights, especially with a large number of users. For example, an entire group can be granted the Log Auditor role, whereby all members of this group (users who have been added to it) automatically become Log Auditors.
Additionally, a group can be granted access rights to individual Data Rooms so that all members of this group can access selected Data Rooms with clearly defined rights. These rights and roles then don’t have to be assigned to each user individually. Instead, they are defined once for a group, to which the corresponding members are then assigned.
Individual users can still be granted additional roles and Data Room rights in the user management. These individually allocated roles and rights apply in addition to those that result from group membership.
Showing user group overview
To show the user group overview in DRACOON, first click Users & Groups in the Toolbox and then Groups.
The user group overview is only available if you hold the role of the user manager (see “issued roles” below).
Creating a group
To create a new group, click “Add user group” in the user group overview:
A new group is created in three steps, each of which has its own tab:
- Entering group information and distributing administrative roles, if necessary
- Determining group members, if necessary
- Granting the group access to specific Data Rooms (provided that you are Data Room Admin)
Enter the group’s name here.
You can enter an expiry date for the group here. After the expiry date, the group is automatically and permanently deleted from the system and cannot be restored. However, the files that users saved in DRACOON are not affected and are preserved in the system. The assignment of members to the group (group memberships) as well as the corresponding access rights to Data Rooms are also removed.
In this field, you can assign one or more of the 5 administrative Data Space roles to the group. All members of the group will automatically receive the assigned roles.
A description of the individual roles can be found in the User Management article.
New in Version 4: The option to assign roles to groups is a new feature in Version 4. Before, it was only possible to assign roles to individual users.
In this tab, you can assign members to a group.
To add members, select the users that are to become group members in the left column. If there is a large number of users in the system, you can enter a user name in the search field to quickly find and add them. The selected users will be listed in the blue column on the right side and will have a check mark added to their user name in the left column.
You can remove a user from a group by clicking the X to the right of the user name in the right column (by doing so, the user is only removed from the group, not from DRACOON).
When a Group Manager adds a user to a user group, this doesn’t guarantee that the new user will immediately be allowed to access the Data Rooms which have been authorized for the given group. DRACOON’s security concept is designed in such a way that only the Data Room Admins can control and grant access to their Data Rooms. A Data Room Admin can choose to be notified when new users are admitted to a group and would thereby obtain access to the Data Rooms through the group’s access rights. The Data Room Admin has the final say and can reject the new user so that even though they are a member of the group, they cannot access the group’s Data Rooms.
Alternative: A user’s group memberships can also be managed in the User Administration. This can be useful if you want to add a new user and directly assign them to one or more groups. These group assignments can be directly managed in the dialogue box when adding a new user in the tab Group memberships.
Data room permissions
This tab allows you to grant a group access rights to Data Rooms, so that all members of the group can access a given Data Room with clearly defined rights. On the left-hand side, select the Data Room to which the group is to be given access. Then, on the right-hand side, select the rights that the group is to have in this Data Room.
- You can only distribute access rights for Data Rooms of which you are a Data Room Admin.
- If a group has access to a Data Room, it does not automatically have access to the Data Room’s subordinate Data Rooms. The access rights to subordinate Data Rooms must be granted separately. (However, a Data Room Admin of a subordinate Data Room can select in the Data Room administration that the subordinate Data Room automatically “inherits” the superordinate Data Room’s access rights. By doing so, access rights to subordinate Data Rooms do not have to be defined separately but are transferred automatically from the superordinate Data Room and thereby also apply to the subordinate Data Room.)
- Group rights apply in addition to user rights. If a specific user has been granted certain rights to Data Rooms (e.g. in user administration), these rights apply in addition to those that they have received through group memberships.
- New in Version 4: User groups can now also be granted access rights to encrypted Data Rooms (Data Rooms that are encrypted through TriplyCrypt® Technology).
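The rules above, together with the Data Room Admin's right to reject a new group member, can be checked against a small model when auditing who can reach which Data Room. This is an added example, not DRACOON code or its API: the Room class, the right names ("read", "create"), the per-room rejected set and all sample users, groups and rooms are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Room:
    name: str
    parent: "Room | None" = None
    inherit: bool = False    # sub-room takes over the superordinate room's rights
    user_rights: dict = field(default_factory=dict)   # user -> set of rights
    group_rights: dict = field(default_factory=dict)  # group -> set of rights
    rejected: set = field(default_factory=set)        # (user, group) refused by the admin

def effective_rights(user, room, memberships):
    """Return the rights `user` holds in `room` under the rules listed above."""
    # An inheriting sub-room is evaluated with its superordinate room's rights.
    while room.inherit and room.parent is not None:
        room = room.parent
    rights = set(room.user_rights.get(user, ()))      # individually granted rights
    for group in memberships.get(user, ()):
        if (user, group) in room.rejected:
            continue    # Data Room Admin rejected this member: group rights withheld
        rights |= room.group_rights.get(group, set())  # group rights are additive
    return rights

def build_sample():
    """Constructed sample data; room, user, group and right names are made up."""
    projects = Room("Projects",
                    user_rights={"alice": {"create"}},
                    group_rights={"auditors": {"read"}},
                    rejected={("bob", "auditors")})
    archive = Room("Projects/Archive", parent=projects)              # no inheritance
    shared = Room("Projects/Shared", parent=projects, inherit=True)  # inherits
    memberships = {"alice": {"auditors"}, "bob": {"auditors"}}
    return projects, archive, shared, memberships

if __name__ == "__main__":
    projects, archive, shared, memberships = build_sample()
    for user in ("alice", "bob"):
        for room in (projects, archive, shared):
            print(user, room.name, sorted(effective_rights(user, room, memberships)))
```

In the sample, the subordinate room without inheritance yields no rights even for a user with full access to its superordinate room, and the rejected group member gets nothing from the group anywhere.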
Editing a group
In the user group overview, you can subsequently edit the expiry date, distributed roles, and access rights to Data Rooms of individual user groups.
Deleting a group
In addition to editing a group, you can delete user groups when in the user group overview. By doing so, the group is permanently removed from the system and cannot be recovered. All user assignments to the group (i.e. group memberships), as well as the corresponding Data Room access rights, are also removed (the users themselves are not removed from the Data Space).