Roles and Permissions: Difference between revisions
Line 15: | Line 15: | ||
!Permission||Allowed operations||Administrator||ModelCreator||RunScripts||Administrator||Designer||Analyzer||Viewer | !Permission||Allowed operations||Administrator||ModelCreator||RunScripts||Administrator||Designer||Analyzer||Viewer | ||
|- | |- | ||
||GenericRead|| | ||View dashboards (GenericRead)|| | ||
* View project's and model's information (name, description, configuration etc.) | * View project's and model's information (name, description, configuration etc.) | ||
* List datatables and view their contents | * List datatables and view their contents | ||
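Review bot: the new label "View dashboards (GenericRead)" on this row understates what the permission grants. The unchanged bullets beneath it also cover viewing project and model information and listing datatables and viewing their contents, so an administrator assigning roles by label alone would not expect data read access. Suggest a label that names the read scope, or keeping the identifier first so the label is not read as the full definition.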
Line 23: | Line 23: | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]] | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]] | ||
|- | |- | ||
||Filtering|| | ||Save filters (Filtering)|| | ||
* Create, modify and delete own filters (private and public, but not model default) | * Create, modify and delete own filters (private and public, but not model default) | ||
* Publish own private filters for other users (but not set the model default filter). Published filters are still user's own, so other users cannot modify them. | * Publish own private filters for other users (but not set the model default filter). Published filters are still user's own, so other users cannot modify them. | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| | ||
|- | |- | ||
||EditDashboards|| | ||Design dashboards (EditDashboards)|| | ||
* Create, modify and delete dashboards (as a project role, dashboards in the assigned project; as a global role, all dashboards). | * Create, modify and delete dashboards (as a project role, dashboards in the assigned project; as a global role, all dashboards). | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|| | ||
|- | |- | ||
||GenericWrite|| | ||Import data (GenericWrite)|| | ||
* Edit model settings (but not possible to create or delete models) | * Edit model settings (but not possible to create or delete models) | ||
* Import data to datatables (either directly or import to a model which uses datatables) | * Import data to datatables (either directly or import to a model which uses datatables) | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|||| | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|||| | ||
|- | |- | ||
||ManageViews|| | ||Delete filters (ManageViews)|| | ||
* View, create, modify and delete all filters in the model (also other users' private filters). | * View, create, modify and delete all filters in the model (also other users' private filters). | ||
* Set the model default filter. | * Set the model default filter. | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || || | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || || | ||
|- | |- | ||
||ManageProject|| | ||Manage project (ManageProject)|| | ||
* Modify project information (name and description) (also ''GenericRead'' permission is needed) | * Modify project information (name and description) (also ''GenericRead'' permission is needed) | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || || | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || || | ||
|- | |- | ||
||DeleteModel|| | ||Delete models (DeleteModel)|| | ||
As a project specific permission: | As a project specific permission: | ||
* Moving model to recycle bin (soft deleting) (also project specific ManageProject permission is needed) | * Moving model to recycle bin (soft deleting) (also project specific ManageProject permission is needed) | ||
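Review bot: on the ManageViews row, the label "Delete filters" hides the broader scope stated in the bullets under it: viewing, creating and modifying all filters in the model, including other users' private filters, and setting the model default filter. The same applies to "Import data (GenericWrite)", whose bullets also allow editing model settings. Since these labels are what a person granting access will read, they should reflect the widest operation the permission allows.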
Line 54: | Line 54: | ||
||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || || | ||[[File:Tick.gif|center]]|| || ||[[File:Tick.gif|center]]|| || || | ||
|- | |- | ||
||ManageScripts|| | ||Manage scrips (ManageScripts)|| | ||
* As a project role, create, modify and delete scripts in ''project'' and ''model'' context. | * As a project role, create, modify and delete scripts in ''project'' and ''model'' context. | ||
* As a global role, create, modify and delete all scripts. | * As a global role, create, modify and delete all scripts. | ||
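Review bot: typo in the new ManageScripts label, "Manage scrips (ManageScripts)"; it should read "Manage scripts (ManageScripts)".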
Line 67: | Line 67: | ||
||[[File:Tick.gif|center]]|| || || || || || | ||[[File:Tick.gif|center]]|| || || || || || | ||
|- | |- | ||
||ManageUsers | ||ManageUsers|| | ||
* Administrate users and groups, e.g. create new users and groups, and add users to groups. | * Administrate users and groups, e.g. create new users and groups, and add users to groups. | ||
||[[File:Tick.gif|center]]|| || || || || || | ||[[File:Tick.gif|center]]|| || || || || || | ||
|- | |- | ||
||CreateModel | ||CreateModel|| | ||
* Create projects, models and data tables. When a project is created, the creator gets project Administrator role for the project (giving full permissions to the project). | * Create projects, models and data tables. When a project is created, the creator gets project Administrator role for the project (giving full permissions to the project). | ||
||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|||||||||| | ||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]|||||||||| | ||
|- | |- | ||
||RunScripts | ||RunScripts|| | ||
* View [[Data_Extraction,_Transformation,_and_Loading|scripts]] code and other script properties (with additional restrictions listed below) | * View [[Data_Extraction,_Transformation,_and_Loading|scripts]] code and other script properties (with additional restrictions listed below) | ||
* Run scripts (with additional restrictions listed below) | * Run scripts (with additional restrictions listed below) |
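Review bot: the ManageUsers, CreateModel and RunScripts rows only gain the closing `||` and keep the bare identifier, while the rows changed earlier in this revision move to the "Label (Identifier)" form. Either give these rows a label as well or note why the administrative permissions are left as identifiers, so the table reads consistently.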
Revision as of 12:59, 3 November 2020
QPR ProcessAnalyzer uses role-based access control, where every operation requires appropriate rights in order to be executed. Rights are given to users and user groups by assigning them to roles, where a role is a collection of permissions. Permissions are fixed in QPR ProcessAnalyzer, and each permission has a fixed list of operations that it allows the user to perform. Roles can be either bound to projects or global; a global role (and its permissions) applies to all the contents in the system. Users belonging to a user group always have all the roles assigned to that user group.
Global and Project Roles
There are two types of roles in QPR ProcessAnalyzer:
- Global roles are used to give rights in the entire QPR ProcessAnalyzer environment.
- Project roles are used to give rights in a certain project. When assigning project roles, the project needs to be defined.
When using the Manage Users dialog, global roles are assigned when <All> is selected from the project list. Project roles are assigned when a project is selected in the list.
By default, the QPR ProcessAnalyzer environment contains the global and project roles shown in the following table (roles as columns). The roles have been mapped to certain permissions that are also shown in the table (permissions as rows). It's possible to create new roles in QPR ProcessAnalyzer.
Permission | Allowed operations | Administrator (global role) | ModelCreator (global role) | RunScripts (global role) | Administrator (project role) | Designer (project role) | Analyzer (project role) | Viewer (project role) |
---|---|---|---|---|---|---|---|---|
View dashboards (GenericRead) | | | | | | | | |
Save filters (Filtering) | | | | | | | | |
Design dashboards (EditDashboards) | | | | | | | | |
Import data (GenericWrite) | | | | | | | | |
Delete filters (ManageViews) | | | | | | | | |
Manage project (ManageProject) | | | | | | | | |
Delete models (DeleteModel) | As a project specific permission: As a global permission: | | | | | | | |
Manage scripts (ManageScripts) | To be effective, this permission also requires the RunScripts permission. | | | | | | | |
ManageOperations | | | | | | | | |
ManageUsers | | | | | | | | |
CreateModel | | | | | | | | |
RunScripts | The rights also depend on which of the following contexts the script is located in: | | | | | | | |
Group Roles
Operation | Group administrator | Normal member | Hidden Member |
---|---|---|---|
Add and remove group members | | | |
Create users to group | | | |
Add and remove project access rights of a user | | | |
Open model accessible to group members | | | |
See unhidden group members | | | |
See hidden group members | | | |
If a group member is a project Administrator, the user can add and remove project specific access rights for the group or for any individual member of the project.
Datatable Permission
Permissions required for datatables:
- List datatables, view datatable properties and data contents: GenericRead for the project.
- Create datatables: GenericWrite for the project.
- Change datatable properties and import data to datatable: GenericWrite for the project.
- Move datatables between projects: GenericWrite and DeleteModel for the source project and GenericWrite for the target project.
- Delete datatable: DeleteModel for the project.
Scripting Permissions
For viewing script definitions and running scripts, global RunScripts permission is needed. All scripts linked to the current context are available provided that the current user has permission to see the scripts in the context. The required permissions by context are:
- System context: No additional requirements.
- Project context: GenericRead permission for the project.
- Model context: GenericRead permission for the project of the model.
- User context: If the script is linked to current user, then no additional requirements. If the script is linked to a group the current user belongs to, no additional requirements. If the script is linked to other users or user groups, global ManageScripts permission is required.
For script creation, modification, deletion and export, the following permissions are needed depending on the script context:
- System context: Global ManageScripts and RunScripts
- Project context: project ManageScripts and global RunScripts
- Model context: project ManageScripts and global RunScripts
- User context: Global RunScripts and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.
If Hide Script Details is set for the script, only users with modify permissions for the script can see the script code and log.
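The scripting rules above written as a deny-by-default check, as an added example that is not part of the original documentation or of QPR ProcessAnalyzer itself. The class and function names are hypothetical, and modifying a user-context script linked to another user is denied as an assumption, since the page states no rule for that case.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    global_perms: set = field(default_factory=set)
    project_perms: dict = field(default_factory=dict)  # project -> set of permissions
    group_roles: dict = field(default_factory=dict)    # group -> role in that group

@dataclass
class Script:
    context: str                        # "system", "project", "model" or "user"
    project: Optional[str] = None       # project, or project of the model
    linked_user: Optional[str] = None   # user context only
    linked_group: Optional[str] = None  # user context only
    hide_details: bool = False          # the "Hide Script Details" setting

def has(user, perm, project=None):
    # A globally assigned permission applies to all contents in the system.
    return perm in user.global_perms or perm in user.project_perms.get(project, set())

def can_view_and_run(user, s):
    if "RunScripts" not in user.global_perms:   # always required, always global
        return False
    if s.context == "system":
        return True
    if s.context in ("project", "model"):
        return has(user, "GenericRead", s.project)
    if s.context == "user":
        own = s.linked_user == user.name or s.linked_group in user.group_roles
        return own or "ManageScripts" in user.global_perms
    return False                                # unknown context: deny

def can_modify(user, s):   # create, modify, delete, export
    if "RunScripts" not in user.global_perms:
        return False
    if s.context in ("system", "project", "model"):
        return has(user, "ManageScripts", None if s.context == "system" else s.project)
    if s.context == "user":
        if s.linked_group is not None:
            return user.group_roles.get(s.linked_group) == "GroupAdministrator"
        # Assumption: the page names no rule for another user's script; deny.
        return s.linked_user == user.name
    return False

def can_see_code(user, s):
    # With Hide Script Details set, only users who may modify see code and log.
    return can_modify(user, s) if s.hide_details else can_view_and_run(user, s)
```

A project-level ManageScripts grant without global RunScripts yields no script access at all, which is the combination most easily missed when reviewing role assignments.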
Permissions for Other Operations
- Move a model from a project to another: GenericWrite and DeleteModel permissions for the source project and CreateModel permission for the target project
- Creating a copy of a project: Global CreateModel permission and GenericRead and ManageProject permissions for the project
- Restoring a project from recycle bin: Global GenericRead, CreateModel and ManageProject permissions
- Deleting a project from the database: Global DeleteModel permission and ManageProject permission for the project
- It's not possible to create a project without global CreateModel permission
- It's not possible to delete a project without DeleteModel and ManageProject permission for the project
- It's not possible to rename a project without ManageProject permission
- It's not possible to move a project to another without ManageProject permission for moving project and GenericRead for source project and GenericRead + CreateModel for target project.
- It's not possible to move a dashboard to another project without EditDashboards permission for both the source and target project.