Technical Advisory: Adjustments to the Manage Properties Permission

Avatar

Avatar

thebenrobb

Employee

Avatar

thebenrobb

Employee

thebenrobb
Employee

05-03-2021

If you’ve ever seen the inside of the Admin Console for Launch Client Side or Launch Server Side, you’ve probably seen the Manage Properties right under the Company Rights tab.

mp-manage-properties.png

Any users who belong to a group with this Permission Item can create new properties, edit the settings on existing properties, and delete properties. 

However, there’s another tab where you can select from a list of all existing properties and limit the group’s access to a specific subset of properties. 

mp-permission-items.png

The interaction between these two sets of rights creates a strange scenario, where any time you had a group with the Company Rights > Manage Properties right and Properties > Auto-include: Off, those users can create new properties, but cannot see themThat’s weird. 

We’re fixing this, but it requires a tweak to what the Company Rights > Manage Properties right allows you to doGroups with Properties: Auto-include: On will not be affectedGroups with Properties: Auto-include: Off will see the effects of this change and should evaluate if they want to make modifications to their permission assignments. 

The Change

At the most basic level, we are changing the Manage Properties right to implicitly include the ability to view all propertiesManage Properties will allow you to create, read, edit, and delete any property within the company.  While this technically expands the capabilities of those who have this right (an addition of privilege), the change will align it with what most customers expected to it to do in the first place. 

Note that the change does not grant the ability to edit any resources within any propertyThat capability is associated with the Property Rights > Develop right, so you’ll have to have that as well if you want to change any resources within any of your properties. 

This change increases the scope of the Manage Properties right, however, we still wanted to preserve the ability to meet more granular permission scenarios, so we are also adding a new right under the Property Rights tab called Edit Property.

mp-edit-properties.png

All rights in this section apply only to the properties selected under the Properties tab. This new right allows you to edit any properties selected there 

As an example, granting this right to a group that also has Properties > Auto-include: On would allow these users to edit the settings of any existing properties, but they would not be able to Create or Delete any other properties. Only the Company Rights > Manage Properties right can do that. 

Granting this right to a group that only has access to Property A, Property B, and Property C will allow these users to edit the property resource only for Property A, Property B, and Property C. It will not allow them to edit any other properties, nor will it allow them to create and delete other properties. 

This new right will not be automatically added to any groupsIt is simply available for assignment to any groups by anyone with proper access to the Admin Console.

Considerations

It is probable that at least a few customers know exactly what the existing behavior does and have deliberately set Properties > Auto-include: Off to allow users to edit the property resource, knowing that it would also allow the creation of new properties that they couldn’t see. 

This change will make it so that those users can now see the properties that they created – along with all other propertiesMore importantly, those users will also be able to delete any existing properties because they can see them now 

The new Property Rights > Edit Property right allows the old capability, but without any of the unintended consequences. Administrators should evaluate whether they want to change their existing permission sets before or after this change is made. 

Other Communications

Users who belong to a group that is affected by this change (groups with Company Rights > Manage Properties and Properties > Auto-include: Off) will receive an email with a summary of the changesIf you receive this email, you should work with your company’s Admin Console users to figure out if you want to make any changes. 

Conclusion 

We are making this change to align the behavior of Platform Launch with our user’s expectations, but also realize that it may require adjustments on for some our customers. We expect the change to be made within the next 4 weeks, towards the end of March or beginning of April (I'll update this post when we know the exact date). I apologize for the inconvenience, but believe the change has a net positive impact for our customers and users. 

Happy tagging!