Access to a kit
A continuity kit is composed of a kit resource and an associated bucket.
Access to the kit is controlled through Policies.
Overview
As an administrator, you can give various access rights to the kit.
The list of permissions applicable to the kit can be found in the Kits section.
Generating kit policies
You can generate policies by opening a kit, clicking on the "..." button and "Technical details". From there, if you have the rights to create policies, you'll be able to generate policies based on your needs.
This is a helper, and you are free to modify the suggested rights it generates according to your needs.
Execution time permissions
Overview
Roles
Astran offers 3 roles that will ultimately apply to the steps of your process' checklist.
Managers have the ability to do all actions on a step and edit the step's permissions. Each step is required to have a defined manager; this can be done at kit edition or kit execution time.
Contributors can view a step, enter data, run automations, skip the step (if it has been configured as 'skippable'), and rework the step. The sole difference with Managers is that they aren't allowed to modify the step's permissions.
Viewers can view a step. This means they can see the data entered and the history of the step, and can also access any file that has been referenced in the step (even if they do not have the underlying rights to access the associated file in the bucket).
This summarizes the list of actions that can be done by role:
| Action | Manager | Contributor | Viewer |
|---|---|---|---|
| View a step content | ✅ | ✅ | ✅ |
| View a file referenced in a step | ✅ | ✅ | ✅ |
| View the result of an automation | ✅ | ✅ | ✅ |
| View associated tasks and comments | ✅ | ✅ | ✅ |
| Create associated tasks and comments | ✅ | ✅ | ✅ |
| Enter data in a form | ✅ | ✅ | 🚫 |
| Upload a file in an input | ✅ | ✅ | 🚫 |
| Skip a step (if skippable) | ✅ | ✅ | 🚫 |
| Mark a step as complete | ✅ | ✅ | 🚫 |
| Rework a step | ✅ | ✅ | 🚫 |
| Edit step permissions | ✅ | 🚫 | 🚫 |
Inheritance
Roles can be defined in 4 places:
- At kit level, in the kit edition
- At step level, in the kit edition
- At kit level, when launching an execution
- At step level, in an on-going execution
Configuration
When editing a kit, administrators can update the users/groups associated with a role for the kit or for the step.
If roles are filled at step level, they take precedence over the ones defined at kit level.
We recommend configuring all the users/groups associated with each role at kit edition level to remove any friction at execution time.
Runtime
When executing a kit, users can be prompted to define the groups/users associated with the Manager role and the other roles, according to the following rules:
| Kit level definition | Step level definition | What the user will be asked when launching the execution |
|---|---|---|
| Manager is defined | ø - Manager is inherited | No user input: the manager defined will be used |
| Manager is not defined | Manager is defined in all steps | No user input: the manager defined will be used for each step |
| Manager is not defined | Manager is defined in some steps | User input needed to have manager in the steps which have no manager defined |
| Manager is not defined | Manager is not defined | User input needed to have manager in all steps |
| (Contributor or Viewer) is defined | ø - (Contributor or Viewer) is inherited | No user input: the (Contributor or Viewer) defined will be used |
| (Contributor or Viewer) is not defined | (Contributor or Viewer) is defined in all steps | No user input: the (Contributor or Viewer) defined will be used for each step |
| (Contributor or Viewer) is not defined | (Contributor or Viewer) is defined in some steps | User can input (Contributor or Viewer) (optional) |
| (Contributor or Viewer) is not defined | (Contributor or Viewer) is not defined | User can input (Contributor or Viewer) (optional) |
A Manager of a step can update the permissions of this step once the execution has been created. This will affect only this execution.
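The precedence and launch-prompt rules above can be checked against a kit definition before it is executed. The following is an added example, not Astran code: the dictionary layout, the function names and the way launch-time input is applied (kit-level values fill only the steps that have no definition) are assumptions made for illustration.

```python
# Added illustration: models the precedence and launch-prompt rules in the tables above.
# The dict layout and function names are assumptions, not Astran's API or data model.
ROLES = ("manager", "contributor", "viewer")

def effective_roles(kit_roles, step_roles):
    """Per role: the step-level definition wins; otherwise the kit-level one is inherited."""
    return {r: set(step_roles.get(r) or kit_roles.get(r) or ()) for r in ROLES}

def launch_prompts(kit):
    """Return (steps_needing_manager, optional_roles) for a kit about to be executed."""
    kit_roles = kit.get("roles", {})
    needs_manager, optional = [], set()
    for step in kit["steps"]:
        eff = effective_roles(kit_roles, step.get("roles", {}))
        if not eff["manager"]:
            needs_manager.append(step["name"])  # user input needed for this step
        optional.update(r for r in ("contributor", "viewer") if not eff[r])
    return needs_manager, sorted(optional)

def resolve_execution(kit, launch_input=None):
    """Build per-step roles for one execution; refuse a step left without a manager."""
    launch_input = launch_input or {}
    resolved = {}
    for step in kit["steps"]:
        eff = effective_roles(kit.get("roles", {}), step.get("roles", {}))
        for role in ROLES:
            if not eff[role]:  # assumed: launch input fills only undefined roles
                eff[role] = set(launch_input.get(role, ()))
        if not eff["manager"]:
            raise ValueError(f"step {step['name']!r} has no manager")
        resolved[step["name"]] = eff
    return resolved

# Constructed sample kit: no kit-level manager, manager defined in only some steps.
SAMPLE_KIT = {
    "roles": {"viewer": ["grp-audit"]},
    "steps": [
        {"name": "declare-incident", "roles": {"manager": ["alice"]}},
        {"name": "notify-regulator", "roles": {"viewer": ["grp-legal"]}},
        {"name": "restore-service", "roles": {}},
    ],
}

if __name__ == "__main__":
    print(launch_prompts(SAMPLE_KIT))
```

For the sample kit, two steps require a manager at launch and only the Contributor role is offered as an optional input, since Viewer is inherited or overridden on every step.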
Limitations
Administrator of the system
Beware that users who are 'super admin', i.e. with wildcard policies on all actions/resources, will have the ability to perform all actions on all steps, even if they are not explicitly referenced in the Manager group.
We recommend redefining your own policies to restrict administrators' rights if your internal control policies consider this necessary.
Restrictions of users per role
You are not able to define a set of users at kit level and then remove all of them on a given step. You can only decide to restrict the list of users/groups for a given role but you cannot reduce it to an empty set.
Execution and access to the kit
It is necessary for a user who wants to execute a kit to have access to this kit. This means the user needs both ck:GetKit and ck:ExecuteKit actions to be allowed on the kit.