Disabling the Everyone User Group

Overview

In certain scenarios, the Everyone group might not be wanted. This is the case for a Virtual Operations Center (VOC) use case, but also can also be the case if using Windows Auth and managing all user groups and memberships in Active Directory. This knowledge-base article describes how to disable the Everyone user group for those use cases.

Configuration

In the Seeq administration, it’s possible to disable the Everyone user group just like any other user group:

When disabling the Everyone user group, it’s also possible to remove any permissions for the group:

Removing the permissions for the Everyone group is not strictly necessary, but will avoid access control entries for the Everyone user group showing up in access control lists. Disabled groups will appear with a yellow warning triangle in access control entries like the following screenshot:

When disabling the Everyone user group, access control for data sources will have to be handled manually by a Seeq administrator, which is not the case when the Everyone groups is enabled. When the Everyone group is enabled, all data sources will by default be readable by the Everyone user group, but when it’s disabled only the creator of the datasource will have permissions to it by default.

Recommended Workflow

The following are the recommended steps to disabling the Everyone user group.

1. Create top level user groups, either in Seeq or in Active Directory if Windows authentication is used for logging into Seeq. If groups are created in an external datasource, wait for it to sync before continuing to the next step.

2. Update access control settings for existing datasources, so the necessary groups have access to the datasources they need. This can be done on the Datasource tab of the administration panel.

3. Optional: Update group ACLs to allow different groups and users in those groups to see each other. This is only needed if there’s a need to share workbooks across groups which don’t have access to each other.

4. Disable the Everyone group in the Seeq group administration tab

5. Test the settings by logging in as various (non-admin) users, making sure users can access necessary datasources and groups/users. 

6. If you’re not satisfied with the changes, you can either fix the ACLs on datasources and/or groups, or re-enable the Everyone group to “revert”, for example if changes need to be made in Active Directory and those have to sync to Seeq before continuing the setup.

7. Optional: When satisfied with the changes, edit the Everyone group, click “Remove permissions” to remove permissions for the Everyone group from all items.