04 June 2024

What is authorisation?

Authorisation defines the roles and permissions of users. Users belong to groups in Azure Active Directory or student management systems, which are mapped to authorisation groups. Groups are then assigned to roles with permissions.

Authentication and authorisation

The authentication of users is managed in Azure Active Directory or a student management system, such as SITS:Vision. Users belong to groups in Azure Active Directory or a student management system, which are mapped to authorisation groups. Groups are then assigned to roles, which have permissions. Therefore, users log in with their user name and password defined in Azure Active Directory or a student management system and have the permissions defined by the roles that their group is assigned to in authorisation.

The authentication method is defined when completing the document Tribal Edge Core Branding & Pre-Requisite Template, which is available on Tribal Communities.

The image Authentication and authorisation shows how users in Azure Active Directory or a student management system are granted permissions.

Authentication and authorisation
Image showing the users and groups in a student management system or Azure Active Directory and groups, roles, and permissions

Authorisation

Authorisation areas have roles with permissions. Authorisation areas can have child areas. Child areas inherit the roles and permissions of parent areas.

Authorisation areas

Roles and permissions are organised in authorisation areas as follows:

  • Products, such as Admissions, Data Engine, Engage, Submissions, and so on.

  • Features, such as Communications, Reference data, Workflow, and so on.

  • Web apps, for permissions to use applications such as Applications, Data Engine, Admissions settings, Submissions, and System admin.

  • Integrations with products and features, such as Admissions integration, Reference data integration, and SITS integration.

The diagram Authorisation areas shows a group of applications managers assigned to the following:

  • The role Applications Manager in the Admissions area Applications.

  • The role Application user in the Web apps area Applications, so that the users can access the Applications app.

Authorisation areas
Diagram showing how permissions are assigned to roles

Roles

Authorisation areas have roles with permissions as follows:

Edge administrator
The Edge administrator role has all permissions in every area and every web app.
Attention. New deployments only have the group EdgeAdministrator. Therefore, groups of administrators in Azure Active Directory or a student management system must be mapped to the group EdgeAdministrator to be able to log in and set up the groups, roles, and permissions.

Predefined roles
Authorisation areas have roles with permissions suitable for the role. For example, application viewers can only view applications. Predefined roles cannot be deleted, and permissions already granted to a predefined role cannot be removed. However, additional permissions can be granted to predefined roles. For example, some of the permissions granted to Applications managers can be granted to Applications officers.

Custom roles
Custom roles can be added to authorisation areas, such as when a predefined role does not meet the requirements of your institution. Custom roles can be granted any of the permissions in the authorisation area. System administrators can create system-wide (global) roles and role assignments. That is, the role is added to all the authorisation areas and the permissions are defined as required.

Inheritance

Authorisation areas may have several child areas. Child areas inherit the roles and permissions of parent areas. Inherited roles and permissions cannot be changed. However, additional permissions can be granted. For example, an applications officer has permissions at all desks defined in the Desk access authorisation area, but is granted additional permissions at a specific desk.
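The inheritance rule above, sketched as an added example that is not Tribal Edge code: a child area's role permissions are the parent's plus any additional grants, and an inherited permission cannot be removed from the child. The Area class, the child area "Desk A", the group name, and the permission names are hypothetical, and the sketch assumes that group-to-role assignments also carry down to child areas.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model for illustration; not Tribal Edge's API or data model.
@dataclass
class Area:
    name: str
    parent: Optional[Area] = None
    grants: dict = field(default_factory=dict)       # role -> permissions granted in this area
    assignments: dict = field(default_factory=dict)  # group -> roles assigned in this area

    def grant(self, role: str, *permissions: str) -> None:
        self.grants.setdefault(role, set()).update(permissions)

    def assign(self, group: str, role: str) -> None:
        self.assignments.setdefault(group, set()).add(role)

    def inherited(self, role: str) -> set:
        return self.parent.role_permissions(role) if self.parent else set()

    def role_permissions(self, role: str) -> set:
        # Inherited permissions plus anything granted additionally in this area.
        return self.inherited(role) | self.grants.get(role, set())

    def revoke(self, role: str, permission: str) -> None:
        # Inherited permissions cannot be changed from a child area.
        if permission in self.inherited(role):
            raise PermissionError(f"{permission!r} is inherited by {self.name}")
        self.grants.get(role, set()).discard(permission)

    def group_roles(self, group: str) -> set:
        # Assumption: role assignments carry down to child areas as well.
        up = self.parent.group_roles(group) if self.parent else set()
        return up | self.assignments.get(group, set())

    def effective(self, groups: list) -> set:
        return {p for g in groups for r in self.group_roles(g)
                for p in self.role_permissions(r)}

def build_example():
    # Constructed sample data: child area, group and permission names are made up.
    desk_access = Area("Desk access")
    desk_a = Area("Desk A", parent=desk_access)
    desk_access.grant("Applications officer", "View applications")
    desk_access.assign("ApplicationsOfficers", "Applications officer")
    desk_a.grant("Applications officer", "Edit applications")  # additional, desk-specific
    return desk_access, desk_a

if __name__ == "__main__":
    parent, child = build_example()
    print(sorted(parent.effective(["ApplicationsOfficers"])))
    print(sorted(child.effective(["ApplicationsOfficers"])))
```

When reviewing a real configuration, the same question applies to every child area: which permissions arrive by inheritance and which were granted additionally at that level, since only the latter can be removed there.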

Show required permissions

Users can share pages, such as by sending a copy of the URL. However, this may result in some users being denied access as they don't have the required permissions to view the pages.

Instead of showing the Access is denied page, you can choose to display the permissions required to view a page for groups of users, such as applications managers. Therefore, when contacting the system administrator, users can simply state which permissions are required. For users to view the required permissions, they must have the Admin area permission Show required permissions. Note that required permissions are also shown in Power Automate flow responses.

The table Show required permissions shows how users are informed of the permissions needed to view a page when they have the permission Show required permissions.

Show required permissions

Access denied:

  Access is denied
  You don't have permissions to view this page.
  Request access from your system administrator.
  Go to gateway page

Show required permissions:

  Access is denied
  You don't have permissions to view this page.
  Area: Data Engine > Management
  Permission name: Control Data Engine
  Request access from your system administrator.
  Go to gateway page

Authorisation overview

The video Authorisation overview describes the authorisation areas, roles, permissions, and custom roles.

Authorisation overview