
Creating Staff Users and Assigning Permission Profiles

Local Admins have overall responsibility for creating, updating, and maintaining all staff accounts for their system except for CatCoord, Cat1, and LocalAdmin accounts. CatCoord, Cat1, and LocalAdmin accounts may only be created and updated by PINES staff at the request of the library system's director. CatCoord and Cat1 accounts require specialized training by the PINES Cataloging Specialist before being created.

The PINES/GPLS staff require the use of personalized Evergreen accounts for logging into Evergreen to perform staff functions. This eases troubleshooting, allows library staff to audit particular staff members' actions, and provides a more secure and accountable system. Use of generic staff logins (e.g., “WGRL-HQ-Circ1” and the like) is not permissible, unless a library uses the Evergreen self-check interface and prefers a separate login for those machines. In this case, an alert must be put on the account explaining the use for the account. Generic accounts are allowed for internal purposes such as ILL, book clubs, and storytimes only if they are designated the StaffNoPerm permission group. This allows the accounts to have staff borrowing privileges, without the ability to log in to the staff client.

It is important to remind library staff members that their personal library cards and their staff accounts are one and the same. Some staff users have gotten confused when they change their password via the OPAC and are then unable to log in to the staff client, for instance.

Hierarchical Permission Structure

Evergreen employs a hierarchical permissions structure in which “child” groups inherit permissions settings from “parent” groups. The basic group is “User”, which contains all Evergreen users. Above the “User” level are subcategories, including “Staff,” which contains a set of permissions that is inherited by all “Staff” group members. “Staff” is subdivided into “Administrator,” “Cataloger,” and “Circulator,” and each of these levels may also contain permissions that are inherited by their subgroup members. In the case of the “Administrator” group, a base set of administrative permissions is granted to the “GlobalAdmin,” “LocalAdmin,” and “LibraryManager” permissions groups, which are then assigned to individual users. See the diagram below for a visual representation of this structure.

Assigning a permissions group to a user grants them all of the permissions in the tree. This means that a LibraryManager assignment equates to granting all permissions in User + Staff + Administrator + LibraryManager, inclusive.

Permissions Scopes

Evergreen permissions are “scoped,” meaning that “boundaries” are set to limit staff actions to a single system or branch. In PINES, there are three scopes:

  1. Consortium: the permission applies to the staff member at any location in PINES.
  2. System: the permission applies to any location within the library system at which the staff member works.
  3. Branch: the permission applies to the individual library at which the staff member works.

Adding Custom Permissions

Staff users are assigned a set of permissions and, for the Administrator class of users, some of those permissions are grantable. A grantable permission is one that an administrative user can grant individually to a single user. This is done in the Administration > User Permission Editor interface by entering the user's library card barcode and checking the boxes beside the appropriate permissions. The User Permission Editor can also be accessed from a user's account via Other > User Permission Editor.

Though LocalAdmins have the ability to grant permissions, PINES/GPLS staff recommend caution when doing so, as customized permissions may cause problems down the line. For example, if a staff member changes employment positions at a library, their permissions profile group may change, but any custom permissions will continue to be assigned unless manually removed by the LocalAdmin. It would be beneficial to keep a record of such individualized changes.

Locally assigned permissions override permissions “inherited” through the hierarchy. For example, if the Circ2 profile has VIEW_USER assigned at the Consortium scope, and you assign that same permission to a specific Circ2 at the Branch scope, that staff member will be limited to viewing/accessing user accounts at their branch.

Permissions assigned at the permissions profile group level are not able to be removed on a per-user basis. LocalAdmins must assign a profile with fewer permissions to decrease the permissions level of a user.
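
The inheritance, scope, and override rules described above can be traced with a small model. This is an added example, not Evergreen or PINES code; the branch names, the placement of Circ2 under Circulator, and every grant in it are constructed for illustration.

```python
# Simplified model of the rules described above; not Evergreen's implementation.
# Org units, the Circ2 parent group and all grants are constructed sample data.
PARENT = {"User": None, "Staff": "User", "Administrator": "Staff",
          "Circulator": "Staff", "LibraryManager": "Administrator",
          "Circ2": "Circulator"}
GROUP_PERMS = {"Staff": {"STAFF_LOGIN": "Consortium"},
               "Circ2": {"VIEW_USER": "Consortium"}}
SYSTEM_OF = {"SYS-A-BR1": "SYS-A", "SYS-A-BR2": "SYS-A", "SYS-B-BR1": "SYS-B"}

def group_chain(group):
    """Profile groups whose permissions a member receives, root first."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain[::-1]

def effective_scope(user, perm):
    """Scope at which the user holds perm, or None if not held."""
    if perm in user["grants"]:          # per-user assignment overrides the profile
        return user["grants"][perm]
    scope = None
    for group in group_chain(user["profile"]):
        scope = GROUP_PERMS.get(group, {}).get(perm, scope)
    return scope

def allowed(user, perm, target_branch):
    """True if perm reaches target_branch from any of the user's working locations."""
    scope = effective_scope(user, perm)
    for loc in user["working_locations"]:   # no working location: nothing applies
        if (scope == "Consortium"
                or (scope == "System" and SYSTEM_OF[loc] == SYSTEM_OF[target_branch])
                or (scope == "Branch" and loc == target_branch)):
            return True
    return False

def change_profile(user, new_profile):
    """A job change swaps the profile only; per-user grants are left in place."""
    return {**user, "profile": new_profile}

def custom_grants_report(users):
    """Record of individualized permissions, for periodic review."""
    return sorted((u["name"], perm, scope)
                  for u in users for perm, scope in u["grants"].items())

if __name__ == "__main__":
    clerk = {"name": "clerk1", "profile": "Circ2", "grants": {"VIEW_USER": "Branch"},
             "working_locations": ["SYS-A-BR1"]}
    print(allowed(clerk, "VIEW_USER", "SYS-A-BR1"), allowed(clerk, "VIEW_USER", "SYS-A-BR2"))
```

Running `custom_grants_report` over all staff accounts after any position change shows which individualized grants survived the profile swap and still need manual review.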

Context Matters: Working Location and Workstation

Working Location

Evergreen permissions rely on the user's “working location.” Working locations are assigned through the User Permission Editor:

1) Go to Administration > User Permission Editor from the staff home page.

2) Input the staff member's barcode in the Patron Barcode field and click Submit.

3) Check the box next to the branch or branches where the staff member works.

4) Click Save. (Note that you will need to scroll down to the bottom of the screen to access the Save button.)

You can also access the User Permission Editor for a specific account by opening the staff member's account, clicking Other, and choosing User Permission Editor from the dropdown.

For staff who perform work at more than one location, each relevant location must be selected. For example, if a staff member who is assigned Circ1 permissions works at three different branches within the system, each branch should be selected as a working location.

If a working location is not set, staff will see white screens upon logging in.

Workstation

The other context Evergreen uses is the workstation location. See Registering a New Workstation for more information.

Personal Device Policy

If an employee needs to use a personal device to access the PINES staff client or PINES data, see:

PINES Personal Device Policy

admin/staffaccounts.txt · Last modified: 2023/08/31 13:38 by smorrison