The "Building Blocks" of Control
25Live employs four major "building blocks" of security control. All are required to effectively use 25Live.
- System Security controls access to the 25Live application. Access is limited to “active” 25Live users via unique user ID and password. System security is the most basic building block of control in 25Live.
- Functional Security controls access to functional areas of 25Live, such as whether or not a user can access the event search function or run reports.
- Assignment Policies control, for each location and resource, who can assign it to events and when it can be assigned.
- Object Security controls access to individual events, event drafts, locations, resources, organizations, cabinets, folders, and reports, and, for locations and resources, the events they’re assigned to.
In addition to these, you have the option of defining notification policies.
Classes of 25Live Users
There are two general classes of 25Live users: Viewers and Users.
25Live Viewers have restricted view-only access to events, locations, resources, and organizations as controlled by the 25Live Viewer Seat, which is the “generic” 25Live user for this user class. Viewers have no 25Live sign-on privileges and no ability to personalize their 25Live user experience.
25Live Users have access to potentially all levels of functionality and objects (event drafts, events, locations, resources, organizations, and reports) in 25Live, as defined by the access permissions of the 25Live security group to which they belong, and they have the ability to personalize their 25Live user experience. Users are further divided into specific 25Live security groups (see Security Groups).
Typical Activities by User Class
A few of the typical 25Live activities of each user class are shown here:
|Activity|25Live Viewer|25Live User|
|---|---|---|
|View event, location, and resource lists|X|X|
|View calendars and location/resource availability grids|X|X|
|View event, location, and resource details|X|X|
|Submit event drafts, or create events and save them to the Series25 database| |X|
|Receive and respond to assignment policy tasks| |X|
|Set user preferences| |X|
|"Star" important or favorite events, locations, and resources| |X|
Definition of a Security Group
A security group consists of one or more 25Live users with the same set of functional security, assignment policy, and object security permissions.
Default Security Groups
25Live comes with two default security groups, System Administrators (-1) and Default Users (-2). The System Administrators group has full rights to all system functions and objects. You can’t change the functional or object rights of this security group, but you can add and change its members. The Default Users group typically becomes the default group for LDAP or Shibboleth authentication.
25Live Security Group Templates
The 25Live Administration utility includes several security group “templates” that each have functional security settings most common to a particular group of users. The templates reflect best security practices, and are to be used as guides in setting up your security groups. You may, however, have more or fewer security groups depending on your needs, and the functional access settings of each can be different than the recommendations reflected in each template.
Definition of Access Levels
Access levels define how much access a security group has in each functional area of 25Live (as controlled by functional security), which locations and resources they can assign to events (as controlled by assignment policies), and which objects—locations, resources, organizations, reports, cabinets, folders, events, and event drafts—they can access and possibly act on (as controlled by object security).
Functional Security Access Levels
Functional security access levels control access to the various functional areas of 25Live, as shown in this Events functional security example:
Assignment Policy Access Levels
Assignment policy access levels control the ability to request assignment of or assign a particular location or resource to events.
- Assign, Unassign, Approve allows users in the security group to assign and unassign the location or resource, and receive and act on assignment requests in their 25Live Task List.
- Assign/Unassign allows users in the security group to assign and unassign the location or resource.
- Request/Unassign allows users in the security group to request assignment of the location or resource, and unassign it.
- Request allows users in the security group to request assignment of the location or resource, but not assign it themselves or unassign it.
You can create exceptions to a security group's standard assignment policy access level as needed. For example, if the Student Events security group can normally only request the Gym 2 location, you could create an exception that gives that group Assign/Unassign privileges to the location just during Homecoming week.
Object Security Access Levels
Object security access levels control the ability to access and act on a specific location, resource, organization, event, folder, cabinet, or report.
- Edit, Delete, Copy allows users in the security group to edit, delete, and copy the object.
- Edit allows users in the security group to edit the object.
- View Only allows users in the security group to view the object.
- Not Visible hides the object from the security group’s view.
Locations and resources have these additional Events object security access levels that control the ability to see the events a particular location or resource is assigned to and potentially assign the location or resource to events or request its assignment.
- Assign/Request allows users in the security group to see the events the location or resource is assigned to, run reports on the location or resource, and potentially assign the location or resource to events or request its assignment.
Note: The ability to actually assign the location or resource to events is controlled by the assignment policy of the location or resource, not this setting. See Assignment Policy Access Levels.
- View Event Availability allows users in the security group to see the availability of the location or resource and the events the location or resource is assigned to, and to run reports on the location or resource.
- Events Not Visible prevents users in the security group from seeing the availability of the location or resource and the events the location or resource is assigned to, and from running reports on the location or resource.
In this example, Events object security access to the Theatre has been set to "View Event Availability" for the security group of which Cybil, Henry, and Jack are members.
Event Object Security Ownership
The user who creates an event with an event state of Tentative or Confirmed has full “Edit, Delete, Copy” access to the event independent of the object security setting on the event for their security group. This remains the case unless another user with “Edit, Delete, Copy” object security access to the event “takes ownership” of it, in which case the object security access to the event by the event creator reverts to that of their security group.
This is not the case for other objects controlled by object security—cabinets, folders, locations, resources, organizations, and reports—where the object security access of the object creator’s security group determines that user’s access to the object.
Functional and Object Access Level Inter-Dependencies
- A security group must have at least “Can view” access to a functional area before any related object security access is applied.
For example, if a security group’s functional Resource Access is “Can’t view, Resources tab doesn’t appear in 25Live” and its object access to the DVD Player resource is “Edit,” the security group members won’t see any resources in 25Live, including the DVD Player.
- The object access a security group has to a particular object overrides the functional access it has to the related functional area, if the security group has at least “Can view” access to the functional area.
For example, if a security group’s functional Locations Access is “Can view, Locations tab appears in 25Live” and its object access to location BCC101 is “Not Visible,” the security group members won’t see BCC101 in 25Live.
Object Security and Assignment Policy Access Level Inter-Dependencies
- To be able to request assignment of a particular location or resource for events, a security group’s Events object security permission to the location or resource must be “Assign/Request” and their assignment policy permission must be “Request” or “Request/Unassign.”
- To be able to assign a particular location or resource to events, a security group’s Events object security permission to the location or resource must be “Assign/Request” and their assignment policy permission must at minimum be “Assign/Unassign.”
- To be able to act on assignment requests from other users, a security group’s Events object security to the location or resource must be “Assign/Request” and their assignment policy permission must be “Assign/Unassign/Approve.”
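The two sets of inter-dependency rules above can be checked mechanically when reviewing a security group's settings. The following is an added example, not 25Live code or its API: the function names and the sample group are hypothetical, it treats “Assign/Unassign/Approve” and “Assign, Unassign, Approve” as the same level, and it uses “Request” as the system default assignment policy, as stated on this page.

```python
# Added example: models the inter-dependency rules stated on this page.
# Function names and the sample group data are hypothetical, not 25Live's API.
OBJECT_LEVELS = ("Not Visible", "View Only", "Edit", "Edit, Delete, Copy")
EVENTS_LEVELS = ("Events Not Visible", "View Event Availability", "Assign/Request")
POLICY_LEVELS = ("Request", "Request/Unassign", "Assign/Unassign",
                 "Assign, Unassign, Approve")  # ordered weakest to strongest

def effective_object_access(functional_can_view, object_level):
    """Object security applies only once the functional area is 'Can view'."""
    if object_level not in OBJECT_LEVELS:
        raise ValueError(f"unknown object level: {object_level!r}")
    return object_level if functional_can_view else "Not Visible"

def assignment_capabilities(events_level, policy_level):
    """Combine Events object security with the assignment policy level."""
    if events_level not in EVENTS_LEVELS or policy_level not in POLICY_LEVELS:
        raise ValueError("unknown access level")
    if events_level != "Assign/Request":
        return set()  # the policy level has no effect without Assign/Request
    rank = POLICY_LEVELS.index(policy_level)
    caps = set()
    if rank <= 1:
        caps.add("request")   # Request or Request/Unassign
    if rank >= 2:
        caps.add("assign")    # at minimum Assign/Unassign
    if rank == 3:
        caps.add("approve")   # act on other users' assignment requests
    return caps

def audit(group):
    """Flag grants that look permissive on paper but cannot take effect."""
    findings = []
    if not group["functional_can_view"] and group["object_level"] != "Not Visible":
        findings.append("object grant masked by functional 'Can't view'")
    if group["events_level"] != "Assign/Request" and group["policy_level"] != "Request":
        findings.append("assignment policy has no effect without Assign/Request")
    return findings

# Constructed sample: the DVD Player case from the text plus a policy mismatch.
SAMPLE = {"functional_can_view": False, "object_level": "Edit",
          "events_level": "View Event Availability",
          "policy_level": "Assign/Unassign"}

if __name__ == "__main__":
    print(effective_object_access(SAMPLE["functional_can_view"], SAMPLE["object_level"]))
    print(assignment_capabilities(SAMPLE["events_level"], SAMPLE["policy_level"]))
    print(audit(SAMPLE))
```

Findings from `audit` point at settings worth cleaning up: a grant that is currently masked becomes live as soon as the gating permission is raised.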
Default Object Security and Assignment Policies
You can set default object security permissions for event drafts, locations, resources, organizations, and reports for each security group. For locations and resources, you can also set default Events object security and assignment policy permissions. The default object security and assignment policy access you set determines each security group’s access to new objects of that type.
For example, if you set the locations default object security of the Athletics security group to View Only and Assign/Request, and leave the default assignment policy access as Request (the system default), when a new location is created, members of that security group will be able to view it and request its assignment to events they create and/or edit.
It is very important that the default object security for each security group for each object type is set correctly for your scheduling environment. Until it is, each group’s default object security permission is set to the system default—Not Visible—which means that members of the security group won’t see any new objects of that type.
Description of Notification Policies
Notification Policies allow you to specify which 25Live users need to be notified when a particular event scheduling activity occurs—the assignment of a particular location or resource, the designation of a particular requirement, the sponsorship of a particular organization, or the creation of an event of a particular type. They specify:
- Who should be notified. You can have one or more 25Live users receive a notification.
- The type of notification: Approval Required or Information Only.
- Whether all recipients need to approve or just one recipient (when notifications requiring approval are sent to more than one user).
When an event is saved, appropriate notifications are displayed in the 25Live Task List of the user whose action triggered the notification and in the 25Live Task List(s) of the notification recipient(s)—as is each recipient’s response to the notification.
Note: Notification policies are not enforced for event drafts.
There are two types of notifications:
- Approval Required: The notification requires approval by the recipient(s). Each recipient has the option of approving or denying the notification request.
- Information Only: The notification is for information only; it requires no explicit action on the part of the recipient(s).
Actions That Trigger Notifications
A notification (either Approval Required or Information Only) can be set up to be generated and sent to the Task List(s) of 25Live user(s) based on any of these event scheduling actions:
- Creation of an event of a particular event type
- Assignment of a particular location or resource to an event
- Association of a certain organization with an event
- Association of a certain requirement with an event
Approval By “at least one” vs Approval By “all”
You can elect to require approval from at least one or approval from all notification recipients. This makes it possible to indicate that:
- If the main approver is out of the office, one of the backups can reply to the notifications.
- If two people have the same authority, either of them can reply to the notifications.
- Multiple people must reply to certain notifications.
Where Notification Policies Are Set Up
Where you set up notification policies in the 25Live Administration Utility depends on what action you want to trigger the notification. Notifications are triggered automatically when any of the information illustrated below is saved with an event.