Overview of User Roles and Group Permissions in ScreenSteps
Understanding how user roles and group permissions have changed between the Legacy and New versions of ScreenSteps is essential for migrating to the new permissions without accidentally granting users more access and responsibilities within ScreenSteps. The platform has undergone significant changes in how it structures user types and group permissions, which can impact users who belong to groups within ScreenSteps.
Key Terms
Familiarity with the following terms will help in understanding the differences between Legacy and New ScreenSteps:
- Admin / Account Admin: Users with the highest level of control and access.
- Contributor: Users who can edit, publish, or manage content (only in Legacy ScreenSteps).
- Reader: Users who can only view content (only in Legacy ScreenSteps).
- Site User: The general user role in the New ScreenSteps system.
- Group: A collection of users who share certain permissions.
- Permission Escalation: When a user gains more access than intended, often due to changes in permission structures.
Legacy ScreenSteps: Role-Based Group Permissions
In Legacy ScreenSteps, there were three main user types: Admin, Contributor, and Reader. Groups in this system were polymorphic, meaning a single group could contain both Readers and Contributors. Permissions were evaluated based on each user's role within the group.
This design allowed for "mixed-role groups," where different users in the same group had different levels of access. Importantly, being in a group with contributor permissions did not grant a Reader contributor abilities.
New ScreenSteps: Structural Shift in Permissions
The New ScreenSteps system introduces a structural change in how permissions are assigned and inherited:
- There are now two main user types: Account Admin and Site User.
- Permissions are assigned directly to users and inherited from groups.
- Within a group, permissions are not differentiated by user role—every site user in the group receives the same permissions.
This means there is no longer a concept of "This group allows contributing, but only for contributors." All users in a group inherit the group's permissions equally.
Why It Matters: Risks During Migration
When migrating from Legacy to New ScreenSteps, there is a risk of permission escalation. In Legacy, a group could have both contributors and readers, but only contributors could edit content. In the New system, if a group had contributor-level permissions and contained both types, all users—including former readers—would inherit contributor permissions and be able to edit content.
- All users in a migrated group become site users.
- All inherit the group's contributor permissions, regardless of previous role.
- This can unintentionally allow former readers to edit content.
- Understanding these changes is critical to prevent unwanted permission escalation.
- Careful review of group memberships and permissions is necessary during migration.
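A pre-migration audit of the risk described above, as an added example that is not ScreenSteps code: it flags every Legacy group that carries contributor permissions and also contains Readers, since those Readers would inherit edit rights as site users. The data layout (`LEGACY_USERS`, `LEGACY_GROUPS`, the `grants_contributor` field) is a constructed assumption, not a ScreenSteps export format.

```python
# Constructed sample data: user -> Legacy role. Not a real ScreenSteps export.
LEGACY_USERS = {
    "alice": "admin",
    "bob": "contributor",
    "carol": "reader",
    "dave": "reader",
    "erin": "contributor",
}

# Constructed sample data: group -> whether it carries contributor permissions,
# plus its members. "frank" has no recorded role, to exercise the unknown case.
LEGACY_GROUPS = {
    "Support Docs": {"grants_contributor": True, "members": ["bob", "carol", "dave"]},
    "Read Only KB": {"grants_contributor": False, "members": ["carol", "erin"]},
    "Authors": {"grants_contributor": True, "members": ["bob", "erin"]},
    "Onboarding": {"grants_contributor": True, "members": ["alice", "frank"]},
}


def find_escalations(users, groups):
    """Return {group: {"readers": [...], "unknown": [...]}} for mixed-role groups.

    In Legacy, a Reader in a contributor group still could not edit. After
    migration every site user in the group inherits the group's permissions,
    so each Reader listed here would gain contributor abilities.
    Members with no recorded role are reported separately for manual review.
    """
    findings = {}
    for name, group in groups.items():
        if not group["grants_contributor"]:
            continue  # view-only group: nothing extra to inherit
        readers = sorted(m for m in group["members"] if users.get(m) == "reader")
        unknown = sorted(m for m in group["members"] if m not in users)
        if readers or unknown:
            findings[name] = {"readers": readers, "unknown": unknown}
    return findings


def affected_readers(users, groups):
    """Unique former Readers who would gain edit rights in at least one group."""
    hits = find_escalations(users, groups).values()
    return sorted({u for f in hits for u in f["readers"]})


if __name__ == "__main__":
    for group, f in find_escalations(LEGACY_USERS, LEGACY_GROUPS).items():
        print(f"{group}: readers gaining edit={f['readers']} review={f['unknown']}")
```

Groups that appear in the output are the ones whose membership or permissions need review before they are migrated.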