Groups are the central way to control access in Sapera. You divide your users into groups, and it is the group that determines what the members may see and do in the system. You can, for example, create the groups "Warehouse employees", "Accounting team", "Cashiers" and "Administrators" and give each group exactly the permissions it needs.
Instead of assigning permissions to each individual user, you set the permissions once on the group. When a new employee needs the same access as their colleagues, you simply add the user to the right group.
Open Financial from the hamburger menu, and go to Security and then Groups. You now get an overview of all the groups created in Sapera.
If you cannot see the menu item, you probably lack permissions to manage security. Contact support if you believe you should have access.
The overview shows each group's display name. You can also display the columns Id and Last updated by, but they are hidden by default. If you have many groups, you can use the search function at the top to find a specific group; see How to search in lists.
Click the button with the white + at the top of the Groups page. Fill in the fields, and click Save.
Name: The system name of the group. This is the name Sapera internally recognizes the group by. The name is required and must be unique — you cannot reuse a name that is already used by another group or by a user. For system groups, the name cannot be changed.
Display name: The name shown in Sapera. This is the name your employees see. The field is required.
Description: A free text field where you can describe the group's purpose.
Select the group in the list, and click the pencil button — or double-click directly on the row. The edit screen opens, where you can correct the group's information and work with the tabs described below.
When you are done, click Save to save your changes, or Cancel to discard them and close without saving.
Note that the system groups Administrators, All and Users have limited editing options. Their system name cannot be changed, and they cannot be deleted (see below).
Select the group in the list, and click the delete button.
A group can only be deleted if two conditions are met:
It must not be a system group. Administrators, All and Users are fixed system groups and can never be deleted.
It must not have members. If the group still has users or other groups as members, you get an error message indicating at which levels there are members. Remove all members first (see the Members per OU tab), and then try to delete again.
The Permissions tab is the core of a security group. This is where you determine what the group's members are actually allowed to do in Sapera.
You set up two kinds of permissions:
Content permissions control which data and which parts of the system the group has access to.
Function permissions control which actions the group's members may perform.
Assign only the permissions the group actually needs. This is where the difference between, for example, a cashier and an administrator is decided. A user gets the sum of the permissions from all the groups the user is a member of.
On this tab you see and control which other groups this group itself is a member of. A group can thus be a member of another group and thereby inherit its permissions. This makes it possible to build up permissions in layers — for example, a specialized group can be a member of a more general group and get its base permissions on top of its own.
Here you add and remove the group's members — both users and other groups. The members are divided by organizational units (OU), so you can manage membership per unit.
This is also where you remove members before you can delete a group.
This tab gives a combined overview of all the group's members — both those who are added directly, and those who are inherited through membership of underlying groups. Use it to quickly see who ultimately has access via the group.
The Group info tab shows traceability information about the group:
Created by and Created on show who created the group, and when.
Updated by and Updated on show who last changed the group, and when.
Group id shows the group's unique id in the system.
The three member tabs — Group membership, Members per OU and All members — are only shown if you have permission to change members in groups (technically controlled by `canChangeTrusteesInGroup()`). If you lack this permission, you do not see the tabs. Similarly, the button for token period settings below requires permission to read settings (`canReadSettings()`). Contact support if you expect to see tabs or buttons that are not available.
In the edit form there is a Settings button that opens the dialog for token period settings. The button is only active if you have permission to read settings.
A "token" is the access key Sapera issues when a user logs in. It determines how long the user stays logged in, and how often access is renewed automatically. Here you can adjust these periods for the group:
Access token valid for minutes: How long a user's active session is valid before it must be renewed. Specified as a whole number of minutes and cannot be set lower than the system's minimum.
Automatic refresh token valid for minutes: How long access can be renewed automatically without the user having to log in again. Must be at least as long as the access token period.
Number of days a user can be inactive before the account is locked: How many days a user may go without activity before the account is locked. This field is only shown for the system group All and is specified as a whole number of days greater than zero.
Brute force defense: A checkbox that enables protection against repeated login attempts. It is recommended to leave this enabled for security reasons.
Click OK to save the settings.
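The constraints on the token period fields above can be checked across many groups at once. This is an added example, not Sapera's own code: the field names, the export layout and the minimum of 5 minutes are assumptions (the page does not state the system minimum), and the sample data is constructed.

```python
# Added example: field names and the minimum below are assumptions, not Sapera's own.
SYSTEM_MIN_ACCESS_MINUTES = 5  # placeholder; the page does not state the real minimum

def _whole(value):
    """True for a whole number; bool is excluded although it subclasses int."""
    return isinstance(value, int) and not isinstance(value, bool)

def check_token_settings(group, settings, system_min=SYSTEM_MIN_ACCESS_MINUTES):
    """Return a list of findings for one group's token period settings."""
    findings = []
    access = settings.get("access_minutes")
    refresh = settings.get("refresh_minutes")
    access_ok = _whole(access) and access >= system_min
    if not access_ok:
        findings.append("access token period must be a whole number >= system minimum")
    if not _whole(refresh):
        findings.append("refresh token period must be a whole number of minutes")
    elif access_ok and refresh < access:
        findings.append("refresh token period is shorter than the access token period")
    if "inactive_days" in settings:
        days = settings["inactive_days"]
        if group != "All":
            findings.append("inactivity lock is only set on the system group All")
        elif not _whole(days) or days <= 0:
            findings.append("inactivity lock must be a whole number of days > 0")
    if not settings.get("brute_force_defense", False):
        findings.append("brute force defense is disabled")
    return findings

# Constructed sample export: one sound group, three with problems.
SAMPLE = {
    "All": {"access_minutes": 15, "refresh_minutes": 480, "inactive_days": 90, "brute_force_defense": True},
    "Cashiers": {"access_minutes": 60, "refresh_minutes": 30, "brute_force_defense": True},
    "Accounting team": {"access_minutes": 2, "refresh_minutes": 120, "brute_force_defense": False},
    "Administrators": {"access_minutes": 10, "refresh_minutes": 10, "inactive_days": 0, "brute_force_defense": True},
}

def audit(export):
    """Map each group with at least one finding to its findings."""
    report = {}
    for group, settings in export.items():
        findings = check_token_settings(group, settings)
        if findings:
            report[group] = findings
    return report

if __name__ == "__main__":
    for group, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{group}: {finding}")
```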
Groups are defined under Financial, in Security and then Groups. On the Permissions tab, specific content and function permissions are linked to the group, and on the Members per OU tab, users (and possibly other groups) are linked to the group as members.
The permissions are used throughout Sapera: every time a user opens a screen or attempts an action, access is decided based on the sum of permissions from the groups the user is a member of — including inherited permissions from groups that the user's groups are themselves members of. The token periods control how long the user's login remains valid. In this way, the groups are the overall hub for who has access to what in the system.
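The rule above (a user gets the sum of permissions from all groups, including groups that those groups are members of) is worth modelling when you review who ends up with what. This is an added example, not Sapera's code: the permission strings, user names and data layout are constructed, and the cycle guard is a defensive assumption, since the page does not say whether circular memberships are possible.

```python
# Added example: models the group semantics described on this page.
# Permission strings, user names and the data layout are constructed.

# group -> permissions set directly on its Permissions tab
GROUP_PERMS = {
    "Users": {"content:own-profile"},
    "Cashiers": {"content:sales", "function:register-sale"},
    "Accounting team": {"content:ledger", "function:post-entry"},
    "Administrators": {"function:manage-security"},
}
# group -> groups it is itself a member of (the Group membership tab)
MEMBER_OF = {
    "Cashiers": {"Users"},
    "Accounting team": {"Users", "Cashiers"},
    "Administrators": {"Users"},
}
# user -> groups the user is a direct member of
USER_GROUPS = {
    "anna": {"Cashiers"},
    "bo": {"Accounting team"},
    "carl": {"Administrators", "Cashiers"},
}

def reachable_groups(start_groups, member_of):
    """All groups reached by following 'is a member of' links; safe on cycles."""
    seen, stack = set(), list(start_groups)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen

def effective_permissions(user):
    """Union of permissions over the user's direct and inherited groups."""
    perms = set()
    for group in reachable_groups(USER_GROUPS.get(user, ()), MEMBER_OF):
        perms |= GROUP_PERMS.get(group, set())
    return perms

def all_members(group):
    """Users who get the group's permissions directly or through nested groups."""
    return {u for u, direct in USER_GROUPS.items()
            if group in reachable_groups(direct, MEMBER_OF)}

def holders_of(permission):
    """Audit view: user -> sorted groups through which the permission is granted."""
    report = {}
    for user, direct in USER_GROUPS.items():
        via = sorted(g for g in reachable_groups(direct, MEMBER_OF)
                     if permission in GROUP_PERMS.get(g, set()))
        if via:
            report[user] = via
    return report
```

Here `bo` is only a direct member of "Accounting team" but can still register sales, because that group is a member of "Cashiers"; `holders_of` surfaces that kind of indirect grant.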