Manage Groups, Permissions, and Global Roles

A Group is a collection of users who have similar roles in an organization and who need to perform similar tasks on the Evolve site.

User Permissions are controlled through Groups. To assign permissions to users, add them to a group and assign permissions to the group as a whole.

Each group has a set of capabilities associated with it. These capabilities include creating, reviewing, and running files. Evolve includes a set of predefined groups for you to start with. You can modify these predefined groups according to the way you want to manage library and solution permissions. As an administrator, you can create any number of groups, and you can define group permissions according to your specific requirements.

With the exception of predefined global roles for administration (see administration-related pre-defined Global Roles), predefined and customized user groups are app-specific.

You can control library permissions through groups (see Manage Library Permissions). By default, solutions inherit permissions from the associated library. You can customize (edit) inherited library permissions.

Manage groups

You can perform the following on the Manage Groups tab:

View groups

To view existing groups:

  1. Click the Apps menu. Go to the app for which you would like to view groups and click the icon in the Actions column.
  2. Click Configurations.
  3. Click on the Manage Groups tab to see the following:
    • Group Name
    • Description
    • Users (includes the number of users in the group)

Create a new group

Note:

The default (“predefined”) groups exist in all apps. Group details (such as which users belong to a group) are not included in all apps.

You can create new groups for your apps.

To create a new group:

  1. Click the Apps menu. Go to the app for which you would like to create a new group and click the icon in the Actions column.
  2. Click Configurations. Then click the Manage Groups tab.
  3. Click Add. Enter the group name and description and click Save. You will be notified that the group was added and the new group will be listed on the Manage Groups tab for that app.

Edit a group

You can change ("edit") the group name and description. To edit a group:

  1. Click the Apps menu. Go to the app for which you would like to edit the group and click the icon in the Actions column.
  2. Click Configurations, and click the Manage Groups tab.
  3. Select a group and click Edit.
  4. Change the group name or description and click Save.
  5. Changes update immediately and can be viewed on the Manage Groups tab. If the updates do not show, refresh the page.

Add users to a group

To add users to a group:

  1. Click the Apps menu. Go to the app for which you would like to add users to a group and click the icon in the Actions column.
  2. Click Configurations and then click the Manage Groups tab.
  3. Click on the number in the Users column which corresponds to the group.
  4. The Assign Users window will appear.
  5. To add a user, select a name from the User field and click Add. The name will appear in the Assigned Users window. Changes update immediately and can be viewed on the Manage Groups tab. If updates do not show, refresh the page.
    Further Information:
    • Users receive an email notification when they have been added to a group.

    • Groups and group permissions are specific to each app. For example, users in a Solution Reviewer group in App 1 will not automatically be in a Solution Reviewer group in App 2; they must be added to these two groups independently.

    • When a user is added to a group, all permissions associated with that group are automatically assigned to that user.

Remove users from a group

To remove users from a group:

  1. Click the Apps menu. Go to the app for which you would like to remove users from a group and click the icon in the Actions column.
  2. Click Configurations and click the Manage Groups tab.
  3. Click the number in the Users column which corresponds to the group.
  4. The Assign Users window will appear.
  5. To remove a user, hover over the user’s name under the Assigned User window and click the delete icon. When prompted to confirm the deletion, click Yes. (To search for users in the group, you can opt to use the Search Users box.) Changes update immediately and can be viewed on the Manage Groups tab. If updates do not show, refresh the page.
    Further Information:
    • Users receive an email notification when they have been added to a group.

    • Groups and users within a group are specific to each app. For example, users deleted from a Solution Reviewer group in App 1 must be separately deleted from a Solution Reviewer group in App 2.

    • When users are removed from a group, they no longer have the permissions associated with that group.

Predefined user groups for apps

As an App Administrator, you can see the predefined user groups below.

Group | Description
Originator | Users in this group can launch new processes.
Data Reviewer | Users in this group can review processes.
Solution Reviewer | Users in this group can review solutions.
Solution Developer | Users in this group can create new solutions.

Manage permissions and roles with AD Groups

Note:
  • The AD Sync feature is supported with Windows, SAML and OAuth authentication.

  • For AD Groups with 300 or more users, jobs run in the background (Background mode). For AD Groups with fewer than 300 users, jobs run in the foreground.

  • If the user count in an AD Group is 300 or more, a warning message is displayed.

  • To make sure the application users are in sync with AD, the AD Sync job should run daily, outside business hours.

  • Scheduling the AD Sync job weekly or at the weekend is not recommended, as this causes security concerns. For example, a user is deleted from AD, but the user's Evolve application access will be revoked only after 7 days.

AD Groups: App Roles Sync

An Admin can manage all App Group assignments to users through AD Groups. Users have these App Groups assigned automatically if their AD Groups are added to these App Groups.

AD Group: App Roles Sync - Details

  • The application allows App Admins / Global Admins to set one or multiple AD Groups for an “App Group”.
  • The same AD Group can also be added to other Groups of the same App.
  • The App’s Group is assigned only if the user already exists in the Evolve application. Note: Managing App roles from an AD Group does not add a user automatically if the user does not exist. A user is added only if one of the user's AD Groups is mapped in the Licensing module.
  • Any App Group added or assigned manually to a user by an App Admin is not removed by the AD Group sync feature.
  • An App Admin can manually remove a user from any App Group (whether added manually or by the AD Group sync feature). The AD Group sync feature (Sync Job or manual sync) adds this App Group to the user again if the user’s AD Group is still mapped in the App Group. Therefore, it is recommended to remove the user from the AD Groups too.
  • Adding an AD Group to an App Group adds all the users of the AD Group to this App Group. These users must already exist in the application; unlike license sync, this does not add new users to the application.
  • Removing an AD Group from an App Group removes all users of this AD Group from the current App Group. Note: Because multiple AD Groups can be added to an App Group, a user may also exist in another AD Group of the current App Group; in such cases these users remain in the App Group.
  • A user can refresh/sync their Licenses and App Groups from the “My licenses” or “My roles” pages. A refresh/sync request from either page always syncs both Licenses and App Groups.
  • Removing or adding users in AD Groups: these changes are applied only by the Sync Job or by the user's manual sync action.
Note:

Users receive a notification for any change or update completed through AD Sync.
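
The sync rules in the Details list above, modelled as an added example (this is not Evolve's code or API). It shows why a user can keep, or regain, an App Group after an administrator removes them. AppGroup, run_sync, admin_remove, retention_reasons and all user and AD Group names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class AppGroup:
    name: str
    mapped_ad_groups: set = field(default_factory=set)  # AD Groups mapped to this App Group
    manual: set = field(default_factory=set)   # users assigned by hand by an App Admin
    synced: set = field(default_factory=set)   # users assigned by AD Sync

    def members(self):
        return self.manual | self.synced


def run_sync(group, ad_membership, evolve_users):
    """Sync Job or manual sync: recompute the AD-derived members of one App Group."""
    entitled = set()
    for ad_group in group.mapped_ad_groups:
        entitled |= ad_membership.get(ad_group, set())
    # App Roles sync never creates users; they must already exist in Evolve.
    group.synced = entitled & evolve_users
    return group.members()  # manual assignments are never touched by the sync


def admin_remove(group, user):
    """App Admin removes a user by hand, however the user was added."""
    group.manual.discard(user)
    group.synced.discard(user)


def retention_reasons(group, user, ad_membership):
    """Why `user` keeps this App Group, or gets it back at the next sync."""
    reasons = ["manual assignment"] if user in group.manual else []
    for ad_group in sorted(group.mapped_ad_groups):
        if user in ad_membership.get(ad_group, set()):
            reasons.append("mapped AD Group: " + ad_group)
    return reasons


def demo():
    # Constructed sample data (hypothetical names).
    ad = {"CORP\\Finance-Reviewers": {"alice", "bob", "carol"},
          "CORP\\Audit": {"bob", "dave"}}
    evolve_users = {"alice", "bob", "dave", "erin"}  # carol has no Evolve account
    g = AppGroup("Data Reviewer", {"CORP\\Finance-Reviewers", "CORP\\Audit"},
                 manual={"erin"})
    out = {"initial": run_sync(g, ad, evolve_users)}
    admin_remove(g, "alice")                  # removed in Evolve only, still in AD
    out["after_manual_remove"] = g.members()
    out["after_next_sync"] = run_sync(g, ad, evolve_users)   # alice is back
    g.mapped_ad_groups.discard("CORP\\Finance-Reviewers")    # unmap one AD Group
    out["after_unmap"] = run_sync(g, ad, evolve_users)
    out["bob_reasons"] = retention_reasons(g, "bob", ad)
    out["erin_reasons"] = retention_reasons(g, "erin", ad)
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(step, sorted(value))
```

Running retention_reasons over a list of leavers before offboarding shows which assignments need a manual removal in Evolve and which need an AD change plus a sync.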

Add AD Groups for App Roles Sync

To add an AD Group for App Roles sync:

  1. Go to the Configuration page of the App for which you want to add an AD Group.
  2. On the Manage Groups tab, select the app group for which you want to add the AD Group by clicking the number in the AD Group column.
  3. In the panel that opens, provide the AD Group name and domain. You can also use the Lookup AD Group option to search for AD Groups.
  4. Once the group is located and added, click Add. You will receive a confirmation message that the group has been added successfully.

Remove AD Groups for App Roles Sync

To remove an AD Group for App Roles sync:

  1. Go to the Configuration page of the App for which you want to remove the AD Group.
  2. On the Manage Groups tab, select the app group for which you want to remove the AD Group by clicking the number in the AD Group column.
  3. In the panel that opens, click the Delete icon next to the AD Group that you want to remove.
  4. Once the group is deleted, you will receive a notification that the group has been removed successfully.

Manage Portals

The Portal page has a User management feature on the Portal Administration link. Clicking the Groups section opens a panel to add an AD Group.

Administrators can manage all Portal Group assignments to users with AD Groups. Users will get these Portal Groups assigned automatically if their AD Groups are added to these Portal Groups. Below are the specific details:

Manage Portals - Details

  • The application allows a Global Administrator to set one or multiple AD Groups.
  • The same AD Group can also be added to other Portals.
  • The user is created in the Evolve application when added from the Portal page. Note: This user will be added if not present as an External IDP User.
  • Any Portal Group added or assigned manually to a user by an App Admin is not removed by the AD Group sync feature.
  • An Administrator can manually remove a user (added manually or by the AD Group sync feature) from any Portal. The AD Group sync feature (Sync Job) adds this user to the Portal again if the user is still present in an AD Group of the Portal. Therefore, it is recommended to remove the user from the AD Groups too.
  • Adding an AD Group to a Portal adds all the users of the AD Group to this Portal Group.
  • Removing an AD Group from a Portal removes all users of this AD Group from the current Portal. Note: Because multiple AD Groups can be added to a Portal Group, a user may also exist in another AD Group of the current Portal Group; in such cases these users remain in the Portal.
  • AD Group Sync is not applicable for External Type Portals.
  • A Portal group added to an Internal Portal is treated as Evolve IDP if Override settings are kept as False. In that case, the same Evolve IDP settings are used.
  • For a Portal group added to an Internal Portal with Override settings as True, the IDP settings entered while configuring Evolve are used. Groups are also fetched for this IDP.
  • A Windows portal does not offer the Override settings option, as a cross combination is not possible.
  • If the Sync operation is performed by adding a job or by an automatically scheduled job, it affects all groups added.
  • Removing or adding users in AD Groups is applied only by the Sync Job or by the user's manual sync action.
  • Emails will be separate ones, as sent to users for license assignment. This will include the Portal assignment / revoke email format.
  • A Portal of internal type with Override settings as False is synced along in re-login scenarios in which the user automatically logs in and a license or apps are assigned, or the user is created.
  • A Portal re-login from the Internal IDP with Override settings as False syncs the created user for Licenses and Apps for that group.
  • A Portal re-login from the Internal IDP with Override settings as True only assigns that particular Portal group.

Manage Portal Users with User Sync Feature

A Portal administrator can manage Portal Group assignments to users with AD Groups. Users get these Portal Groups assigned automatically if their AD Groups are added to the Portal Group.

Manage Portal Users - Details

  • AD Group Sync is not applicable for External Type Portals.
  • The Portal page has an AD Groups column in the grid. Clicking the link opens a panel to add an AD Group.

Note:

To fetch the users in lookup, as set in the customer's Active Directory, the following configuration key is added in the Advanced Settings for Active Directory (Windows Authentication):

  • Category – IDPDeletedUserStates

  • Config Key – Windows

  • Config Value – Empty value

By default, the value is empty, to support previous builds.

For the property names to use, refer to the table in UserAccountControl property flags - Windows Server.

Example – ACCOUNTDISABLE;LOCKOUT

Assignment of Portal

This operation will add all the users of the AD Group to this Portal’s Group.

Assignment of Portal - Details

  • If the number of users in the AD Group is less than 300, the operation runs instantly, and the screen is halted until the operation completes.
  • If the number of users in the AD Group is greater than 300, an AD Group Sync job for the selected app group is scheduled and processed in the background. The status of this job can be checked from the System Jobs page.

Revocation of Portal

This operation will remove access for all the users of the AD Group from the current Portal.

Note:

Because multiple AD Groups can be added to a Portal Group, a user may also exist in another AD Group of the current Portal Group; in such cases these users remain in the Portal.

Revocation of Portal - Details

Users in the AD Group are added to the Evolve application when the AD Group is added from the Portal page.

Note:

The user will be added if not present as a Portal User (i.e. IDP is set off for this user or external user). This means the user has access only to the portal and not to the Evolve site.

  • Any Portal access assigned manually to a user by a Portal Administrator is not revoked by the AD Group sync feature.
  • An Admin can manually remove a user (added manually or by the AD Group sync feature) from any Portal. The AD Group sync feature (Sync Job) adds this user to the Portal again if the user is still present in an AD Group of the Portal. Therefore, it is recommended to remove the user from the AD Groups too.
  • Emails are sent for Portal assignment / revoke.
  • When a user in a configured AD Group logs in to the Evolve site or client, license assignment, apps assignment and user creation happen as described in the License and App assignment section. Portals of internal type with Override settings as False are now also synced for the user.

Global roles

As a Global Administrator, you can add users to the following administration-related and visitor global roles:
  1. Global Administrator
  2. Reports Administrator
  3. Visitor

Global Role | Description
Global Administrator | Highest level of permissions. Can perform any action on the site related to users, licenses and apps.
Reports Administrator | Can create reports.
Visitor | Can view submitted processes and other supporting documents in the Content menu.

Further information: The Visitor role should not be provided along with any other role; that would grant more access to the Visitor user than is intended. Licenses should not be assigned to users who have only the Visitor role as visitors will not use Studio for script development or review.

Add or remove users

You can add or remove administrators or visitors.

To add users to administration-related or visitor global roles:

  1. Click the Settings menu and then click Administrators.
  2. Click Edit. Select a name from the user drop-down list in the Administration group.
  3. Click Save. You will be notified that the changes have been saved successfully. If the updates do not show, refresh the page.

To remove users from administration-related or visitor global roles:

  1. Click the Settings menu and then click Administrators.
  2. Click Edit. Click the ‘X’ next to each user you need to delete from the Administration group.
  3. Click Save. You will be notified that the changes have been saved successfully. If the updates do not show, refresh the page.

Manage library permissions

You can add or remove groups to manage library permissions. Solutions inherit all permissions associated with the library they belong to.

Library Type | Permission Type | Permission
Transaction | Process Permissions | Originator; Data Reviewer
Transaction | Library Solution Permissions | Solution Developer; Solution Reviewer
Query | Process Permissions | Originator
Query | Library Solution Permissions | Solution Developer; Solution Reviewer
Excel Solution | Process Permissions | Originator
Excel Solution | Library Solution Permissions | Solution Developer; Solution Reviewer
Forms | Process Permissions | Originator
Forms | Library Solution Permissions | Solution Developer
Reference Data | Process Permissions | Originator; Data Reviewer
Reference Data | Library Solution Permissions | Solution Developer

Permission Types: definitions

  1. Library Solution Permissions manage Solution access for a) development and b) review. See just below for definitions.
    1. Solution Developer. When a Group is added to this permission, the users within that Group can create or update solutions within this library. Example: If it is a Transaction type library, users can create or update Transaction solutions in this library. Note that for this Transaction library example, the user must have the required valid license.

    2. Solution Reviewer: When a Group is added to this permission, the users within that Group can be the solution reviewer – for the solution within this library only. If this is a Transaction type library, these users will be listed in the Reviewers list and the solution submitter can select one of the reviewers to review the solution.

  2. Process Permissions manage either a specific solution or the start of the document process for solutions belonging to a specific library. They include Originator and Data Reviewer permissions; please see just below for definitions.
    1. Originator: When a Group is added to this permission, the users within that Group can submit new solution documents and/or launch a document process or form process for a given solution. By default, solutions inherit this permission from their library. In addition, Administrators can control this permission for a specific solution.

    2. Data Reviewer: When a Group is added to this permission, the users within that Group can participate in the document review process (applicable to Standard Workflow only). If this is a Transaction type solution, the document submit wizard includes these users in the Reviewer list. The document submitter can then select one of the reviewers to review the document.

Add library permissions

To manage library permissions, you must have one of the following global roles or be a part of the following permission groups:

  • Global Administrator
  • App Administrator

To add library permissions:

  1. Click the Apps menu. Go to the app for which you would like to add library permissions and click the icon in the Actions column.
  2. Click Configurations and then click the Manage Libraries tab.
  3. Select the library and click Manage Library Permissions.
  4. Click Solution Permissions and then select groups for Solution Developer and Solution Reviewer permissions.
  5. Click Save. You will be notified that the permissions have been added successfully.
  6. Click Process Permissions and then select groups for Originator and Data Reviewer permissions.
  7. Click Save. You will be notified that the permissions have been added successfully.

Remove library permissions

To remove library permissions, you must have one of the following global roles or be a part of the following permission groups:
  • Global Administrator
  • App Administrator

To remove library permissions:

  1. Click the Apps menu. Go to the app for which you would like to remove library permissions and click the icon in the Actions column.
  2. Click Configurations and then click the Manage Libraries tab.
  3. Select the library and click Manage Library Permissions.
  4. Click the library permissions category (Library Solutions or Processes) you need to edit.
  5. Hover over the group name and click the ‘X’ to delete that group.
  6. Click Save.

Manage solution permissions

Solutions inherit all permissions of the library they belong to. You can choose to edit the inherited permissions for specific solutions.

To manage solution permissions, you must have the following global roles or be a part of the following permission groups:
  • Global Administrator
  • App Administrator

Edit/change solution permissions

To edit/change solution permissions:

  1. Click the Apps menu. Go to the app for which you would like to edit/change solution permissions and click the icon in the Actions column.
  2. Click Configurations and click on Manage Solutions.
  3. Select the Library from the libraries window and then select the solution for which you want to edit/change permissions.
  4. Click the Manage Permissions button. The Manage Solution Permissions page will appear.
  5. Click the library permission category (Library Solutions or Processes) you wish to edit/change and click Stop Inheriting Permissions.
  6. When prompted to confirm, click Yes.
  7. You can opt to delete permission groups by clicking the ‘X’ next to that group. You can also opt to add another group by selecting it from the drop-down list.
  8. Click Save. You will be notified that the unique permissions for that solution have been updated successfully.