Purpose:
Permission sets in FOLIO are built to allow local user administrators to quickly authorize users to perform functions in FOLIO. This document describes policies for creating new permission sets and managing existing permission sets
Scope:
...
The creation of new permission sets and continued maintenance of existing permission sets
Description:
Permission Sets were initially built based on workflows used by 5C Libraries and minimum permissions that would allow a user to perform a function without an error. They were intended to be flexible enough that 5C members could assemble combinations of permissions for their users while still allowing the sets to be centrally administered.
...
FOLIO Domain is an informal group of related modules in FOLIO. When multiple modules are used as part of a single workflow OR a module requires another module to function, they are considered a domain. Examples would include Organizations, Orders, Invoices and Receiving, as Orders domain; or Orders, Agreements, eHoldings and Organizations, as E-resource management domain.
Creation and maintenance of Permission Sets
As FOLIO continues to evolve, it will be necessary to add or remove permissions from permission sets. This is necessary either to grant users access to additional functionality as new features are added, or to maintain existing functionality as application permissions change.
Permission sets have been designed to allow users to perform all steps of workflows in a FOLIO Domain with a single set.
Example: an agreement workflow requires creating and assigning an organization, therefore the permission set should include both create agreements and create organizations
If a module will raise an error if a user tries to perform a function because permission for another module is required, then that permission should be included in the set
A set should always include the minimum permissions required to do the task
Example: If a workflow requires create/edit/view an order, and view a User, the permission set should only grant the ability to view a user (the minimum permission) but to create/edit/view an order (a high level permission)
Permission sets are designed to have degrees of permission to allow higher level tasks to be performed
Each higher level permission set should include the lower level permission set for ease of management
Invisible permissions should never be mixed with permissions in a set
Add-On sets
In some cases it may be preferable to grant permission sets that do not meet the above criteria. These “Add-On Sets” are only valid with the use of other sets.
...
The most common use case for this is Data import. Data import requires a large number of permissions to function, in addition to permissions required to access the app. It is used by a small number of users.
Invisible sets
Invisible permissions should only be created under special circumstances, the most common of which is when a permission does not include all the needed invisible, immutable permissions. Because there may be errors that occur if a permission and invisible permission are included on the same set, invisible permissions should be grouped into a permission set, and that set should be assigned as necessary.
Integration Users
Third party FOLIO integrations typically require a FOLIO user to perform their functions. This user requires permissions like any other user. A FOLIO integration can perform any function a user can perform, but lacks the restrictions of working in a user interface, and may circumvent business logic. Integrations are designed for one purpose and will not need the full range of permissions that a user has in the FOLIO User Interface.
Integration Users should only be given the permissions needed to function. They should not be given permission sets.
In extreme cases where integration requires a permission that grants overly broad access, a more limited invisible permission may be considered.
See Integration usersfor more information