Permission System

PBS Knowledge uses a role-based access control (RBAC) system combined with group-based permissions to control who can access and modify data.

Permission Model

Layers of Access

Access is determined by three layers:

Base Role - Assigned at login (student, faculty, staff, admin)
Group Membership - Additional permissions through groups
Resource Ownership - Control over your own data

Permission Hierarchy

Full System Access (Admin)
    │
    ├── Department Admin
    │   ├── Manage People
    │   ├── Manage Degrees
    │   └── Manage Groups
    │
    ├── Faculty
    │   ├── View Students
    │   ├── Manage Own Profile
    │   └── Approve Milestones
    │
    └── Student
        ├── View Own Data
        └── Edit Own Profile

Base Roles

Role Definitions

Role	Description	Default Permissions
admin	System administrators	Full system access
faculty	Teaching/research faculty	View students, manage profile
staff	Department staff	Manage profiles
student	Current students	View/edit own data
user	Authenticated without role	Minimal access

Role Assignment

Roles are assigned:

Automatically from Dartmouth SSO attributes
Manually by administrators
Through group membership

Available Permissions

Core Permissions

Permission	Description
`full_system_access`	Complete administrative access
`manage_profiles`	Edit any person's profile
`manage_groups`	Create and modify groups
`manage_degrees`	Configure degree requirements
`manage_programs`	Administer academic programs
`manage_courses`	Course and section management
`manage_publications`	Publication administration
`manage_email_system`	Email template management
`access_undergraduate_data`	View undergraduate records
`access_graduate_data`	View graduate records

Permission Checking

The system checks permissions in order:

Is user an admin? → Full access
Does user have specific permission? → Granted
Is user in a group with permission? → Granted
Is user the resource owner? → Limited access
Default → Denied

Groups

What Are Groups?

Groups are collections of users with shared permissions:

Department Committees - Curriculum, admissions
Program Groups - PhD program, honors program
Administrative Units - Front office, advising
Research Groups - Labs, centers

Group Structure

Each group has:

Name - Identifying name
Description - Group purpose
Members - Users in the group
Chair - Group leader (optional)
Permissions - Granted permissions
Status - Active or inactive

Group Permissions

Groups can be assigned any combination of permissions:

Undergraduate Committee
├── access_undergraduate_data
├── manage_degrees
└── manage_email_system

Managing Groups

Creating a Group

Navigate to Admin → Groups
Click Create Group
Enter group details:
- Name
- Description
- Active status
Add initial members
Assign permissions
Save

Adding Members

Open the group
Go to Members tab
Click Add Member
Search for the person
Select their role in the group
Click Add

Group Roles

Members can have roles within groups:

Role	Capabilities
Chair	Full group management
Member	Receives group permissions
Observer	View-only access

Assigning Permissions

Open the group
Go to Permissions tab
Check permissions to grant
Save changes

Special Access

Resource Ownership

Users always have access to:

Their own profile
Their own publications
Their advisees (for faculty)
Their academic data (for students)

Inherited Permissions

Some permissions are inherited:

Lab PI → access to lab data
Thesis advisor → access to advisee thesis
Course instructor → access to enrolled students

Auditing

Permission Audit Log

Administrators can view:

Permission changes
Group membership changes
Access attempts
Administrative actions

Viewing Audit Log

Go to Admin → System → Audit Log
Filter by date, user, or action type
Export for compliance reporting

Best Practices

Least Privilege

Grant minimum necessary permissions
Use groups rather than individual grants
Review permissions regularly
Remove access when roles change

Group Management

Create groups for natural organizational units
Keep group membership current
Document group purposes
Review group permissions annually

Troubleshooting

Access Denied

If a user can't access something:

Check their base role
Verify group memberships
Confirm required permission
Check resource ownership
Review audit log for denials

Permission Not Working

If granted permission isn't working:

Ensure user signed out and back in
Check permission is assigned correctly
Verify no conflicting group membership
Contact administrator for assistance

Permission Model​

Layers of Access​

Permission Hierarchy​

Base Roles​

Role Definitions​

Role Assignment​

Available Permissions​

Core Permissions​

Permission Checking​

Groups​

What Are Groups?​

Group Structure​

Group Permissions​

Managing Groups​

Creating a Group​

Adding Members​

Group Roles​

Assigning Permissions​

Special Access​

Resource Ownership​

Inherited Permissions​

Auditing​

Permission Audit Log​

Viewing Audit Log​

Best Practices​

Least Privilege​

Group Management​

Troubleshooting​

Access Denied​

Permission Not Working​