Each user of Metrici is identified by a user logon reference string. Internally, users can also be identified by a numeric user identifier. Perhaps confusingly, the sign in screen refers to the user logon reference as "user id", though internally user identifier always means the internal numeric identifier.
Types of user
There is no concept of user type within Metrici. However, most users fall into one of three categories:
- A normal user. This is a named person who can sign on and do things within Metrici.
- A contributor. This is someone who is contributing to a solution in Metrici, for example completing a survey, who has a smaller number of permissions than a normal user. Contributors may be pre-created, or may be created as a person uses a solution.
- A primary account user. Each account has a primary user who is the main administrator of the account.
Internally, there are users with special roles:
- Account authority. The account authority represents the organisation who provides the account.
There are also four users with special meaning.
- System. This means "the system itself". System never signs in, but is used internally when a user is required.
- Admin. This is the master administrative user of the system. For example, only admin has the permission to create account authority users.
- Public. This is a special user that means "everyone". This is used to set and query public permissions. Only admin can set permissions on Public.
- Anonymous. This is a bit like Public, but only allows read permissions to be set. Anonymous permissions are used to publish public web pages and resources such as images. When using anonymous permissions, the user's identity is masked from page-serving processes, which means that the provider of a page can not identify the users. Anyone can set Anonymous permissions.
Users are arranged into groups.
User groups have names and references, a lists of users. User groups do not nest inside each other.
User groups are used to set permissions and to manage users.
There are three kinds of groups:
- Normal user groups. These are simply lists of users, typically gathered together because they have some common characteristics and similar permissions. Normal user groups can be created and deleted by most users, and users can be directly added and removed from the group.
For example, you might define a xxx-administrators user group, which lists all the users who can administer the account. This is a normal group - users can be added and removed from it directly.
- Owning user groups. Owning user groups are referenced when users are created, and users are typically in only one owning user group. Users can only be added and removed from owning user groups by using the user creation and deletion functions.
Accounts typically have a xxx-users user group, which is an owning user group for all the normal users within the account. Groups of contributors are created using additional owning user groups.
- Individual user groups. Each user has an individual user group, with a user group reference the same as the user logon reference. Permissions or only ever granted to user groups, and the individual user group allows permissions to be granted to just one person at a time.
User group permissions
When a user group is created, it is either created as a normal user group or an owning user group.
- If a normal user group is created, the creator is assigned Administer Usergroup permission. The user can add and remove users from the group, and can grant other users administer permission or permission to grant to the user group and its members.
A user with administer user group permission can delete the user group.
- If an owning user group is created, the creator is assigned Administer Owning Usergroup permission and Own Users permission. The user can create users in the user group. They can grant other permissions associated with owning user groups: permission to create users in the group, permission to sign on as users in the group, permission to grant to the user group and its members, and permission to administer the owning user group.
A user with administer owning user group permission can delete the user group, but only if it is empty. You can not delete a user group that still owns users.
See the next topic for a full reference on permissions.