Access Control - AudiovisualMetadataPlatform/amp_documentation GitHub Wiki


Access Control

In addition to the hard-coded Administrator role, AMP provides 5 roles. These roles are assigned at the unit level, which means that the permissions one has for a specific unit are valid only for collections within that unit. In version 1.0.0 of AMP, each of these roles comes pre-configured with a default set of permissions. In the next release, system administrators will be able to configure these roles using a spreadsheet.

  1. Unit Manager - full permissions within a unit
  2. Collection Manager - full permissions within unit except for editing unit
  3. Collection Staff - can manage content within the unit, but cannot manage workflows
  4. Collection Helper - can edit items within the unit, but cannot delete anything, play content files, or use the evaluation module
  5. Unit Viewer - view only

In addition to these roles shared across the AMP installation, each unit can have 2 customizable roles, the Unit Staff and Unit Helper, which allow units to configure different permissions based on different human workflows. These roles do not exist for a unit until the permissions are configured in the user interface. By default, only the Unit Manager role can configure these unit-level roles.

Global Roles and Permissions

In AMP, each role is configured by assigning individual permissions to that role. Nearly all actions in AMP are discrete permissions. In the AMP 1.0.0 release, the 5 global roles have a set of default permissions that cannot be customized.

To learn what permissions are available to each role, view the ac_role_action.csv spreadsheet. The spreadsheet contains a list of permissions (actions) and the lowest level role that is able to complete that action. There is a hierarchy of roles as numbered above, where the Unit Manager role is the highest level role and the Unit Viewer is the lowest level role. For example, if the Collection Helper role is set for the "create item" action in the spreadsheet, all higher-level roles (Unit Manager, Collection Manager, and Collection Staff) can also perform that action.

The next release of AMP will allow system administrators to configure the ac_role_action.csv sheet in order to customize which roles have the various permissions.

For more information about what the different permissions actually control within the AMP user interface, see the spreadsheet with the descriptions of all permissions (actions) within AMP as of the 1.0.0 release.

Assign Users to Roles

To assign users to either global or unit level roles, a user with Administrator or Unit Manager privileges should navigate to a specific unit and select the "Assign Roles" button.

In the Select User box, search for system users via first name, last name, or username. The system will suggest existing users. Select the correct user from the drop-down and click Add.

Don't forget to select a role for the user and click Save below the list of users to save your changes.

To un-assign a user from a role, simply un-check the box next to the role and click Save.

If a user is assigned to 2 roles within a single unit, they will receive the higher-level permissions (e.g., Unit Manager instead of Collection Helper).

Configure Unit Roles

To configure the Unit Staff and Unit Helper roles, which are specific to each unit, a user with Administrator or Unit Manager privileges should navigate to a specific unit and select the "Unit Roles Settings" button.

Use check boxes to turn on specific permissions for the Unit Staff and/or Unit Helper role. Note that users assigned to these roles will have no permissions by default, only those that are activated here. Look for these permissions in the sample spreadsheet to learn more about what they do.

When you are done, click Save at the bottom of the list of permissions.

The Unit Staff and Unit Helper roles will not be available to assign to users (and will not exist in the database) until you configure and save them in this section.

Best Practices for Configuring Roles

AMP has a great deal of flexibility in assigning discrete permissions to roles. However, be sure to assign permissions in ways that make sense. For example, if you give a user permission to create an item, but not edit it, the user won't actually be able to create the item because it requires using the edit item page in the user interface.

A few specific recommendations for assigning permissions are included in the list of all permissions.
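
The role hierarchy, the "highest role wins" rule, and the create/edit dependency described on this page, worked through as an added example (not AMP's own code). The CSV column names and the sample rows are assumptions, since the layout of ac_role_action.csv is not shown here; only the role names, their order, and the "create item" and "edit item" actions come from this page.

```python
import csv
import io

# Role hierarchy as numbered on this page, highest level first.
ROLES = ["Unit Manager", "Collection Manager", "Collection Staff",
         "Collection Helper", "Unit Viewer"]
RANK = {role: i for i, role in enumerate(ROLES)}  # lower index = higher level

# Constructed sample: column names and rows are assumptions, not the real sheet.
SAMPLE_CSV = """action,lowest_role
create item,Collection Helper
edit item,Collection Helper
delete item,Collection Staff
edit unit,Unit Manager
view item,Unit Viewer
"""

# Dependency stated on this page: creating an item uses the edit item page.
REQUIRES = {"create item": {"edit item"}}


def load_matrix(text):
    """Expand 'lowest role per action' into the full set of actions per role."""
    matrix = {role: set() for role in ROLES}
    for row in csv.DictReader(io.StringIO(text)):
        lowest = row["lowest_role"].strip()
        if lowest not in RANK:
            raise ValueError(f"unknown role {lowest!r} for action {row['action']!r}")
        # Grant the action to the lowest role and to every role above it.
        for role in ROLES[: RANK[lowest] + 1]:
            matrix[role].add(row["action"].strip())
    return matrix


def effective_role(assigned):
    """A user holding several roles in one unit gets the highest-level one."""
    return min(assigned, key=RANK.__getitem__)


def lint_unit_role(granted):
    """Map each granted action to the prerequisite actions it is missing."""
    granted = set(granted)
    return {action: sorted(REQUIRES[action] - granted)
            for action in granted
            if action in REQUIRES and not REQUIRES[action] <= granted}
```

Running lint_unit_role over a planned Unit Staff or Unit Helper permission set before saving it shows which granted actions would be unusable in the user interface.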

Attachments:

ac_action_with_comments.csv (text/csv)
ac_role_action.csv (text/csv)

Document generated by Confluence on Feb 25, 2025 10:39