Roles and Permissions: Difference between revisions

From QPR ProcessAnalyzer Wiki
Line 184: Line 184:
** User context: Global '''RunScripts''' and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.
** User context: Global '''RunScripts''' and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.
* '''Running scripts''': Global '''RunScripts''' and view permissions.
* '''Running scripts''': Global '''RunScripts''' and view permissions.
== Integration Table Permissions ==
Integration tables are linked to a single project. Permissions for that project are used when determining the permissions for accessing its integration tables. '''ManageIntegrations''' and '''GenericRead''' permission are required in order to be able to see integration tables.
'''ManageIntegrations''' and '''GenericWrite''' permission are required in order to be able to create and modify integration tables.
It is possible to give quotas for users bound to roles for the following attributes related to integration tables:
* Maximum number of created integration tables
* Maximum number of rows in created integration table
* Maximum number of columns in created integration table
== DataTable Permissions ==
=== Creation ===
New data table can be created only by users having global CreateModel permission. When creating a new data table, data table size restrictions (maximum number of rows and columns allowed by user's roles) are copied from current user and stored for the data table. This is done in order to prevent global evaluator user from creating a project administrator user (after creating an user group) and using that to import more data into the data table created by the evaluator user than is allowed by evaluator user's role.
===Importing new data ===
New data can be imported into a data table by any user having global or project specific GenericWrite and ManageIntegrations permissions. CreateModel permission is required if the user is not appending to an existing data table (is overwriting already existing data table). User may never import more data than is allowed by product's activation. Data table specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission (e.g., global evaluators) or users that don't have any global CreateModel permission may only import the amount of data into a data table specified in data table's own restrictions.
=== Viewing ===
In order to view created data tables, the following global or project specific permissions are required: ManageIntegrations, GenericRead.


== See Also ==
== See Also ==
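Review bot: The added Integration Table Permissions section lists role-bound quotas (tables, rows, columns) but, unlike the DataTable Creation paragraph, does not say whether those limits are stored on the table at creation and enforced for every later importer. DataTable Creation names exactly that gap as the way an evaluator could get around a quota through a project administrator account, so state the rule in both sections or merge them. The two sections also require the same ManageIntegrations and GenericRead permissions for viewing, so say whether an integration table and a data table are the same object. In Importing new data, the parenthetical "(is overwriting already existing data table)" would read better as a plain statement that overwriting requires CreateModel.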

Revision as of 15:40, 7 February 2018

QPR ProcessAnalyzer uses a role-based access control mechanism, so operations require permissions in order to be executable. Permissions are given to users and user groups by assigning them to roles, where a role is a collection of permissions. Roles can be bound either to a project or be global, which means that the role (and its permissions) is applicable to all the contents in the database. Users belonging to a user group automatically have all the roles assigned to that user group.

Global Roles

Global roles are roles that are assigned when <All> is selected from the project list in the Manage Users dialog.

Roles (columns): (Global) Administrator, Model Creator, Evaluator, Run Script

  • GenericRead: ✓ (1 role)
  • GenericWrite: ✓ (1 role)
  • DeleteModel: ✓ (1 role)
  • CreateModel: ✓ (3 roles)
  • ResetDatabase: ✓ (1 role)
  • Filtering: ✓ (1 role)
  • ManageUsers: ✓ (1 role)
  • ManageOperations: ✓ (1 role)
  • ManageReports: ✓ (1 role)
  • ManageIdeas: ✓ (1 role)
  • ManageProject: ✓ (1 role)
  • ManageIntegrations: ✓ (1 role)
  • ManageScripts: ✓ (1 role)

Roles (columns): (Global) Administrator, Model Creator, Evaluator, Run Script

  • Create Project: ✓ (3 roles)
  • View Project: ✓ (1 role)
  • Edit Project: ✓ (1 role)
  • Permanently Delete Project: ✓ (1 role)
  • Create Model: Unlimited; Unlimited; Max. 10 models
  • View Model: ✓ (1 role)
  • Import Data into Model: Unlimited; Unlimited; Max. 10 models with max. 1000 events, 300 event attributes and case attributes each
  • Create Filters / Analyze Model: ✓ (1 role)
  • Permanently Delete Model: ✓ (1 role)
  • Create Data Table: Unlimited; Unlimited; Max. 10 data tables
  • View Data Table: ✓ (1 role)
  • Import Data into Data Table: Unlimited; Unlimited; Max. 10 imported data tables with max. 1000 rows and 300 columns each
  • Delete Data Table: ✓ (1 role)
  • Access Operation Log: ✓ (1 role)
  • Run Scripts: ✓ (1 role)

Evaluator has the following additional restrictions:

  • Maximum number of models: 10
  • Maximum number of events in a model: 1000
  • Maximum number of event attributes in a model: 1000
  • Maximum number of case attributes in a model: 1000
  • Maximum number of created integration tables: 10
  • Maximum number of rows in created integration table: 1000
  • Maximum number of columns in created integration table: 1000
  • Evaluator and Model Creator get the Project administrator role for the projects that they create (see User Roles and Rights for Individual Projects below). They can delete models in the created projects only.
  • Models created by an Evaluator inherit the restrictions the current user has. These restrictions are in effect for all the imports targeting that model, no matter who is doing the import.
  • Users with Global Administrator or Model Creator role can always import new data into any model without restrictions. Note, however, that a user cannot import more data than what is allowed by the product's activation limits.

Project Roles

Roles (columns): (Project) Administrator, Analyzer, Designer, Viewer

  • GenericRead: ✓ (4 roles)
  • GenericWrite: ✓ (2 roles)
  • DeleteModel: ✓ (1 role)
  • CreateModel: ✓ (2 roles)
  • ResetDatabase: ✓ (1 role)
  • Filtering: ✓ (3 roles)
  • ManageUsers: ✓ (1 role)
  • ManageOperations: ✓ (1 role)
  • ManageReports: ✓ (1 role)
  • ManageIdeas: ✓ (1 role)
  • ManageProject: ✓ (1 role)
  • ManageIntegrations: ✓ (1 role)
  • ManageScripts: ✓ (1 role)

Roles (columns): (Project) Administrator, Analyzer, Designer, Viewer

  • View Project: ✓ (4 roles)
  • Edit Project: ✓ (2 roles)
  • Delete Project: ✓ (2 roles)
  • View Model: ✓ (4 roles)
  • Edit Model: ✓ (2 roles)
  • Create Filters / Analyze Model: ✓ (3 roles)
  • Import Data into Existing Model: ✓ (2 roles)
  • Delete Model: ✓ (2 roles)
  • View Data Table: ✓ (1 role)
  • Import Data into Existing Data Table: ✓ (1 role)
  • Delete Data Table: ✓ (1 role)

Group Roles

Roles (columns): Administrator, (Group) Member, Hidden Member

  • Add/Remove Group Members: ✓ (3 roles)
  • Create Users to Group: ✓ (1 role)
  • Add/Remove Project Access Rights of a User: ✓ (2 roles)
  • Open Model Accessible to Group Members: ✓ (3 roles)
  • See Unhidden Group Members: ✓ (2 roles)
  • See Hidden Group Members: ✓ (1 role)

  • If a group member is a Project Administrator, he/she can add and remove project specific access rights for the group or for any individual member of the project.

Filtering Permissions

A user can query the details of a filter via the Web Service API for any filter created for a model on which the user has at least GenericRead permission.

A filter is visible if the user has permissions for the model the filter belongs to and any of the following conditions is true:

  • User has ManageReports or ManageViews permission for the project the model belongs to (e.g. has Administrator role for project or global)
  • User is the creator of the bookmark.
  • The publish mode of the bookmark is public.

A filter is visible in Web Client UI if the user has permissions for the model the filter belongs to and the publish mode of the filter is public.

Scripting Permissions

Permissions required for all ETL script related tasks:

  • Viewing scripts: Global RunScripts
    • All scripts linked to the current context are available to be viewed provided that the current user has permission to see the scripts in the context. The required permissions by context are:
      • System context: No additional requirements.
      • Project context: GenericRead permission for the project.
      • Model context: GenericRead permission for the project of the model.
      • User context: If the script is linked to current user, then no additional requirements. If the script is linked to a group the current user belongs to, no additional requirements. If the script is linked to other users or user groups, global ManageScripts permission is required.
      • If a special HideScriptDetailsFromNonScriptManagers flag is set for a script, then only users with modify permissions for the script can see the ScriptText and Script log.
  • Script creation, modification, deletion and export:
    • System context: Global ManageScripts, Global RunScripts
    • Project context: ManageScripts for project, Global RunScripts
    • Model context: ManageScripts for project of the model, Global RunScripts
    • User context: Global RunScripts and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.
  • Running scripts: Global RunScripts and view permissions.

Integration Table Permissions

Integration tables are linked to a single project. Permissions for that project are used when determining the permissions for accessing its integration tables. The ManageIntegrations and GenericRead permissions are required in order to be able to see integration tables.

The ManageIntegrations and GenericWrite permissions are required in order to be able to create and modify integration tables.

It is possible to give quotas for users bound to roles for the following attributes related to integration tables:

  • Maximum number of created integration tables
  • Maximum number of rows in created integration table
  • Maximum number of columns in created integration table

DataTable Permissions

Creation

A new data table can be created only by users having the global CreateModel permission. When a new data table is created, the data table size restrictions (maximum number of rows and columns allowed by the user's roles) are copied from the current user and stored for the data table. This is done in order to prevent a global evaluator user from creating a project administrator user (after creating a user group) and using that user to import more data into the data table created by the evaluator user than is allowed by the evaluator user's role.

Importing new data

New data can be imported into a data table by any user having global or project specific GenericWrite and ManageIntegrations permissions. The CreateModel permission is required if the user is not appending to an existing data table (that is, is overwriting an already existing data table). A user may never import more data than is allowed by the product's activation. Data table specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission (e.g., global evaluators) or users that don't have any global CreateModel permission may only import the amount of data into a data table specified in the data table's own restrictions.
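
The creation and import rules above can be modelled as follows. This is an added Python example, not QPR ProcessAnalyzer code. The class and function names, the `(max_rows, max_cols)` quota tuple, the `ACTIVATION_MAX_ROWS` value and the sample users are assumptions made for illustration, as is accepting a project-scoped CreateModel for an overwrite.

```python
from dataclasses import dataclass, field

ACTIVATION_MAX_ROWS = 1_000_000  # constructed stand-in for the product activation limit

@dataclass
class User:
    global_perms: set
    project_perms: dict = field(default_factory=dict)  # project -> set of permissions
    quota: tuple = None  # (max_rows, max_cols) of a restricted CreateModel; None = unrestricted

    def has(self, perm, project):
        return perm in self.global_perms or perm in self.project_perms.get(project, set())

@dataclass
class DataTable:
    project: str
    quota: tuple  # copied from the creator, so it binds every later importer
    rows: int = 0
    cols: int = 0

def create_data_table(user, project):
    if "CreateModel" not in user.global_perms:
        raise PermissionError("global CreateModel required")
    return DataTable(project, user.quota)

def import_data(user, table, rows, cols, append=True):
    for perm in ("GenericWrite", "ManageIntegrations"):
        if not user.has(perm, table.project):
            return f"missing {perm}"
    if not append and not user.has("CreateModel", table.project):
        return "missing CreateModel"  # assumption: project-scoped CreateModel suffices
    total = table.rows + rows if append else rows
    width = max(table.cols, cols) if append else cols
    if total > ACTIVATION_MAX_ROWS:
        return "activation limit"  # applies to every user
    exempt = "CreateModel" in user.global_perms and user.quota is None
    if table.quota and not exempt:  # the table's own restrictions apply
        max_rows, max_cols = table.quota
        if total > max_rows or width > max_cols:
            return "data table quota"
    table.rows, table.cols = total, width
    return "ok"

if __name__ == "__main__":
    role = {"GenericRead", "GenericWrite", "CreateModel", "ManageIntegrations"}
    evaluator = User({"CreateModel"}, {"P": role}, quota=(1000, 300))  # constructed sample
    table = create_data_table(evaluator, "P")
    helper = User(set(), {"P": role})  # project administrator created by the evaluator
    print(import_data(helper, table, 5000, 10))  # data table quota
```

Because the quota is stored on the table rather than looked up from the importing user, the helper account is refused even though its own roles carry no quota.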

Viewing

In order to view created data tables, the following global or project specific permissions are required: ManageIntegrations, GenericRead.

See Also