Thursday, March 26, 2015

Introducing the ACLator: fine-grained control over all the things

We are pleased to announce the release of the Permissions and Access Control List Editor, which we've pet-named the ACLator.  Think "Ack-ell-a-tor" using an Arnold Schwarzenegger voice.

The ACLator places the power of fine-grained access control squarely in your hands. By default, users have limited, read-only privileges on queues of which they are members - just the minimum for staffing. From those humble beginnings, users are commonly elevated to full administrative access across an account or to administrative access within a subset of the account. But it doesn't stop there! You can grant or deny read and/or write privileges to most anything to anyone - and yes, even to LH3 users outside your account. That last part has super-exciting implications and really deserves its own blog post. But we'll get to that in a bit. And as always, there is no extra charge for any of this new goodness.

Groups & Folders - The Building Blocks of Access Control


If you've ever used the admin dashboard to manage users or queues, then you've probably noticed folders.  Folders organize users, queues, conference rooms, canned messages, chat snippets, chat skins, and knowledge bases (FAQs) into a collection of resources.  Folders can also have child folders, allowing you to build hierarchies of resource collections.

A group is a collection of users with the same access privileges to a set of folders.  There are two special groups that every LibraryH3lp account has - Everyone and Administrators.  The Everyone group automatically includes every user within the LibraryH3lp account and provides the basic read-only privileges that make staffing possible.  The Administrators group contains all users that have full administrative access to the LibraryH3lp account.  From there, you can create your own groups with customized access to the resources within your LibraryH3lp-powered service.

As an administrator, if you navigate to the ACLator (US, CA, EU, SG), you'll see a list of all groups for your account. You can manage groups (add, rename, delete) using the button toolbar above the list.

Example list of groups in the ACLator.  The management toolbar is located above the list.

Managing Membership


When you click on a group from the list, you'll see a Members tab that lists the members of a group.  The default view is a flat list, but you can switch to a tree view that reveals the folder hierarchy.  Beside the view toolbar is a button that lets you add or remove members.

Members for an Administrators group.  The membership management buttons are located above the member list.

The ACLator makes granting users full administrative privileges easy.  Click on the Administrators group as shown in the screenshot above.  Then click the add/remove members button to make your changes.  Yep.  That's it.

Using the ACLator to Isolate Departments


How about extending your LibraryH3lp subscription to include other departments, but not giving the departmental administrator the full keys to your entire kingdom?   We call these users mini-admins.  Mini-admins can manage their own resources but cannot see any data (including transcripts) for the rest of the account.  Their view of the world is capped at their own folder.

Let's set up a mini-admin in 5 easy steps!

  1. Visit the Users page of the admin dashboard and create a new folder.  
  2. Add a new user within the folder.  You can use drag and drop if needed to get the user situated. 
  3. Head over to the ACLator and create a new group.
  4. Add the new user as a member of the new group.
  5. Click the Permissions tab and select your newly created folder containing the mini-admin.  Click Grant for read and write access.

The screenshots below show how the ACLator Members and Permissions tabs look when it is all said and done.

The new user is part of the mini-admin group. 

Granting mini-admin privileges on the "mini-admin" folder.

When a new mini-admin user logs into the admin dashboard, they'll be able to create their own users, queues, knowledge bases (FAQ sites), conference rooms, canned messages, chat snippets, chat skins, and administrative hierarchies within their own restricted subdomain.  Since a mini-admin's view is capped at their own folder, they won't see their parent folder since that is beyond their administrative access.
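
A toy model of the isolation described above, added here as an example and not LibraryH3lp's own code: it assumes a grant on a folder also covers its child folders, and the folder, group and user names are constructed. The `isolation_leaks` helper is a hypothetical audit check for whether a user can read anything outside their own folder.

```python
# Added illustration: a toy model of folder-scoped grants, NOT LibraryH3lp code.
# Assumption: a grant on a folder also covers its child folders.

# Constructed sample data: folder -> parent folder (None marks the account root).
PARENT = {"account": None, "reference": "account", "mini-admin": "account",
          "mini-admin/evening-staff": "mini-admin"}

# Constructed sample data: group -> members, and group -> {folder: privileges}.
MEMBERS = {"Administrators": {"alice"}, "mini-admin group": {"dana"}}
GRANTS = {"Administrators": {"account": {"read", "write"}},
          "mini-admin group": {"mini-admin": {"read", "write"}}}


def ancestors(folder):
    """Yield the folder itself, then each parent up to the account root."""
    while folder is not None:
        yield folder
        folder = PARENT[folder]


def privileges(user, folder):
    """Union of privileges the user's groups hold on the folder or any ancestor."""
    held = set()
    for group, members in MEMBERS.items():
        if user in members:
            for f in ancestors(folder):
                held |= GRANTS.get(group, {}).get(f, set())
    return held


def visible_folders(user):
    """Folders the user can read: that user's 'view of the world'."""
    return sorted(f for f in PARENT if "read" in privileges(user, f))


def isolation_leaks(user, own_folder):
    """Audit helper: readable folders that lie outside own_folder's subtree."""
    return [f for f in visible_folders(user) if own_folder not in ancestors(f)]


if __name__ == "__main__":
    print("dana sees:", visible_folders("dana"))
    print("dana leaks:", isolation_leaks("dana", "mini-admin"))
    print("alice leaks:", isolation_leaks("alice", "mini-admin"))
```

An empty result from `isolation_leaks` for the mini-admin is the property to check after step 5; a full administrator is expected to show every folder outside the subtree.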

Building Collaborative Services


Within the ACLator, you probably noticed the Collaborators tab. This tab lets you manage access control for LibraryH3lp users outside your account. A while back, we talked about how you can build ad-hoc collaboratives with LibraryH3lp. The Collaborators tab lets you build collaborative services on-the-fly! The ability to self-organize is unprecedented in the world of virtual reference software, removing the need for any middle man to form collaboratives. In an upcoming post, we'll walk you through creating and managing an ad-hoc collaborative. Stay tuned.
