What is authorisation?
Authorisation defines the roles and permissions of users. Users belong to groups in Azure Active Directory or student management systems, which are mapped to authorisation groups. Groups are then assigned to roles with permissions.
Authentication and authorisation
The authentication of users is managed in Azure Active Directory or a student management system, such as SITS:Vision. Users belong to groups in Azure Active Directory or a student management system, which are mapped to authorisation groups. Groups are then assigned to roles, which have permissions. Therefore, users log in with their user name and password defined in Azure Active Directory or a student management system and have the permissions defined by the roles that their group is assigned to in authorisation.
The image Authentication and authorisation shows how users in Azure Active Directory or a student management system are granted permissions.
Authorisation
Authorisation areas have roles with permissions. Authorisation areas can have child areas. Child areas inherit the roles and permissions of parent areas.
Authorisation areas
Roles and permissions are organised in authorisation areas as follows:
- Products, such as Admissions, Data Engine, Engage, and so on.
- Features, such as Communications, Reference data, Workflow, and so on.
- Web apps for permissions to use applications such as Applications, Data Engine, Admissions settings, and System admin.
- Integrations with products and features, such as Admissions integration, Reference data integration, and SITS integration.
The diagram Authorisation areas shows a group of applications managers assigned to the following:
- The role Applications Manager in the Admissions area Applications.
- The role Application user in the Web apps area Applications so that the users can access the Applications app.
Roles
Authorisation areas have roles with permissions as follows:
- Edge administrator
  The Edge administrator role has all permissions in every area and every web app.
  Attention. New deployments only have the group EdgeAdministrator. Therefore, groups of administrators in Azure Active Directory or a student management system must be mapped to the group EdgeAdministrator to be able to log in and set up the groups, roles, and permissions.
- Predefined roles
  Authorisation areas have roles with permissions suitable for the role. For example, application viewers can only view applications. Predefined roles cannot be deleted, and permissions already granted to the role cannot be removed. However, additional permissions can be granted to predefined roles. For example, some of the permissions granted to Applications managers can be granted to Applications officers.
- Custom roles
  Custom roles can be added to authorisation areas, such as when a predefined role does not meet the requirements of your institution. Custom roles can be granted any of the permissions in the authorisation area.
Inheritance
Authorisation areas may have several child areas. Child areas inherit the roles and permissions of parent areas. Inherited roles and permissions cannot be changed. However, additional permissions can be granted. For example, an applications officer has permissions at all desks defined in the Desk access authorisation area, but is granted additional permissions at a specific desk.
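The following Python sketch is an added illustration, not product code. It resolves effective permissions through the chain described above: directory groups are mapped to authorisation groups, which are assigned to roles, which hold permissions in an area and its parents. Apart from EdgeAdministrator, Desk access and Applications officer, all group, area and permission names are constructed, and the sketch assumes that a role assignment made in a parent area also applies in its child areas.

```python
from dataclasses import dataclass, field

# Directory group -> authorisation group (names constructed, except EdgeAdministrator).
GROUP_MAP = {"admissions-staff": "ApplicationsOfficers", "it-admins": "EdgeAdministrator"}


@dataclass
class Area:
    name: str
    parent: "Area | None" = None
    grants: dict = field(default_factory=dict)       # role -> permissions granted in this area
    assignments: dict = field(default_factory=dict)  # authorisation group -> roles assigned here

    def lineage(self):
        """Yield this area, then each ancestor up to the root."""
        area = self
        while area is not None:
            yield area
            area = area.parent

    def grant(self, role, *perms):
        """Grants are additive only, so a child area can extend but never reduce a role."""
        self.grants.setdefault(role, set()).update(perms)

    def assign(self, group, role):
        self.assignments.setdefault(group, set()).add(role)


def effective_permissions(directory_groups, area):
    """Union of permissions for every role the user's groups hold in area or its parents."""
    groups = {GROUP_MAP[g] for g in directory_groups if g in GROUP_MAP}  # unmapped groups get nothing
    lineage = list(area.lineage())
    roles = {r for a in lineage for g in groups for r in a.assignments.get(g, ())}
    return {p for a in lineage for r in roles for p in a.grants.get(r, ())}


def is_allowed(directory_groups, area, perm):
    """Edge administrators pass every check; everyone else needs an effective grant."""
    if any(GROUP_MAP.get(g) == "EdgeAdministrator" for g in directory_groups):
        return True
    return perm in effective_permissions(directory_groups, area)


# Constructed sample: a parent area with two child desks.
desk_access = Area("Desk access")
desk_a = Area("Desk A", parent=desk_access)
desk_b = Area("Desk B", parent=desk_access)
desk_access.grant("Applications officer", "application.view")
desk_access.assign("ApplicationsOfficers", "Applications officer")
desk_a.grant("Applications officer", "application.assign")  # extra permission at one desk only
```

When reviewing a configuration, compare the result for a child area against its parent: any difference is an additional grant made at the child level, which is where unintended privilege tends to accumulate.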
Authorisation overview