Roles and Permissions: Difference between revisions

From QPR ProcessAnalyzer Wiki
 
(305 intermediate revisions by 2 users not shown)
Line 1: Line 1:
QPR ProcessAnalyzer has a role-based access control, where all operations require appropriate rights in order to be executable. rights are given to '''users''' and '''user groups''' by assigning users or groups to '''roles''', where roles are a collection of '''permissions'''. Permissions are fixed in QPR ProcessAnalyzer and there is a fixed list of operations behind a permission what user can do. Roles can be bound either to '''projects''' or be '''global''', which means that that role (and its permissions) is applicable for all the contents in the system. Users belonging to a user group, have always all the roles assigned to that user group.
QPR ProcessAnalyzer has a role-based access control, where all operations require appropriate rights in order to be executable. Rights are given to ''users'' and ''groups''' by assigning ''roles'' to them. Roles are a collection of ''permissions''. Permissions are fixed in QPR ProcessAnalyzer allowing certain operations to be done. Some roles are ''project roles'' meaning that role (and its permissions) is applicable only for that project. Roles can also be ''global'' which gives rights to all projects in the system. Users belonging to a group, have all the roles assigned to that group.
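
Review bot: the new intro line writes ''groups''' with two opening and three closing apostrophes, so the rendered page shows a stray apostrophe after "groups"; change it to ''groups''. The comma in "Users belonging to a group, have all the roles" should also be dropped.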


== Global Roles ==
== Roles and Permissions ==
'''Global roles''' concern the whole QPR ProcessAnalyzer system and they are not bound to any specific projects or models. When using the [[Manage Users in QPR ProcessAnalyzer Excel Client|Manage Users]] dialog, global roles can be assigned when '''<All>''' is selected from the project list.
By default, QPR ProcessAnalyzer system contains roles that are shown in the following table (roles are as columns). The roles have been mapped to certain ''permissions'' that are also shown in the following table (permissions are as rows).
 
By default, QPR ProcessAnalyzer database contains the global roles that are shown as columns in the following tables. The roles have been mapped to certain permissions that are describled in the following table.


{| style="color:black; cellpadding="10" class="wikitable"
{| style="color:black; cellpadding="10" class="wikitable"
!||(Global)&nbsp;Administrator||ModelCreator||Evaluator||RunScripts
!scope="row" colspan="2"| ||!scope="row" colspan="3"|Global roles||!scope="row" colspan="4"|Project roles
|-
|-
||GenericRead||[[File:Tick.gif|center]]|| || ||
!Permission||Allowed operations||Administrator||Create models||SQL Scripting||Administrator||Designer||Analyzer||Viewer
|-
|-
||GenericWrite||[[File:Tick.gif|center]]|| || ||
||'''View dashboards'''<br>(GenericRead)||
* View project's and model's information (name, description, configuration etc.)
* List datatables and view their contents
* Open dashboards (queries made by the dashboards are still restricted by the permissions)
* Run analyses for model and view the analysis results
* See own private filters, all published filters and the model default filter (not allowed to create/modify/delete filters)
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
|-
|-
||DeleteModel||[[File:Tick.gif|center]]|| || ||
||'''Save filters'''<br>(Filtering)||
* Create, modify and delete own filters (private and public, but not model default)
* Publish own private filters for other users (but not set the model default filter). Published filters are still user's own, so other users cannot modify them.
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|-
||CreateModel||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
||'''Design dashboards'''<br>(EditDashboards)||
* Create, modify and delete dashboards in the project.
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|-
||ResetDatabase||[[File:Tick.gif|center]]|| || ||
||'''Import data'''<br>(GenericWrite)||
* Import data to datatables, modify/remove rows in datatable, add/modify/remove columns in datatable
* Create, edit, delete design diagrams
* Edit model settings (but not possible to create or delete models)
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||||
|-
|-
||Filtering||[[File:Tick.gif|center]]|| || ||
||'''Manage filters'''<br>(ManageViews)||
* View, create, modify and delete all filters in the model (also other users' private filters).
* Set the model default filter.
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || ||
|-
|-
||ManageUsers||[[File:Tick.gif|center]]|| || ||
||'''Manage project'''<br>(ManageProject)||
* Modify project information, such as name and description.
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || ||
|-
|-
||ManageOperations||[[File:Tick.gif|center]]|| || ||
||'''Delete models'''<br>(DeleteModel)||
As a project specific permission:
* Moving model to recycle bin (soft deleting)
* Delete datatables (for datatables deletion is always permanent)
As a global permission:
* Permanently deleting models and projects (remove from the recycle bin)
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || ||
|-
|-
||ManageViews||[[File:Tick.gif|center]]|| || ||
||'''Manage scrips'''<br>(ManageScripts)||
* Create, modify and delete scripts in the project.
||[[File:Tick.gif|center]]
|| || ||[[File:Tick.gif|center]]|| || ||
|-
|-
||ManageReports||[[File:Tick.gif|center]]|| || ||
||'''Manage&nbsp;operations'''<br>(ManageOperations)||
* View the [[QPR_ProcessAnalyzer_Logs#Task_Log|Task log]]
* Terminate in progress tasks run by any user
||[[File:Tick.gif|center]]|| || || || || ||
|-
|-
||ManageIdeas||[[File:Tick.gif|center]]|| || ||
||'''Manage users'''<br>(ManageUsers)||
* Manage users, groups, roles and permissions. Also changing any user password is possible. Note that with this permission, user can assign any permissions to itself.
||[[File:Tick.gif|center]]|| || || || || ||
|-
|-
||ManageProject||[[File:Tick.gif|center]]|| || ||
||'''Create model'''<br>(CreateModel)||
* Create projects, models and datatables. When a project is created, the user gets project Administrator role for the project (giving full permissions to the project).
||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||||||||||
|-
|-
||ManageIntegrations||[[File:Tick.gif|center]]|| || ||
||'''SQL scripting'''<br>(RunScripts)||
|-
* Run SQL scripts in sandbox.
||RunScripts||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]
|||| ||[[File:Tick.gif|center]]|||| || ||
|-
||ManageScripts||[[File:Tick.gif|center]]|| || ||
|}
|}
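
Review bot: the new ManageScripts row is labelled '''Manage scrips'''; it should read '''Manage scripts'''. The table's opening line also carries style="color:black; cellpadding="10", where the style attribute is never closed before cellpadding begins; close the quote after color:black; so both attributes parse. Next to the ManageUsers row, which notes that a holder can assign any permission to itself, it would help to state that the unticked RunScripts cell for the global Administrator is therefore not a hard boundary.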


Examples of operations, that different roles can perform.
== User Management Concepts ==


{| style="color:black; cellpadding="10" class="wikitable"
[[File:User management schema.png|right|800px]]
!||(Global)&nbsp;Administrator||Model&nbsp;Creator||Evaluator||Run&nbsp;Script
|-
|Create Project  ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|View Project  ||[[File:Tick.gif|center]]|| || ||
|-
|Edit Project  ||[[File:Tick.gif|center]]|| || ||
|-
|Permanently Delete Project  ||[[File:Tick.gif|center]]|| || ||
|-
|Create Model  ||<center>Unlimited</center>||<center>Unlimited</center>||<center>Max. 10 models</center>||
|-
|View Model ||[[File:Tick.gif|center]]|| || ||
|-
|Import Data into Model ||<center>Unlimited</center>||<center>Unlimited</center>||<center>Max. 10 models with max. 1000 events,<br/>300 event attributes and case attributes each</center>||
|-
|Create Filters / Analyze Model ||[[File:Tick.gif|center]]|| || ||
|-
|Permanently Delete Model ||[[File:Tick.gif|center]]|| || ||
|-
|Create Data Table  ||<center>Unlimited</center>||<center>Unlimited</center>||<center>Max. 10 data tables</center>||
|-
|View Data Table ||[[File:Tick.gif|center]]|| || ||
|-
|Import Data into Data Table  ||<center>Unlimited</center>||<center>Unlimited</center>||<center>Max. 10 imported data tables with<br/>max. 1000 rows and 300 columns each</center>||
|-
|Delete Data Table ||[[File:Tick.gif|center]]|| || ||
|-
|Access Operation Log ||[[File:Tick.gif|center]]|| || ||
|-
|Run Scripts || || || ||[[File:Tick.gif|center]]
|}


Evaluator has the following additional restrictions:
User management in QPR ProcessAnalyzer is based on the following concepts (which are also illustrated in the diagram on the right):
* Maximum number of models: 10
* '''User''': Each person using the system should have an own user account. When a successful authentication has been made a ''session'' is created for a certain user. In addition to groups, roles can be assigned directly to users.
* Maximum number of event in a model: 1000
* '''Group''': Group contain selected roles and also selected users are assigned to the group, giving the roles to those users. Groups make managing users easier.
* Maximum number of event attributes in a model: 1000
* '''Role''': Role contains specific permissions and thus giving certain kind of rights in the system. There are commonly used roles available in QPR ProcessAnalyzer, and additionally new roles can be created for customized use cases. Roles can be divided into two types:
* Maximum number of case attributes in a model: 1000
** '''Global role''' are used to give rights in the entire QPR ProcessAnalyzer system.
* Maximum number of created integration tables: 10
** '''Project role''' are used to give rights in a certain project. When assigning projects roles, the project is also defined.
* Maximun number of rows in created integration table: 1000
* '''Permission''': Permission defines what user can do (e.g. read, create, modify, delete) to certain kinds of objects. Permissions are fixes in the system, i.e. new permissions cannot be added by users.
* Maximun number of columns in created integration table: 1000


* '''Evaluator''' and '''Model Creator''' get the '''Project administrator''' role for the projects that they create (see User Roles and Rights for Individual Projects below). They can delete models in the created projects only.
The diagram also includes term ''role assignment'' which links one user/group (either of those), one project, and one role together.
* Models created by an Evaluator inherit the restrictions the current user has. These restrictions are in effect for all the imports targeting that model, no matter who is doing the import.
* Users with '''Global Administrator''' or '''Model Creator''' role can always import new data into any model without restrictions. Note, however, that a user cannot import more data than what is allowed by [[Activating QPR ProcessAnalyzer|the product activation limits]].


== Project Roles ==
(In the diagram, ''0..N'' means that an entity is linked to none, one or several other entities, ''1..N'' means that an entity is linked one or several other entities, and ''1'' means that the linkage is always to a single entity.)
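
Review bot: in the new Permission bullet, "Permissions are fixes in the system" should read "fixed". The two role sub-bullets need number agreement ("Global roles are used", "Project roles are used"), "Group contain" should be "A group contains", and the closing parenthetical is missing "to" in "linked one or several other entities".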


By default, QPR ProcessAnalyzer database contains the roles that are shown as columns in the following tables. The roles have been mapped to certain permissions that are describled in the following table.
== Dashboard Permissions ==
* View dashboard: '''EditDashboards''' for the project.
* Create dashboard: '''EditDashboards''' for the project.
* Edit dashboard: '''EditDashboards''' for the project.
* Move dashboard: '''EditDashboards''' for the original project and for the target project.
* Delete dashboard (permanently): '''EditDashboards''' for the project.
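
Review bot: the new Dashboard Permissions list requires EditDashboards to view a dashboard, while the role table in the same revision lists "Open dashboards" under View dashboards (GenericRead) and ticks that row for Viewer, a role without EditDashboards. One of the two needs correcting, or the list should say which permission is actually checked when a dashboard is opened.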


{| style="color:black; cellpadding="10" class="wikitable"
== Model Permissions ==
!||(Project)&nbsp;Administrator||Analyzer||Designer||Viewer
* View model: '''GenericRead''' for the project.
|-
* Create model: '''GenericRead''' and '''GenericWrite''' for the project and global '''CreateModel'''.
||CreateModel||[[File:Tick.gif|center]]||||[[File:Tick.gif|center]]||
* Import model from pacm file: '''GenericRead''', '''GenericWrite''' and '''ManageViews''' for the project and global '''CreateModel'''.
|-
* Change model properties (e.g. name): '''GenericRead''' and '''GenericWrite''' for the project.
||DeleteModel||[[File:Tick.gif|center]]|| || ||
* Move model: '''GenericRead''' and '''DeleteModel''' for the source project, and '''GenericRead''' and '''GenericWrite''' for the target project.
|-
* Delete model (to bin): '''GenericRead''' and '''DeleteModel''' for the project.
||Filtering||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
* Delete model (permanently): global '''DeleteModel'''.
|-
* Copy model: '''GenericRead''' and '''GenericWrite''' for the project and global '''CreateModel'''.
||GenericRead||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
* Initiate model loading: '''GenericRead''' for the project (*).
|-
||GenericWrite||[[File:Tick.gif|center]]||||[[File:Tick.gif|center]]||
|-
||ManageIdeas||[[File:Tick.gif|center]]|| || ||
|-
||ManageIntegrations||[[File:Tick.gif|center]]|| || ||
|-
||ManageOperations||[[File:Tick.gif|center]]|| || ||
|-
||ManageProject||[[File:Tick.gif|center]]|| || ||
|-
||ManageReports||[[File:Tick.gif|center]]|| || ||
|-
||ManageScripts||[[File:Tick.gif|center]]|| || ||
|-
||ManageUsers||[[File:Tick.gif|center]]|| || ||
|-
||ManageViews||[[File:Tick.gif|center]]|| || ||
|-
||RunScripts||[[File:Tick.gif|center]]|| || ||
|-
||SqlImport||[[File:Tick.gif|center]]|| || ||
|}
 
{| style="color:black; cellpadding="10" class="wikitable"
!||(Project)&nbsp;Administrator||Analyzer||Designer||Viewer
|-
|View Project ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
|-
|Edit Project ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]||
|-
|Delete Project ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]||
|-
|View Model ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
|-
|Edit Model ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]||
|-
|Create Filters / Analyze Model  ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|Import Data into Existing Model ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]||
|-
|Delete Model ||[[File:Tick.gif|center]]|| ||[[File:Tick.gif|center]]||
|-
|View Data Table ||[[File:Tick.gif|center]]|| || ||
|-
|Import Data into Existing Data Table  ||[[File:Tick.gif|center]]|| || ||
|-
|Delete Data Table ||[[File:Tick.gif|center]]|| || ||
|}
 
== Group Roles ==
{| style="color:black; cellpadding="10" class="wikitable"
!||Administrator (Group)||Member||Hidden Member
|-
|Add/Remove Group Members ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
|-
|Create Users to Group ||[[File:Tick.gif|center]] || ||
|-
|Add/Remove Project Access Rights of a User ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|Open Model Accessible to Group Members ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
|-
|See Unhidden Group Members ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|See Hidden Group Members ||[[File:Tick.gif|center]]|| ||
|}
 
* If a group member is a '''Project Administrator''', he/she can add and remove project specific access rights for the group or for any individual member of the project.
 
== Description of Permissions==
 
* CreateModel: the user can create model(s) / datatable(s).
* DeleteModel: the user can delete model(s) / datatable(s).
* Filtering: the user can apply filters, i.e. create new views.
* GenericRead: the user can open the model.
* GenericWrite: the user can edit the model, e.g. create filters.
* ManageIdeas: the user can administrate the Collaboration Feed.
* ManageIntegrations: the user can make use of integration operations, such as manage Datatables.
* RunScripts: the user can run PA Scripts.
* ManageOperations: the user has access to the Operation Log and can for example terminate selected operations in progress in the QPR ProcessAnalyzer Service.
* ManageProject: the user can administrate Projects.
* ManageReports: the user can administrate Bookmarks.
* ManageUsers: the user can administrate users, e.g. create new users.
* ManageViews: the user can administrate Views.
* SqlImport: the user can import data to the QPR ProcessAnalyzer service.
 
== Filtering Permissions==
A user can view details of a filter for any filters created to a model the user has at least '''GenericRead''' permission. A filter is visible if the user has permissions for the model the filter belongs to and any of the following conditions is true:
* User has '''ManageReports''' or '''ManageViews''' permission for the project the model belongs to (e.g. has Administrator role for project or global)
* User is the creator of the bookmark.
* The publish mode of the bookmark is '''public'''.​​


== ETL Scripting Permissions ==
(*) The model loading might also require other permissions, e.g. access to the datatables or permissions required by the commands in the loading script. Models are not loaded using the permissions of the initiating user, but instead models are loaded in the following security context: '''GenericRead''' and '''GenericWrite''' for the project, global '''RunScripts'''. Models might also be loaded automatically during the server startup and this behavior ensures consistency regardless on how the model was loaded.
For viewing scripts, the Global '''RunScripts''' is needed. All scripts linked to the current context are available to be viewed provided that the current user has permission to see the scripts in the context. The required permissions by context are:
* System context: No additional requirements.
* Project context: '''GenericRead''' permission for the project.
* Model context: '''GenericRead''' permission for the project of the model.
* User context: If the script is linked to current user, then no additional requirements. If the script is linked to a group the current user belongs to, no additional requirements. If the script is linked to other users or user groups, global '''ManageScripts''' permission is required.


If '''Hide Script Details''' is set for the script, only users with modify permissions for the script can see the script code and log.
== Project Permissions ==
* View project: '''GenericRead''' for the project. (There are separate permissions for viewing dashboards/models/datatables/scripts in the project.)
* Create project: global '''CreateModel''', and '''GenericRead''' for the parent project (if creating a child project).
* Change project properties (e.g. name): '''GenericRead''' and '''ManageProject''' for the project.
* Move project: global '''CreateModel''', '''ManageProject''' for the moved project, '''GenericRead''' for the original parent project, and '''GenericRead''' for the target parent project (if target is not root level).
* Delete project (to bin): '''ManageProject''' and '''DeleteModel''' for the project.
* Delete project (permanently): global '''DeleteModel''' and '''ManageProject''' permission for the project.
* Copy project: Global '''CreateModel''' permission, and '''GenericRead''' and '''ManageProject''' for the copied project.


For script creation, modification, deletion and export, the following permissions are needed depending on the script context:
Note: Projects hierarchy doesn't generally affect the permissions, e.g., to see a project, permissions to its parent project are not required.
* System context: Global '''ManageScripts''', Global '''RunScripts'''
* Project context: '''ManageScripts''' for project, Global '''RunScripts'''
* Model context: '''ManageScripts''' for project of the model, Global '''RunScripts'''
* User context: Global '''RunScripts''' and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.


For running script the the Global '''RunScripts''' and view permissions are needed
== Datatable Permission ==
 
* List datatables, view datatable properties and data contents: '''GenericRead''' for the project.
== Integration Table Permissions ==
* Create datatable: '''GenericWrite''' for the project and global '''CreateModel'''.
Integration tables are linked to a single project. Permissions for that project are used when determining the permissions for accessing its integration tables. '''ManageIntegrations''' and '''GenericRead''' permission are required in order to be able to see integration tables.
* Change datatable properties, import data to datatable, modify/delete datatable rows, add/modify/delete datatable columns: '''GenericWrite''' for the project.
 
* Move datatable between projects: '''GenericWrite''' and '''DeleteModel''' to source project, '''GenericWrite''' for target project, and global '''CreateModel'''.
'''ManageIntegrations''' and '''GenericWrite''' permission are required in order to be able to create and modify integration tables.  
* Delete datatable (permanently): '''GenericWrite''' and '''DeleteModel''' for the project.
 
It is possible to give quotas for users bound to roles for the following attributes related to integration tables:
* Maximum number of created integration tables
* Maximum number of rows in created integration table
* Maximum number of columns in created integration table
 
== DataTable Permissions ==
=== Creation ===
New data table can be created only by users having global CreateModel permission. When creating a new data table, data table size restrictions (maximum number of rows and columns allowed by user's roles) are copied from current user and stored for the data table. This is done in order to prevent global evaluator user from creating a project administrator user (after creating an user group) and using that to import more data into the data table created by the evaluator user than is allowed by evaluator user's role.
 
===Importing new data ===
New data can be imported into a data table by any user having global or project specific GenericWrite and ManageIntegrations permissions. CreateModel permission is required if the user is not appending to an existing data table (is overwriting already existing data table). User may never import more data than is allowed by product's activation. Data table specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission (e.g., global evaluators) or users that don't have any global CreateModel permission may only import the amount of data into a data table specified in data table's own restrictions.
 
=== Viewing ===
In order to view created data tables, the following global or project specific permissions are required: ManageIntegrations, GenericRead.
 
== Model Permissions ==
=== Creation ===
New model can be created only by users having global CreateModel access right. When creating a new model, model size restrictions (maximum number of events, case attributes and event attributes allowed by user's roles) are copied from current user and stored for the Model. This is done in order to prevent global evaluator user from creating a project administrator user (after creating an user group) and using that to import more data into the model created by the evaluator user than is allowed by evaluator user's role.


=== Importing new data ===
== Filter Permissions ==
New data can be imported into a model by any user having global or project specific '''GenericWrite''' permission. User may never import more data than is allowed by product's activation. Model specific data quotas are ignored for users that have unrestricted global '''CreateModel''' permission. Users that have restricted global CreateModel permission (e.g., global evaluators) or users that don't have any global CreateModel permission may only import the amount of data into a model specified in model's own restrictions.
* View own private filters, all published filters, and model default filter: '''GenericRead''' for the project.
* View all filters: '''ManageViews''' for the project.
* Create filter: '''Filtering''' for the project.
* Edit own filters: '''Filtering''' for the project.
* Edit all filters: '''ManageViews''' for the project.
* Publish own filters: '''Filtering''' for the project.
* Publish all filters: '''ManageViews''' for the project.
* Delete own filters (permanently): '''Filtering''' for the project.
* Delete any filters (permanently): '''ManageViews''' for the project.
* Set model default filter: '''ManageViews''' for the project.


== Miscellaneous Operations Permissions ==
Note: When a filter is published, the filter still has owner which is applied for the permissions.
* Open analysis for a model: GenericRead permission for the project.
* Create new filter (include only, exclude etc.): Filtering permission for the project.
* Importing new data into an existing model: GenericWrite permission for the project.
* Create a new model and project: Global CreateModel permission. Administrator role is given for the user into the created project (and thus also model).
* Add a model into project: CreateModel permission for the target project. Model is moved into target project and all old permissions are replaced by the permissions for the target project.
* Remove a model from a project: DeleteModel permission for the project from which the model is removed.
* Create a new model into existing project: Global CreateModel and CreateModel permission for the target project.
* Move a model from a project to another: GenericWrite and DeleteModel permissions for the source project and CreateModel permission for the target project.
* Making modifications to a project object (renaming, deleting, restoring, changing description): ManageProject and GenericRead permissions for the project.
* Moving a project into recycle bin: DeleteModel and ManageProject permissions for the project.
* Restoring a project from recycle bin: Global GenericRead, CreateModel and ManageProject permissions.
* Deleting a project from the database: Global DeleteModel permission and ManageProject permission for the project.
* Creating a copy of a project: Global CreateModel permission and GenericRead and ManageProject permissions for the project.
* Creating an integration for a project: CreateModel permission for the project.
* Creating an integration job for an integration: GenericWrite permission for the project.
* Importing integration data into an integration job: GenericWrite permission for the project.
* Querying integrations and integration jobs: GenericRead permission for project the integration belongs to.
* Modifying existing integration or integration job objects: User has created the object and has GenericWrite permission for the project or user has ManageIntegrations permission for the project.
* Deleting existing integration objects: User has created the object and has DeleteModel permission for the project or user has ManageIntegrations permission for the project.
* Deleting existing integration job objects: User has created the object and has GenericWrite permission for the project or user has ManageIntegrations permission for the project.


== See Also ==
== Script Permissions ==
* [[QPR_ProcessAnalyzer_Model_JSON_Settings#Case_Permissions|Case Level Permissions Control]]
* View, call and run expression script: '''GenericRead''' for the project.
* [[Manage Users in QPR ProcessAnalyzer Excel Client]]
* Create, edit and delete expression script: '''ManageScripts''' for the project.
* [[QPR ProcessAnalyzer Use Cases#How to Publish Analysis Results to Others|How to Publish Analysis Results to Others]]
* View, call and run SQL script: global '''RunScripts''' and '''GenericRead''' for the project.
* Create, edit and delete SQL script: global '''RunScripts''' and '''ManageScripts''' for the project.


[[Category: User Rights]]
[[Category: QPR ProcessAnalyzer]]

Latest revision as of 20:55, 24 April 2024

QPR ProcessAnalyzer uses role-based access control: every operation requires the appropriate rights in order to be executable. Rights are given to users and groups by assigning roles to them. Roles are collections of permissions. Permissions are fixed in QPR ProcessAnalyzer, and each one allows certain operations to be done. Some roles are project roles, meaning that the role (and its permissions) applies only to that project. Roles can also be global, which gives rights to all projects in the system. Users belonging to a group have all the roles assigned to that group.

Roles and Permissions

By default, the QPR ProcessAnalyzer system contains the roles shown in the following table (roles as columns). The roles are mapped to the permissions that are also shown in the table (permissions as rows).

| Permission | Allowed operations | Global: Administrator | Global: Create models | Global: SQL Scripting | Project: Administrator | Project: Designer | Project: Analyzer | Project: Viewer |
|---|---|---|---|---|---|---|---|---|
| View dashboards (GenericRead) | View project's and model's information (name, description, configuration etc.); list datatables and view their contents; open dashboards (queries made by the dashboards are still restricted by the permissions); run analyses for model and view the analysis results; see own private filters, all published filters and the model default filter (not allowed to create/modify/delete filters) | ✓ | | | ✓ | ✓ | ✓ | ✓ |
| Save filters (Filtering) | Create, modify and delete own filters (private and public, but not model default); publish own private filters for other users (but not set the model default filter). Published filters are still user's own, so other users cannot modify them. | ✓ | | | ✓ | ✓ | ✓ | |
| Design dashboards (EditDashboards) | Create, modify and delete dashboards in the project. | ✓ | | | ✓ | ✓ | ✓ | |
| Import data (GenericWrite) | Import data to datatables, modify/remove rows in datatable, add/modify/remove columns in datatable; create, edit, delete design diagrams; edit model settings (but not possible to create or delete models) | ✓ | | | ✓ | ✓ | | |
| Manage filters (ManageViews) | View, create, modify and delete all filters in the model (also other users' private filters); set the model default filter. | ✓ | | | ✓ | | | |
| Manage project (ManageProject) | Modify project information, such as name and description. | ✓ | | | ✓ | | | |
| Delete models (DeleteModel) | As a project specific permission: moving model to recycle bin (soft deleting); delete datatables (for datatables deletion is always permanent). As a global permission: permanently deleting models and projects (remove from the recycle bin). | ✓ | | | ✓ | | | |
| Manage scripts (ManageScripts) | Create, modify and delete scripts in the project. | ✓ | | | ✓ | | | |
| Manage operations (ManageOperations) | View the Task log; terminate in progress tasks run by any user | ✓ | | | | | | |
| Manage users (ManageUsers) | Manage users, groups, roles and permissions. Also changing any user password is possible. Note that with this permission, user can assign any permissions to itself. | ✓ | | | | | | |
| Create model (CreateModel) | Create projects, models and datatables. When a project is created, the user gets project Administrator role for the project (giving full permissions to the project). | ✓ | ✓ | | | | | |
| SQL scripting (RunScripts) | Run SQL scripts in sandbox. | | | ✓ | | | | |

User Management Concepts

User management schema.png

User management in QPR ProcessAnalyzer is based on the following concepts (which are also illustrated in the diagram on the right):

  • User: Each person using the system should have their own user account. When a user authenticates successfully, a session is created for that user. In addition to groups, roles can be assigned directly to users.
  • Group: A group contains selected roles, and the users assigned to the group get those roles. Groups make managing users easier.
  • Role: A role contains specific permissions and thus gives certain kinds of rights in the system. There are commonly used roles available in QPR ProcessAnalyzer, and additionally new roles can be created for customized use cases. Roles can be divided into two types:
    • Global roles are used to give rights in the entire QPR ProcessAnalyzer system.
    • Project roles are used to give rights in a certain project. When assigning project roles, the project is also defined.
  • Permission: A permission defines what a user can do (e.g. read, create, modify, delete) to certain kinds of objects. Permissions are fixed in the system, i.e. new permissions cannot be added by users.

The diagram also includes the term role assignment, which links one user or group (either of those), one project, and one role together.

(In the diagram, 0..N means that an entity is linked to none, one or several other entities, 1..N means that an entity is linked to one or several other entities, and 1 means that the linkage is always to a single entity.)

Dashboard Permissions

  • View dashboard: EditDashboards for the project.
  • Create dashboard: EditDashboards for the project.
  • Edit dashboard: EditDashboards for the project.
  • Move dashboard: EditDashboards for the original project and for the target project.
  • Delete dashboard (permanently): EditDashboards for the project.

Model Permissions

  • View model: GenericRead for the project.
  • Create model: GenericRead and GenericWrite for the project and global CreateModel.
  • Import model from pacm file: GenericRead, GenericWrite and ManageViews for the project and global CreateModel.
  • Change model properties (e.g. name): GenericRead and GenericWrite for the project.
  • Move model: GenericRead and DeleteModel for the source project, and GenericRead and GenericWrite for the target project.
  • Delete model (to bin): GenericRead and DeleteModel for the project.
  • Delete model (permanently): global DeleteModel.
  • Copy model: GenericRead and GenericWrite for the project and global CreateModel.
  • Initiate model loading: GenericRead for the project (*).

(*) The model loading might also require other permissions, e.g. access to the datatables or permissions required by the commands in the loading script. Models are not loaded using the permissions of the initiating user. Instead, models are loaded in the following security context: GenericRead and GenericWrite for the project, global RunScripts. Models might also be loaded automatically during the server startup, and this behavior ensures consistency regardless of how the model was loaded.
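The role assignment concept and the model permission rules above can be modelled as a small access check. This is an added example, not QPR ProcessAnalyzer code: the users, group, projects and custom role names are constructed, and only the permission names and the per-operation requirements are taken from this page.

```python
# Added example: users, groups, roles and projects below are constructed.
GLOBAL = None  # project slot of a global role assignment

ROLES = {  # hypothetical custom roles built from the page's fixed permissions
    "Viewer": {"GenericRead"},
    "Modeler": {"GenericRead", "GenericWrite", "DeleteModel"},
    "Creator": {"CreateModel"},
    "Purger": {"DeleteModel"},
}
GROUPS = {"analysts": {"alice", "bob"}}
# Role assignment = (user or group, project or GLOBAL, role)
ASSIGNMENTS = [
    ("analysts", "Sales", "Modeler"),
    ("alice", "Finance", "Modeler"),
    ("alice", GLOBAL, "Creator"),
    ("bob", "Finance", "Viewer"),
    ("carol", GLOBAL, "Purger"),
]

def permissions(user, project):
    """Permissions the user holds for `project`; pass GLOBAL for global-only."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    held = set()
    for principal, scope, role in ASSIGNMENTS:
        # A global role applies everywhere; a project role only to its project.
        if principal in principals and scope in (GLOBAL, project):
            held |= ROLES[role]
    return held

# Requirements copied from the Model Permissions list: (scope key, permission).
MODEL_OPS = {
    "view": [("project", "GenericRead")],
    "create": [("project", "GenericRead"), ("project", "GenericWrite"),
               ("global", "CreateModel")],
    "move": [("source", "GenericRead"), ("source", "DeleteModel"),
             ("target", "GenericRead"), ("target", "GenericWrite")],
    "delete_to_bin": [("project", "GenericRead"), ("project", "DeleteModel")],
    "delete_permanently": [("global", "DeleteModel")],
}

def allowed(user, op, **projects):
    """projects maps scope keys (project/source/target) to project names."""
    return all(
        perm in permissions(user, GLOBAL if scope == "global" else projects[scope])
        for scope, perm in MODEL_OPS[op]
    )
```

In this sample data, bob can soft-delete a model in Sales through his group's project role but cannot delete it permanently, while carol's global DeleteModel allows permanent deletion yet not the soft delete, because that also needs GenericRead.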

Project Permissions

  • View project: GenericRead for the project. (There are separate permissions for viewing dashboards/models/datatables/scripts in the project.)
  • Create project: global CreateModel, and GenericRead for the parent project (if creating a child project).
  • Change project properties (e.g. name): GenericRead and ManageProject for the project.
  • Move project: global CreateModel, ManageProject for the moved project, GenericRead for the original parent project, and GenericRead for the target parent project (if target is not root level).
  • Delete project (to bin): ManageProject and DeleteModel for the project.
  • Delete project (permanently): global DeleteModel and ManageProject permission for the project.
  • Copy project: Global CreateModel permission, and GenericRead and ManageProject for the copied project.

Note: Project hierarchy doesn't generally affect the permissions, e.g., to see a project, permissions to its parent project are not required.

Datatable Permissions

  • List datatables, view datatable properties and data contents: GenericRead for the project.
  • Create datatable: GenericWrite for the project and global CreateModel.
  • Change datatable properties, import data to datatable, modify/delete datatable rows, add/modify/delete datatable columns: GenericWrite for the project.
  • Move datatable between projects: GenericWrite and DeleteModel to source project, GenericWrite for target project, and global CreateModel.
  • Delete datatable (permanently): GenericWrite and DeleteModel for the project.

Filter Permissions

  • View own private filters, all published filters, and model default filter: GenericRead for the project.
  • View all filters: ManageViews for the project.
  • Create filter: Filtering for the project.
  • Edit own filters: Filtering for the project.
  • Edit all filters: ManageViews for the project.
  • Publish own filters: Filtering for the project.
  • Publish all filters: ManageViews for the project.
  • Delete own filters (permanently): Filtering for the project.
  • Delete any filters (permanently): ManageViews for the project.
  • Set model default filter: ManageViews for the project.

Note: When a filter is published, the filter still has an owner, and that ownership is applied for the permissions.

Script Permissions

  • View, call and run expression script: GenericRead for the project.
  • Create, edit and delete expression script: ManageScripts for the project.
  • View, call and run SQL script: global RunScripts and GenericRead for the project.
  • Create, edit and delete SQL script: global RunScripts and ManageScripts for the project.