Roles and Permissions: Difference between revisions
| Line 9: | Line 9: | ||
| !scope="row" colspan="2"| ||!scope="row" colspan="4"|Global roles||!scope="row" colspan="4"|Project roles | !scope="row" colspan="2"| ||!scope="row" colspan="4"|Global roles||!scope="row" colspan="4"|Project roles | ||
| |- | |- | ||
| !Permission||Allowed operations||(Global) Administrator||ModelCreator||Evaluator ([[User_Roles_and_Permissions_in_QPR_ProcessAnalyzer#Additional_Restrictions_for_Evaluator_Role|*]])||RunScripts | !Permission||Allowed operations||(Global) Administrator||ModelCreator||Evaluator ([[User_Roles_and_Permissions_in_QPR_ProcessAnalyzer#Additional_Restrictions_for_Evaluator_Role|*]])||RunScripts||Administrator||Analyzer||Designer||Viewer | ||
| |- | |- | ||
| ||GenericRead|| | ||GenericRead|| | ||
| Line 15: | Line 15: | ||
| * Open analyses for models | * Open analyses for models | ||
| * See own private filters, all published filters and the model default filter (not possible to create new filters) | * See own private filters, all published filters and the model default filter (not possible to create new filters) | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]] | ||
| |- | |- | ||
| ||GenericWrite|| | ||GenericWrite|| | ||
| Line 21: | Line 21: | ||
| * Create and modify filters for model | * Create and modify filters for model | ||
| * Import new data to models | * Import new data to models | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]|| | ||
| |- | |- | ||
| ||Filtering|| | ||Filtering|| | ||
| Line 27: | Line 27: | ||
| * Modify and delete own filters | * Modify and delete own filters | ||
| * Publish filters (not set model default filter) (published filters are still user's own, so other users cannot edit them even though they can see them) | * Publish filters (not set model default filter) (published filters are still user's own, so other users cannot edit them even though they can see them) | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| || | ||
| |- | |- | ||
| ||CreateModel|| | ||CreateModel|| | ||
| * Create projects. When a project is created, the creator gets project Administrator role for the project (givin full permissions to the project) | * Create projects. When a project is created, the creator gets project Administrator role for the project (givin full permissions to the project) | ||
| ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| || || || || | ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||DeleteModel|| | ||DeleteModel|| | ||
| * Delete models and datatables | * Delete models and datatables | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]|| | ||
| |- | |- | ||
| ||ManageViews|| | ||ManageViews|| | ||
| * Administrate filters | * Administrate filters | ||
| * View all filters in a model (also other users' private filters) | * View all filters in a model (also other users' private filters) | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||ManageProject|| | ||ManageProject|| | ||
| * Modify project information (name and description) | * Modify project information (name and description) | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||ManageIntegrations|| | ||ManageIntegrations|| | ||
| * View and manage data tables | * View and manage data tables | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||ManageReports|| | ||ManageReports|| | ||
| |||| || || || || || || | |||| || || ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||ManageOperations|| | ||ManageOperations|| | ||
| * Access [[Operation Log]] and terminate operations in progress | * Access [[Operation Log]] and terminate operations in progress | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||ManageUsers|| | ||ManageUsers|| | ||
| * Administrate users, e.g. create new users | * Administrate users, e.g. create new users | ||
| ||[[File:Tick.gif|center]]|| || || || || || || | ||[[File:Tick.gif|center]]|| || || ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||RunScripts|| | ||RunScripts|| | ||
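Review bot: in the ManageReports row, the new revision ticks only the project Administrator column, while the Allowed operations cell is empty and the (Global) Administrator cell stays unticked. Every other permission row in this hunk ticks (Global) Administrator. Either list the operations ManageReports covers and tick the global Administrator column, or state why this permission is the exception. The unchanged CreateModel line also carries the typo "givin".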
| Line 66: | Line 66: | ||
| || | || | ||
| || | || | ||
| ||[[File:Tick.gif|center]] || || || || | ||[[File:Tick.gif|center]] ||[[File:Tick.gif|center]]|| || || | ||
| |- | |- | ||
| ||ManageScripts|| | ||ManageScripts|| | ||
| * Create, modify and delete scripts | * Create, modify and delete scripts | ||
| ||[[File:Tick.gif|center]] | ||[[File:Tick.gif|center]] | ||
| || || || || || || || | || || || ||[[File:Tick.gif|center]]|| || || | ||
| |} | |} | ||
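Review bot: the added tick in the RunScripts row appears to fall in the project Administrator column, but the Script Permissions text on this page asks for global RunScripts in every context and mentions a project-level grant only for ManageScripts. State what a project-level RunScripts grant allows, or drop the tick if it has no effect.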
Revision as of 13:55, 18 October 2018
QPR ProcessAnalyzer uses role-based access control: every operation requires the appropriate rights. Rights are given to users and user groups by assigning them to roles, where a role is a collection of permissions. Permissions are fixed in QPR ProcessAnalyzer, and each permission covers a fixed list of operations that the user is allowed to perform. Roles are either bound to a project or global; a global role (and its permissions) applies to all the contents in the system. Users belonging to a user group always have all the roles assigned to that user group.
Global Roles
Global roles concern the whole QPR ProcessAnalyzer system and they are not bound to any specific projects or models. When using the Manage Users dialog, global roles can be assigned when <All> is selected from the project list.
By default, the QPR ProcessAnalyzer database contains the global roles that are shown as columns in the following table. The roles have been mapped to certain permissions that are described in the following table.
| | | Global roles | | | | Project roles | | | |
|---|---|---|---|---|---|---|---|---|---|
| Permission | Allowed operations | (Global) Administrator | ModelCreator | Evaluator (*) | RunScripts | Administrator | Analyzer | Designer | Viewer |
| GenericRead | | | | | | | | | |
| GenericWrite | | | | | | | | | |
| Filtering | | | | | | | | | |
| CreateModel | | | | | | | | | |
| DeleteModel | | | | | | | | | |
| ManageViews | | | | | | | | | |
| ManageProject | | | | | | | | | |
| ManageIntegrations | | | | | | | | | |
| ManageReports | | | | | | | | | |
| ManageOperations | | | | | | | | | |
| ManageUsers | | | | | | | | | |
| RunScripts | | | | | | | | | |
| ManageScripts | | | | | | | | | |
- Evaluator and ModelCreator get the project level Administrator role for the projects that they create. They can delete models in the projects where they are administrators.
- Models created by an Evaluator inherit the restrictions the current user has. These restrictions are in effect for all the imports targeting that model, no matter who is doing the import.
- Users with global level Administrator or ModelCreator role can always import new data into any model without restrictions. Note, however, that a user cannot import more data than what is allowed by the product activation limits.
Project Roles
Project roles are set for a specific project and affect user rights in that project. By default, the QPR ProcessAnalyzer database contains the roles that are shown as columns in the following table. The roles have been mapped to certain permissions that are described in the following table.
| | (Project) Administrator | Analyzer | Designer | Viewer |
|---|---|---|---|---|
| CreateModel | | | | |
| DeleteModel | | | | |
| Filtering | | | | |
| GenericRead | | | | |
| GenericWrite | | | | |
| ManageIntegrations | | | | |
| ManageOperations | | | | |
| ManageProject | | | | |
| ManageReports | | | | |
| ManageScripts | | | | |
| ManageUsers | | | | |
| ManageViews | | | | |
| RunScripts | | | | |
Group Roles
| | Administrator (Group) | Member | Hidden Member |
|---|---|---|---|
| Add/Remove Group Members | | | |
| Create Users to Group | | | |
| Add/Remove Project Access Rights of a User | | | |
| Open Model Accessible to Group Members | | | |
| See Unhidden Group Members | | | |
| See Hidden Group Members | | | |
If a group member is a project level Administrator, the user can add and remove project specific access rights for the group or for any individual member of the project.
Additional Restrictions for Evaluator Role
Evaluator has the following additional restrictions:
- Maximum number of models: 10
- Maximum number of events in a model: 1000
- Maximum number of event attributes in a model: 1000
- Maximum number of case attributes in a model: 1000
- Maximum number of data tables: 10
- Maximum number of rows in a data table: 1000
- Maximum number of columns in a data table: 1000
Model Permissions
Creation
A new model can be created only by users who have the global CreateModel permission. When a new model is created, the model size restrictions (e.g. maximum number of events, case attributes and event attributes) are copied from the user and stored in the model. This is done in order to prevent a global Evaluator user from creating a project administrator user (after creating a user group) and using that user to import more data into the model created by the Evaluator user than the Evaluator user's role allows.
Importing new data
A user may never import more data than is allowed by the product's activation. Model-specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission (e.g. global Evaluators) and users that don't have any global CreateModel permission may import into a model only the amount of data specified in the model's own restrictions.
Script Permissions
For viewing script definitions and running scripts, global RunScripts permission is needed. All scripts linked to the current context are available provided that the current user has permission to see the scripts in the context. The required permissions by context are:
- System context: No additional requirements.
- Project context: GenericRead permission for the project.
- Model context: GenericRead permission for the project of the model.
- User context: If the script is linked to the current user, then no additional requirements. If the script is linked to a group the current user belongs to, no additional requirements. If the script is linked to other users or user groups, global ManageScripts permission is required.
For script creation, modification, deletion and export, the following permissions are needed depending on the script context:
- System context: Global ManageScripts and RunScripts
- Project context: project level ManageScripts and global RunScripts
- Model context: project level ManageScripts and global RunScripts
- User context: Global RunScripts and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.
If Hide Script Details is set for the script, only users with modify permissions for the script can see the script code and log.
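The context rules above can be read as one deny-by-default decision function. The following is an added example, not QPR ProcessAnalyzer code; the `User` and `Script` classes and the function names are hypothetical, and denying modification of scripts linked to other users or to groups the user does not belong to is an assumption, since the page does not state those cases.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    global_perms: set = field(default_factory=set)
    project_perms: dict = field(default_factory=dict)  # project -> set of permissions
    groups: dict = field(default_factory=dict)         # group -> user group role

@dataclass
class Script:
    context: str             # "system", "project", "model" or "user"
    project: str = ""        # project of the script, or of the script's model
    linked_user: str = ""    # user context: the user the script is linked to
    linked_group: str = ""   # user context: the group the script is linked to
    hide_details: bool = False

def _in_project(user, script, perm):
    return perm in user.project_perms.get(script.project, set())

def can_run(user, script):
    """Viewing the definition and running: global RunScripts plus the context rule."""
    if "RunScripts" not in user.global_perms:
        return False
    if script.context == "system":
        return True
    if script.context in ("project", "model"):
        return _in_project(user, script, "GenericRead")
    if script.context == "user":
        own = script.linked_user == user.name or script.linked_group in user.groups
        return own or "ManageScripts" in user.global_perms
    return False  # unknown context: deny

def can_modify(user, script):
    """Creation, modification, deletion and export."""
    if "RunScripts" not in user.global_perms:
        return False
    if script.context == "system":
        return "ManageScripts" in user.global_perms
    if script.context in ("project", "model"):
        return _in_project(user, script, "ManageScripts")
    if script.context == "user":
        if script.linked_group:
            return user.groups.get(script.linked_group) == "GroupAdministrator"
        return script.linked_user == user.name  # assumption: other users' scripts denied
    return False

def can_see_code(user, script):
    """Hide Script Details narrows code and log visibility to users who can modify."""
    return can_modify(user, script) if script.hide_details else can_run(user, script)
```

Note that a project Administrator holding project-level ManageScripts still fails both checks without global RunScripts, which is the combination most likely to be missed when assigning roles.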
Data table Permissions
Viewing
To view data tables, ManageIntegrations and GenericRead permissions are needed.
Creating
Creating data tables requires global CreateModel permission. When a new data table is created, the data table size restrictions (maximum number of rows and columns allowed by the user's roles) are copied from the current user and stored for the data table. This is done in order to prevent a global Evaluator user from creating a project administrator user (after creating a user group) and using that user to import more data into the data table created by the Evaluator user than the Evaluator user's role allows.
Importing data
Data can be imported into a data table with project GenericWrite and ManageIntegrations permissions. CreateModel permission is required if the user is overwriting existing data in the data table, i.e. not appending. A user may never import more data than is allowed by the product's activation. Data-table-specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission and users that don't have any global CreateModel permission may import into a data table only the amount of data specified in the data table's own restrictions.
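The quota rule described under Model Permissions and repeated here for data tables binds the limit to the object rather than to the importing account. The sketch below is an added example, not QPR ProcessAnalyzer code. It models events in a model only (rows and columns of a data table follow the same pattern), the class and function names are hypothetical, and treating the activation limit as a cap on the model's total event count is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Global roles whose CreateModel permission is unrestricted (per the page).
UNRESTRICTED = {"Administrator", "ModelCreator"}
EVALUATOR_MAX_EVENTS = 1000  # Evaluator limit listed on the page

@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)
    project_perms: set = field(default_factory=set)  # permissions in the model's project

@dataclass
class Model:
    max_events: Optional[int]  # copied from the creator at creation; None = no model quota
    events: int = 0

def create_model(creator: User) -> Model:
    """Create a model and store the creator's size restriction on the model itself."""
    if creator.global_roles & UNRESTRICTED:
        return Model(max_events=None)
    if "Evaluator" in creator.global_roles:
        return Model(max_events=EVALUATOR_MAX_EVENTS)
    raise PermissionError("global CreateModel permission required")

def import_events(user: User, model: Model, count: int, activation_limit: int) -> bool:
    """Apply the import and return True if allowed; otherwise leave the model unchanged."""
    unrestricted = bool(user.global_roles & UNRESTRICTED)
    if not unrestricted and "GenericWrite" not in user.project_perms:
        return False                      # no right to import into this project
    total = model.events + count
    if total > activation_limit:          # applies to every user
        return False
    if not unrestricted and model.max_events is not None and total > model.max_events:
        return False                      # the model's own quota, not the importer's role
    model.events = total
    return True

if __name__ == "__main__":
    model = create_model(User("eve", {"Evaluator"}))
    delegate = User("delegate", project_perms={"GenericWrite"})  # account set up by eve
    print(import_events(delegate, model, 1500, 1_000_000))  # blocked by the model quota
    print(import_events(User("mc", {"ModelCreator"}), model, 1500, 1_000_000))
```

Because the check reads `model.max_events` instead of the importer's role, a delegated project administrator gains nothing over the Evaluator who created the model.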
Miscellaneous Operations Permissions
- Create a new model and project: Global CreateModel permission. The user is given the Administrator role in the created project (and thus also in the model).
- Add a model into a project: CreateModel permission for the target project. The model is moved into the target project and all old permissions are replaced by the permissions for the target project.
- Create a new model in an existing project: Global CreateModel and CreateModel permission for the target project.
- Move a model from a project to another: GenericWrite and DeleteModel permissions for the source project and CreateModel permission for the target project.
- Making modifications to a project object (renaming, deleting, restoring, changing description): ManageProject and GenericRead permissions for the project.
- Moving a project into recycle bin: DeleteModel and ManageProject permissions for the project.
- Restoring a project from recycle bin: Global GenericRead, CreateModel and ManageProject permissions.
- Deleting a project from the database: Global DeleteModel permission and ManageProject permission for the project.
- Creating a copy of a project: Global CreateModel permission and GenericRead and ManageProject permissions for the project.
