05 February 2024

What is authorisation?

Authorisation defines the roles and permissions of users. Users belong to groups in Azure Active Directory or student management systems, which are mapped to authorisation groups. Groups are then assigned to roles with permissions.

Authentication and authorisation

The authentication of users is managed in Azure Active Directory or a student management system, such as SITS:Vision. Users belong to groups in Azure Active Directory or a student management system, which are mapped to authorisation groups. Groups are then assigned to roles, which have permissions. Therefore, users log in with their user name and password defined in Azure Active Directory or a student management system and have the permissions defined by the roles that their group is assigned to in authorisation.

The authentication method is defined when completing the document Tribal Edge Core Branding & Pre-Requisite Template, which is available on Tribal Communities.

The image Authentication and authorisation shows how users in Azure Active Directory or a student management system are granted permissions.

Authentication and authorisation
Image showing the users and groups in a student management system or Azure Active Directory, and the groups, roles, and permissions in Edge

Authorisation

Authorisation areas have roles with permissions. Authorisation areas can have child areas. Child areas inherit the roles and permissions of parent areas.

Authorisation areas

Roles and permissions are organised in authorisation areas as follows:

  • Products, such as Admissions, Data Engine, Engage, and so on.

  • Features, such as Communications, Reference data, Workflow, and so on.

  • Web apps, for permissions to use applications such as Applications, Data Engine, Admissions settings, and System admin.

  • Integrations with products and features, such as Admissions integration, Reference data integration, and SITS integration.

The diagram Authorisation areas shows a group of applications managers with the following assignments:

  • Assigned to the role Applications Manager in the Admissions area Applications.

  • Assigned to the role Application user in the Web apps area Applications so that the users can access the Applications app.

Authorisation areas
Diagram showing how permissions are assigned to roles

Roles

Authorisation areas have roles with permissions as follows:

Edge administrator
The Edge administrator role has all permissions in every area and every web app.
Attention: New deployments only have the group EdgeAdministrator. Therefore, groups of administrators in Azure Active Directory or a student management system must be mapped to the group EdgeAdministrator to be able to log in and set up the groups, roles, and permissions.
Predefined roles
Authorisation areas have roles with permissions suitable for the role. For example, application viewers can only view applications. Predefined roles cannot be deleted, and permissions already granted to a predefined role cannot be removed. However, additional permissions can be granted to predefined roles. For example, some of the permissions granted to Applications managers can be granted to Applications officers.
Custom roles
Custom roles can be added to authorisation areas, such as when a predefined role does not meet the requirements of your institution. Custom roles can be granted any of the permissions in the authorisation area.

Inheritance

Authorisation areas may have several child areas. Child areas inherit the roles and permissions of parent areas. Inherited roles and permissions cannot be changed. However, additional permissions can be granted. For example, an applications officer has permissions at all desks defined in the Desk access authorisation area, but is granted additional permissions at a specific desk.
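
The following added example (an illustrative model, not Tribal Edge code or its API) resolves a user's permissions in one area: directory groups map to authorisation groups, groups hold roles in an area, and a child area can add to what it inherits but cannot remove it. The area, role, group and permission names are hypothetical, and applying a parent-area role assignment in child areas is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Area:
    name: str
    parent: "Area | None" = None
    grants: dict = field(default_factory=dict)   # role -> permissions granted in this area
    members: dict = field(default_factory=dict)  # role -> authorisation groups assigned here

    def inherited(self, role):
        """Permissions the role receives from parent areas; not changeable here."""
        return self.parent.effective(role) if self.parent else set()

    def effective(self, role):
        return self.inherited(role) | self.grants.get(role, set())

    def grant(self, role, permission):
        self.grants.setdefault(role, set()).add(permission)

    def revoke(self, role, permission):
        if permission in self.inherited(role):
            raise PermissionError(f"{permission!r} is inherited in {self.name!r}")
        self.grants.get(role, set()).discard(permission)

    def roles_of(self, group):
        """Assumption: a role assignment made in a parent area applies in its children."""
        up = self.parent.roles_of(group) if self.parent else set()
        return up | {r for r, groups in self.members.items() if group in groups}

def user_permissions(directory_groups, group_map, area):
    """Directory groups -> authorisation groups -> roles -> permissions in one area."""
    perms = set()
    for directory_group in directory_groups:
        auth_group = group_map.get(directory_group)
        if auth_group is None:  # unmapped directory groups grant nothing
            continue
        for role in area.roles_of(auth_group):
            perms |= area.effective(role)
    return perms

# Constructed sample data; every name below is hypothetical.
desk_access = Area("Desk access")
desk_a = Area("Desk A", parent=desk_access)
desk_b = Area("Desk B", parent=desk_access)
desk_access.grant("Applications officer", "view")
desk_access.members["Applications officer"] = {"ApplicationsOfficers"}
desk_a.grant("Applications officer", "approve")
GROUP_MAP = {"AAD-Admissions-Officers": "ApplicationsOfficers"}
```

Comparing `user_permissions` across sibling areas shows where a role holds more than its inherited baseline, which is the set to examine in an access review.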

Authorisation overview

The video Authorisation overview describes the authorisation areas, roles, permissions, and custom roles.

Authorisation overview