Case Level Permissions

Each QPR ProcessAnalyzer model has model JSON settings. These JSON settings contain configurations and settings related to the model. The model needs to be reloaded into memory for the changed settings to take effect. See how to change model JSON settings.

The below defined settings are available.

Case Permissions

Section

Description

Permissions

This section specifies data security restrictions for objects within the QPR ProcessAnalyzer model (i.e. limit visibility). If the Permissions section hasn't been defined, all the model data is visible to all users having GenericRead permission for the project in which the model resides (more information about roles and permissions). Permissions defined in this section, are only available when using the In-Memory core.

Property	Description
Initialization	Expression language expression used to make an initial calculation for all the other expressions within this same permissions context. This expression can be used to improve performance when part of the Case or EventLogKey expressions are common and thus they don't need to be calculated again for every Case separately. See the examples below of using the Initialization expression.
Case	Expression language expression determining which users can see each Cases. The expression is evaluated within the context of each Case. If the evaluation results true, the Case is visible for the user. Otherwise the Case, its Events and case and event attributes are not visible. This setting implements case level security restrictions.
EventLogKey	Expression language expression used to uniquely identify all the unique event logs created by case permission filters.

Example usage for case permissions

There are groups G1, G2 and G3. Case permissions have been set as follows:

group G1 can only see cases where (case attribute) Region is Dallas
group G2 can only see cases where Region is Austin
group G3 can only see cases where Region is either Austin or New York

QPR ProcessAnalyzer model contains the following cases:

Case name	Region (case attribute)	Groups can see
A	Dallas	G1
B	Dallas	G1
C	Austin	G2, G3
D	New York	G3
E	New York	G3
F	New York	G3

Thus, when viewing analyses, a user see that the model contains the following cases:

If the user belongs to group G1 only, the user can see cases A and B (2 cases)
If the user belongs to group G2 only, the user can see case C (1 case)
If the user belongs to group G3 only, the user can see cases C, D, E and F (4 cases)
If the user belongs to groups G1 and G2 only, the user can see cases A, B and C (3 cases)

There is no way for a user to be aware of the existence of cases that the user doesn't have rights to.

Examples for defining case permissions

In this example, visibility of cases is limited in a way that only those users can see the cases belonging to a user group which name is same as the Region (case attribute).

{
  "Permissions": {
    "Initialization": "Let(\"groupNames\", OrderByValue(CurrentUser.GroupNames))", 
    "Case": "Region.In(groupNames)",
    "EventLogKey": "StringJoin(\"_\", groupNames)"
  }
}

In this example, cases are only visible for users whose user name is same as the Account Manager (case attribute).

{
  "Permissions": {
    "Initialization": "Let(\"userName\", CurrentUser.Name)", 
    "Case": "(Attribute(\"Account Manager\") == userName)",
    "EventLogKey": "CurrentUser.Id"
  }
}

In this example, cases having "Region" case attribute of "Dallas" will only be visible for users belonging to user group "GroupA" (and "New York" for group "GroupB").

{
  "Permissions": {
    "Initialization": "Let(\"groupNames\", CurrentUser.GroupNames)", 
    "Case": "(Region == \"Dallas\" && \"GroupA\".In(groupNames)) || (Region == \"New York\" && \"GroupB\".In(groupNames))",
    "EventLogKey": "If(\"GroupA\".In(groupNames), \"_A\", \"_\") + If(\"GroupB\".In(groupNames), \"_B\", \"_\")"
  }
}

Case Level Permissions

Case Permissions

Example usage for case permissions

Examples for defining case permissions

Navigation menu

Search