Case Level Permissions: Difference between revisions
No edit summary |
|||
Line 24: | Line 24: | ||
||EventLogKey | ||EventLogKey | ||
||[[QPR_ProcessAnalyzer_Expressions|Expression language]] expression used to uniquely identify all the unique event logs created by case permission filters. If a cached EventLog with the same key is already in the system, that EventLog is used instead of creating a new. The new EventLog is created by applying the Case expression to filter the Cases users have rights to. | ||[[QPR_ProcessAnalyzer_Expressions|Expression language]] expression used to uniquely identify all the unique event logs created by case permission filters. If a cached EventLog with the same key is already in the system, that EventLog is used instead of creating a new. The new EventLog is created by applying the Case expression to filter the Cases users have rights to. | ||
|} | |||
|- | |||
|DataSource | |||
| | |||
{| class="wikitable" | |||
!'''Property''' | |||
! '''Description''' | |||
|- | |||
|Cases | |||
| | |||
{| class="wikitable" | |||
!'''Property''' | |||
! '''Description''' | |||
|- | |||
||DataSourceType | |||
||Data source type. Currently only supported value is '''odbc'''. | |||
|- | |||
||OdbcConnectionString | |||
||ODBC connection string. Connection strings can be found in https://www.connectionstrings.com. | |||
|- | |||
||OdbcQuery | |||
||ODBC query that is made to the ODBC data source. | |||
|- | |||
||Columns | |||
||Column name mappings for QPR ProcessAnalyzer data model. Only supported mapping for Cases is '''CaseId'''. Example: | |||
<pre> | |||
{ | |||
"CaseId": "Name" | |||
} | |||
</pre> | |||
All unmapped columns are imported as case attributes. | |||
|} | |||
|- | |||
||Events | |||
|| | |||
{| class="wikitable" | |||
!'''Property''' | |||
! '''Description''' | |||
|- | |||
||DataSourceType | |||
||Same as in the Cases secsion above. | |||
|- | |||
||OdbcConnectionString | |||
||Same as in the Cases secsion above. | |||
|- | |||
||OdbcQuery | |||
||Same as in the Cases secsion above. | |||
|- | |||
||Columns | |||
|| | |||
Column name mappings for QPR ProcessAnalyzer data model, i.e. which columns in the fetched data are for. Supported mappings for Events are '''CaseId''', '''EventType''' and '''Timestamp'''. Example: | |||
<pre> | |||
{ | |||
"CaseId": "Case", | |||
"EventType": "Event Type", | |||
"Timestamp": "Start Time" | |||
} | |||
All unmapped columns are imported as event attributes. | |||
</pre> | |||
|} | |||
|} | |} | ||
|} | |} |
Revision as of 14:30, 24 May 2018
Each QPR ProcessAnalyzer model has model JSON settings. These JSON settings contain configurations and settings related to the model. The model needs to be reloaded into memory for the changed settings to take effect. See how to change model JSON settings.
The below defined settings are available.
Case Permissions
Section | Description | ||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Permissions | This section specifies data security restrictions for objects within the QPR ProcessAnalyzer model (i.e. limit visibility). If the Permissions section hasn't been defined, all the model data is visible to all users having GenericRead permission for the project in which the model resides (more information about roles and permissions). Permissions defined in this section, are only available when using the In-Memory core.
| ||||||||||||||||||||||||||
DataSource |
|
Example usecase for case permissions
There are groups G1, G2 and G3. Case permissions have been set as follows:
- group G1 can only see cases where (case attribute) Region is Dallas
- group G2 can only see cases where Region is Austin
- group G3 can only see cases where Region is either Austin or New York
QPR ProcessAnalyzer model contains the following cases:
Case name | Region (case attribute) | Groups can see |
---|---|---|
A | Dallas | G1 |
B | Dallas | G1 |
C | Austin | G2, G3 |
D | New York | G3 |
E | New York | G3 |
F | New York | G3 |
Thus, when viewing analyses, a user see that the model contains the following cases:
- If the user belongs to group G1 only, the user can see cases A and B (2 cases)
- If the user belongs to group G2 only, the user can see case C (1 case)
- If the user belongs to group G3 only, the user can see cases C, D, E and F (4 cases)
- If the user belongs to groups G1 and G2 only, the user can see cases A, B and C (3 cases)
There is no way for a user to be aware of the existence of cases that the user doesn't have rights to.
Configuration examples for case permissions
In this example, visibility of cases is limited in a way that only those users can see the cases belonging to a user group which name is same as the Region (case attribute).
{ "Permissions": { "Initialization": "Let(\"groupNames\", OrderByValue(CurrentUser.GroupNames))", "Case": "Region.In(groupNames)", "EventLogKey": "StringJoin(\"_\", groupNames)" } }
In this example, cases are only visible for users whose user name is same as the Account Manager (case attribute).
{ "Permissions": { "Initialization": "Let(\"userName\", CurrentUser.Name)", "Case": "(Attribute(\"Account Manager\") == userName)", "EventLogKey": "CurrentUser.Id" } }
In this example, cases having "Region" case attribute of "Dallas" will only be visible for users belonging to user group "GroupA" (and "New York" for group "GroupB").
{ "Permissions": { "Initialization": "Let(\"groupNames\", CurrentUser.GroupNames)", "Case": "(Region == \"Dallas\" && \"GroupA\".In(groupNames)) || (Region == \"New York\" && \"GroupB\".In(groupNames))", "EventLogKey": "If(\"GroupA\".In(groupNames), \"_A\", \"_\") + If(\"GroupB\".In(groupNames), \"_B\", \"_\")" } }
Load QPR ProcessAnalyzer models from ODBC datasources
The following component needs to be installed in the same host than the QPR ProcessAnalyzer service: "Microsoft Access Database Engine 2016 Redistributable".
- Go to https://www.microsoft.com/en-us/download/details.aspx?id=54920
- Select and download: AccessDatabaseEngine_X64.exe
- Double-click the program file on your hard disk to start the setup program.
- Follow the instructions on the screen to complete the installation.
Error codes for troubleshooting are accessible from ODBC Error Codes.
In this example, data is loaded from a CSV files that is accessible from though the file system (in this examples cases are store to path C:\. Example of path to csv file would be C:\\TestData\\.
{ "DataSource": { "Cases": { "DataSourceType": "odbc", "OdbcConnectionString": "Driver={Microsoft Access Text Driver (*.txt, *.csv)};DefaultDir=<path to csv file location>;Extensions=asc,csv,tab,txt", "OdbcQuery": "SELECT * FROM [ModelCaseAttributes.csv]", "Columns": { "CaseId": "Name" } }, "Events": { "DataSourceType": "odbc", "OdbcConnectionString": "Driver={Microsoft Access Text Driver (*.txt, *.csv)};DefaultDir=<path to csv file location>;Extensions=asc,csv,tab,txt", "OdbcQuery": "SELECT * FROM [ModelEventData.csv]", "Columns": { "CaseId": "Case", "EventType": "Event Type", "Timestamp": "Start Time" } } } }
In this example, data is loaded from an SQL Server table.
{ "DataSource": { "Cases": { "DataSourceType": "odbc", "OdbcConnectionString": "Driver={SQL Server};Server=<hostname>;DataBase=<database name>;Trusted_Connection=True;", "OdbcQuery": "SELECT MOD_CREATED_BY FROM PA_MODEL", "Columns": { "CaseId": "MOD_CREATED_BY" } }, "Events": { "DataSourceType": "odbc", "OdbcConnectionString": "Driver={SQL Server};Server=<hostname>;DataBase=<database name>;Trusted_Connection=True;", "OdbcQuery": "SELECT MOD_NAME, MOD_CREATED_DATE, MOD_CREATED_BY FROM PA_MODEL", "Columns": { "CaseId": "MOD_CREATED_BY", "Timestamp": "MOD_CREATED_DATE", "EventType": "MOD_NAME" } } } }