Previously, we used Okta groups to manage all permissions, with one group per permission. This quickly became unsustainable however as the number of highly granular permissions grew.
As of December 2021 we now use a custom Profile attribute to manage user permissions.
To grant a user access to the applications
From the Okta admin page, to to Directory → People
Find and click on the user
Click the Groups tab, then search for the group “UKRDC”
Click the UKRDC group, and it should be assigned to that user
Adding a user to the UKRDC group will grant them access to log into the UKRDC web application, but without also granting resource permissions they won’t be able to access any data. See below.
To grant a user permissions to specific resources
From the Okta admin page, to to Directory → People
Find and click on the user
Click the Profile tab, then click Edit
At the bottom of the page, assign both UKRDC Permissions, and UKRDC Units
Any user with at least Read Records permissions will automatically be added to the UKRDC group, granting them access to log into the Live UKRDC web interface.
Modifying available permissions/units
This should only be used by developers when adding a new permission type to the API, e.g. managing access to an entirely new category of resource/data
From the Okta admin page, to to Directory → Profile Editor
Edit the User (default) profile template
Scroll down and edit (pencil icon) UKRDC Permissions or UKRDC Units
Add any extra items to Attribute Members
Note: The ‘value’ is what will get added to acces tokens. Display Name is just for the profile editor.