I’ve sent in a couple feature requests to the Shotgun Roadmap on this subject and I’d like to share my submissions here for more community involvement / evolution of the ideas:
Permissions Management: CSV Import / Export
Difficulty - Considered easy, but possibly difficult depending on architecture.
Importance - Medium, Convenience
Impact - Administration only
The tedium involved with setting permissions and re-defining the permissions for multiple levels simultaneously is incredibly laborious.
If we (as administrators) have the ability to:
Export the permissions of our current shotgun instance to a CSV file
Edit them together on a spreadsheet and then
Re-import them back into Shotgun to apply the changes
This could allow us to:
Maintain many Role permissions simultaneously
Version control the Permissions changes (with reasoning behind why a change was made)
Have a reference document we could distribute in case we ever get the question from an individual: “What am I allowed to do in Shotgun?”
Permissions Management: Tiered Permission Relationships
Difficulty - Hard
Importance - High, Quality of Life
Impact - All Management ‘tiers’
Shotguns’ default Permission-HumanUser page has only 3 preset templates to choose from.
Admin - Manager - Artist
None of these Roles have any relationships between them, and there is a seemingly arbitrary set of access rules and permissions applied to each template.
It is my understanding that these rules and conditions are dictated by Shotgun Support as a guideline and the recommendation has been to grant most users a very lenient and high level of permission across the studio. - We have 300+ individuals.
Focusing on Education about what you “should” or “should not” do is a utopian concept and (in my experience) an exercise in futility. Trusting people to be self-disciplined and restrained to only touch the things which apply to them on a day-to-day basis is unrealistic.
I suggest a way of organizing Roles and creating a Tiered permissions system.
We have designs for 3+ different tracks of permission Roles to apply to HumanUsers at the studio with Administrators at the highest level.
— Roles —
- Administrator (Head of IT / Head of Pipeline)
Technical Support (IT / Jr.Admin)
Technical Director (Pipeline)
Technical Artist (Jr.Pipeline / Artist)
Senior Manager (Executives / Studio-wide Management)
Manager (Show Producers)
— Description —
Based on the roles defined above, I would like the ability to link hierarchy such as:
2 > 3 > 4
5 > 6 > 7 > 8 > 9 > 10
1 - Isolated
(1 >) 2 > 3 > 4
(… 3 >) 5 > 6 > 7
(… 5 >) 6 > 8 > 9 > 10
These relationship links would allow for permissions to propagate for setting upstream and un-setting downstream.
Example: Setting Upstream
If the permission to “Create Asset” was set in level 7, it would apply upstream and grant the ability to “Create Asset” for roles 6 and 5 respectively.
Example: Un-setting Downstream
If the permission to “Create Asset” was removed from level 9, it would also be removed from level 10.
— Noteworthy Case Studies —
Missed Permission: Administrators regularly have issues where a permission is removed from a mid-level Role due to some incident - only to discover months later that a “lower” tier still has the permission to do that thing.
Self-management: As the Manager (6) of a show/department, I want to “promote” one of my Artists (10) to a Lead (9)
Currently: I am required to make a request to IT / Pipeline to make the permission change.
Under a tiered system, it might be possible to upgrade that Artist (10) to a maximum role permission ranking of Supervisor (8) or Coordinator (7)
Exception: Admin/Owner - Should be able to designate additional Admins.
As an Administrator, I would like to enable a certain degree of control for elevation of permissions of a Track’s dependencies - Allowing a Department supervisor to designate their own Leads.
Problem: With the way it is now, if any individual has the ability to 1-See, 2-Edit a “HumanUser” permission level - They also have the ability to elevate their own user Role to “Administrator” and bypass all permissions restrictions.
Solution: Under a tiered system, a HumanUser would not be able to elevate themselves “higher” than their current level, and they would not be able to Create or Promote another HumanUser beyond their current tier.
Problem: We recently had a “Lead” alter the design of the “Playlist” details page in a way which actually locked out and restricted access to anyone other than “Lead” level. - Administrators were unable to see / design / edit the page.
Just a few thoughts on the subject