14 Replies Latest reply on Aug 9, 2019 9:29 AM by tmaurer

    Read only permissions

    Mark Mazza

      Hi, is it possible to create a Read Only permissions group?

       

      We have to prevent a number of our colleagues in Regulated roles from accessing Jive for compliance purposes.  I want to see if I can give them read only access which would mean they'd be able to see all content they had access to on Jive but they wouldn't be able to contribute to it or create their own groups or any content types (including the ability to private message people).

       

      I've had a look around here and played about in the Admin Console with User Overrides but can't get anything to work the way I want it.

       

      Any guidance gratefully received.

       

      Thanks

      Mark

        • Re: Read only permissions
          Helen Chen

          I would think this is possible but would take some planning.  If you are using All Registered Users or Everyone for generic permissions, you can't remove permissions already granted. You would have to be very specific about where you are granting permission and what permissions you gave them. 

          1 person found this helpful
          • Re: Read only permissions
            oonagh.m

            There was another thread about this somewhere but I can't find it.

            The platform isn't really designed to do this, but we've had to restrict people this way as well. You can create a permission group for your regulated users, and go through each space in your community, assign them to it and give them read only permission. This takes time, especially if you've got a lot of spaces, and I don't think it would apply if you use public groups, but that's how we've restricted people before.

             

            ETA: AHA! Re: Does anyone know if it is possible to give a user view-only access within Jive? 

            2 people found this helpful
            • Re: Read only permissions
              XMaskuli
              Helen Chen and Oonagh McQuarrie are correct.
              The permissions are possible, but it would take planning and have some limitations.

              The easiest way would be to have a user group that includes all users except for your Regulated users, and use that to define the normal access controls for space content and ability to view groups. You could then use the System default user group (All Registered or everyone), or a defined user group for your regulated users, and set those permissions to be view only in Spaces, and limit other areas (ability to view Groups, comment on community content, etc.).
              2 people found this helpful
                • Re: Read only permissions
                  Helen Chen

                  Yes, I thought about the logistics at one point and decided that it was going to be a significant level of effort rearchitecting all of my places and permission groups for a handful of limited access users in my already established community.  It could be feasible with some planning in a new community.

                  • Re: Read only permissions
                    michelle.gantt

                    I believe there is also a limitation on the number of users you can bring into that Unregulated permission group - we've tried this with other customers in the past and the AD group balked at around 10K users in the group. That was a while ago so maybe things have improved - but this means for 90K employees you'd need to add all 9 of those permission groups to all spaces (luckily, Mark, you don't really have spaces).

                     

                    But you can't have any open groups - all groups would have to be private or secret - or else the regulated group would have to be given no access at all to open or members-only groups... View in groups means that you can fully participate.

                    1 person found this helpful
                  • Re: Read only permissions
                    christopher.wilson@windstream.com

                    If it's a small enough group of users, you could "ban" them at a "Disable Post" level. It sounds harsh, but you're basically just giving them read-only access to your instance.

                     

                    4 people found this helpful
                    • Re: Read only permissions
                      Mark Mazza

                      Thanks everyone for your responses, it's very much appreciated.  And sorry for the delayed response, I've been in and out on holiday these last few weeks.

                       

                      We have around 500 users (out of our total user base of 90,000) who I would like to provide Read Only access to.  We would also prefer them not to be able to view or participate in private or secret groups.

                       

                      We only have one Space they'd need access to.

                       

                      We manage access through single sign-on and at the moment a single AD group.  Currently we prevent these colleagues from being added to this AD group but the odd one does slip through when they've moved from a non-regulated role into a regulated role so we have to perform regular sweeps to remove them.

                       

                      We want to switch our people directory from SharePoint into Hive and decommission the SharePoint version (it's a standalone 2010 instance separate to our SP07 soon to be replaced by O365).  But unless I can find a way to allow these 500-odd colleagues to use Hive search without being able to create content / comment on other people's content or messages, I'm stuck.

                       

                      Of the suggestions above, does Chris Wilson's sound the most practical, and will it fit these requirements?  Would a user still be able to update their profile but not send messages and comment if I disabled their posts?

                       

                      Many thanks

                      Mark

                        • Re: Read only permissions
                          michelle.gantt

                          Thanks Chris Wilson for reminding me about this little-used function. Have you used it - and does it ban the user from posting any kind of content? This is a very old admin console page and the word "post" may be just for discussions - so worth testing to see if it also includes other content types and commenting.

                           

                          Mark, you'd still need to remove ARU from any spaces that they shouldn't have access to and do something about the open groups.

                           

                          Direct messages can be disabled for individuals and permission groups on the people > settings > home page permissions page. I am not sure (maybe someone else knows) if you need to remove ARU in this case - some of these permissions are not additive like they are in the space permissions.

                            • Re: Read only permissions
                              christopher.wilson@windstream.com

                              Sure, Michelle.

                               

                              We have used this function for a year or so, and really, for the intended purpose. We had two, um, "protected" employees who were doing fun things like picking fights with our CEO in comment threads, so we put this tool to use. We didn't want to take away their access to critical company news or, say, essential HR content, but we needed to take away their ability to type words and have them show up in our community.

                               

                              It's done exactly that. They can see everything they have permission to see and can perform basic social interactions such as liking, etc., but they cannot so much as leave a comment. In terms of profile control: They no longer have "bio" fields, but they can do certain things like update their profile photo. To wit:

                               

                              Anyway, I would do some testing Mark Mazza, but I think this could be a really effective workaround for your use case.

                              2 people found this helpful