# Permissions

About users, groups and how to control access

# User creation

Users can be created both in the frontend and in the designer.

## <span class="mw-headline" id="bkmrk-designer-user-creati-1">Designer user creation</span>

### <span class="mw-headline" id="bkmrk-creating-users-1">Creating users</span>

Users are created in one of the following places:

- DESIGNER > Users > Add new user
- DESIGNER > Users > Edit users > Add
- DESIGNER > Users > Mass create

During creation, remember to check the "Active" checkbox if you want the user to be available right away. Note that this will trigger the automated Welcome message for the user. Sending this message to inactive users after the initial creation requires you to manually check the options "Reset password and email to user" and "Include welcome message".

### <span class="mw-headline" id="bkmrk-customizing-messages-1">Customizing messages</span>

The user messages can be configured in:

- DESIGNER > Modules > Static content > "Template.WelcomeUser"
- DESIGNER > Modules > Static content > "Template.PasswordReset"

For user invitations and password resets, the following tags will be populated:

- {APPLICATION}
- {LOGINURL}
- {USERNAME}
- {PASSWORD}

## <span class="mw-headline" id="bkmrk-frontend-user-creati-1">Frontend user creation</span>

Normal users can be allowed to create new users, if their profile allows it.

- DESIGNER > Users > Edit users > \[user in question\] > "User creator/editor"

With this permission, the user can create users by pressing the "create user" button in the main menu. The dialog will prompt for basic user information, as well as which groups the new user should be a member of.

The following restrictions apply:

1. Exclusive group will always be copied
2. Only groups to which the creator belongs may be used
3. At least one group membership must be cloned

After the user is created, a welcome message will be sent to the user.

Note: It is not possible for normal users to edit other users after they are created.

# User Group Membership

Tempus Serva uses a classic permission structure with some minor extensions.

**Users**

- User profiles can be bound to existing AD/LDAP repositories
- Special properties on users include 
    - Administrator: Allow access to backend
    - Data handler: Bulk upload data
    - User creator

**Membership** is the relation between a user and a group

- Previous memberships are logged in the database for forensic purposes

**Groups** are lists of users tied to certain permissions in solutions

[![image.png](https://docs.tsnocode.com/uploads/images/gallery/2025-08/scaled-1680-/dpw4oJBDwV3MJrB5-image.png)](https://docs.tsnocode.com/uploads/images/gallery/2025-08/dpw4oJBDwV3MJrB5-image.png)

## <span class="mw-headline" id="bkmrk-subgroups-1">Subgroups</span>

If the policy doAdvancedGroupSecurity is enabled, subgroups are enabled, i.e. groups can be nested under each other.

### <span class="mw-headline" id="bkmrk-assigned-groups-1">Assigned Groups</span>

When using subgroups with Assigned groups, the parent group gains access equal to all the subgroups.

This can be used to create a super-user group that has all other groups as subgroups, thus allowing access to the entire system, without granting the super-user group direct access.
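The inheritance described above means a review of direct grants alone will not show what a parent group can reach. The following added example (not Tempus Serva code) models it in Python so that inherited access can be listed for audit; the group names, solution names and data layout are constructed, and it assumes nesting applies transitively across more than one level.

```python
# Added illustration: a model of nested-group access, not Tempus Serva code.
# Group names, solution names and the dict layout are constructed assumptions.

# parent group -> direct subgroups (groups without subgroups are omitted)
SUBGROUPS = {
    "SuperUsers": ["Sales", "Finance"],
    "Sales": ["Sales-North", "Sales-South"],
}

# group -> solutions the group is directly assigned to
DIRECT_GRANTS = {
    "SuperUsers": set(),  # no direct access, as in the super-user pattern above
    "Sales": {"CRM"},
    "Finance": {"Invoices"},
    "Sales-North": {"Leads-North"},
    "Sales-South": {"Leads-South"},
}


def descendants(group, subgroups=SUBGROUPS):
    """Return every group nested under `group`, at any depth (assumed transitive)."""
    seen, stack = set(), list(subgroups.get(group, []))
    while stack:
        g = stack.pop()
        if g in seen or g == group:  # tolerate an accidental cycle in the nesting
            continue
        seen.add(g)
        stack.extend(subgroups.get(g, []))
    return seen


def effective_grants(group, subgroups=SUBGROUPS, grants=DIRECT_GRANTS):
    """Direct grants of `group` plus the grants of all groups nested under it."""
    result = set(grants.get(group, set()))
    for g in descendants(group, subgroups):
        result |= grants.get(g, set())
    return result


def inherited_only(subgroups=SUBGROUPS, grants=DIRECT_GRANTS):
    """Per group, the access held only through nesting (missed by a direct-grant review)."""
    report = {}
    for group in grants:
        extra = effective_grants(group, subgroups, grants) - grants[group]
        if extra:
            report[group] = sorted(extra)
    return report
```

Calling `inherited_only()` on the sample data reports `SuperUsers` and `Sales`, the two groups whose reach is larger than their direct assignments suggest.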

### <span class="mw-headline" id="bkmrk-exclusive-groups-1">Exclusive Groups</span>

When using subgroups with Exclusive groups, the parent group gets access to all records tagged with the subgroups.

This can be used to create sub-departments with a supervisor who has access across them.