Case Level Permissions: Difference between revisions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 2: Line 2:
* [[Calculated Attributes in QPR ProcessAnalyzer|Calculated attributes]]
* [[Calculated Attributes in QPR ProcessAnalyzer|Calculated attributes]]
* [[#Automatic Loading on Server Startup|Automatic loading on server startup]]
* [[#Automatic Loading on Server Startup|Automatic loading on server startup]]
* [[QPR ProcessAnalyzer Model Datasources|QPR ProcessAnalyzer model datasources]]
* [[QPR ProcessAnalyzer Model Datasources|Model datasources]]
* [[#Memory Usage Settings|Memory usage settings]]
* [[#Memory Usage Settings|Memory usage settings]]
* [[#Case Permissions|Case Permissions]]
* [[#Case Permissions|Case Permissions]]

Revision as of 11:34, 9 October 2019

Each QPR ProcessAnalyzer model has a Configuration field containing model related settings in a JSON format. When the model JSON configuration is changed, the model is dropped from the memory. The following settings are stored to the model JSON settings:


Memory Usage Settings

The memory usage settings are used to manage, how long objects are kept in the memory, which affect both the memory usage and performance. The longer the object storing durations, the more memory is consumed, but on the other hand users perceive better performance as analyses are more likely to be found in the memory already calculated. Memory usage settings can be defined in the web.config file and for each model separately in the model settings.

Property Description

CacheUsage/ DropUnusedModelsAfter

Duration after which the unused model, is dropped from the memory. Defined in format HH:mm:ss or d.HH:mm:ss, for example 01:00:00 (one hour), 00:30:00 (30 minutes) or 1.00:00:00 (24 hours). When an analysis is requested for a model, the model's last used time is updated (also filter's last used time is updated).

If this setting is not defined, the server level default setting is used.

CacheUsage/ DropUnusedFiltersAfter

Duration after which the model's unused filters, are dropped from the memory. Defined in format HH:mm:ss or d.HH:mm:ss, for example 01:00:00 (one hour), 00:30:00 (30 minutes) or 1.00:00:00 (24 hours). When an analysis is requested for a filter , the filter's last used time is updated (also model's last used time is updated).

If this setting is not defined, the server level default setting is used.

Configuration Examples

The following configuration keeps the model in memory for 1 hour and filters for 30 minutes.

{
  "CacheUsage": {
    "DropUnusedModelsAfter": "1:00:00",
    "DropUnusedFiltersAfter": "00:30:00"
  }
}

The following configuration keeps the model in memory for 15 minutes and filters for 5 minutes.

{
  "CacheUsage": {
    "DropUnusedModelsAfter": "0:15:00",
    "DropUnusedFiltersAfter": "00:05:00"
  }
}

The following configuration keeps the model in memory for 100 days (practically it's never dropped) and filters for 2 hours.

{
  "CacheUsage": {
    "DropUnusedModelsAfter": "100.00:00:00",
    "DropUnusedFiltersAfter": "02:00:00"
  }
}

Memory Objects Summary

Data handled by QPR ProcessAnalyzer memory is stored in following types of objects:

Stored Objects Contents Unused objects dropped after Time to reload/calculate Memory consumption
Models Models objects contain all data in a QPR ProcessAnalyzer model, such as
  • cases
  • events
  • variations
  • event types
  • flows
  • flow occurrences
Primarily defined by a model setting CacheUsage/DropUnusedModelsAfter. If the model setting is not defined, the server level setting in the web.config file is used. If the server setting is not defined either, a default value of 10 hours is used. When the is a memory shortage in the server, models are not dropped from the memory. Slow

Models are loaded from the database requiring to transfer considerable amount of data, which takes much more time than e.g. calculating filters and analyses.

High
Filters Filters contain all filtered data in QPR ProcessAnalyzer model, which includes similar data and structures as the models. Primarily defined by a model setting. If the model setting is not defined, the server setting is used. If the server setting is not defined, a default value of 1 hour is used. When the is a memory shortage in the server, filters may be dropped from the memory to free memory. Fast

Filters are calculated from the model data that already exists in the memory. Practically, filters are subsets of models.

Medium
Analysis results Results of the analysis (in tabular form). Unused analysis results are kept maximum of 30 minutes in the memory if they are not used. When the is a memory shortage in the server, analysis results may be dropped from the memory to free memory. Fast

Analysis results are calculated from filters, which already exist in memory.

Low

If the QPR ProcessAnalyzer server doesn't have enough memory to store more objects, already stored objects are dropped from the memory starting from the one having the longest time from the last usage. Thus, when there is a short of memory, objects may be dropped earlier than their settings define. Only filters and analysis results are dropped during the memory shortage, i.e. model objects are not dropped prematurely. This is because recalculating filters and analysis results is usually faster than loading models from the database. That's why, when trying to load more models than there is available memory in the server, an out of memory error situation may occur.

Automatic Loading on Server Startup

QPR ProcessAnalyzer models can be loaded automatically into the server memory, when QPR ProcessAnalyzer Server starts. Especially when models are large and loading takes a long time, it's beneficial to load the models beforehand. In the model JSON settings, when the LoadOnStartup property is set to true, the model is loaded automatically during QPR ProcessAnalyzer Server startup. The JSON configuration is as follows:

{
  "LoadOnStartup": true,
  "CacheUsage": {
    "DropUnusedModelsAfter": "100.00:00:00",
    "DropUnusedFiltersAfter": "00:30:00"
  }
}

Notes:

  • For models that are set to load automatically on server startup, you also need to set the CacheUsage/DropUnusedModelsAfter setting to a large value (as shown by the previous example), to make sure that it remains in the memory even if it's not used.
  • It's possible to control how many models are loaded simultaneously at maximum, to limit how much server capacity the model loading can use. The default value is two models at the same time. To change this setting, see the PA_Configuration table. Models are loaded in the order based on their id's (starting from the smallest). This setting only affects the model loading on startup (not model loading initiated by users). If loading of a model fails, the loading just continues to the next model.
  • For the LoadOnStartup setting to work, IIS configuration for the QPR ProcessAnalyzer Server need to be in place.

Case Permissions

The Permissions section specifies data security restrictions for objects within the QPR ProcessAnalyzer model (i.e. limit visibility). If the Permissions section hasn't been defined, all the model data is visible to all users having GenericRead permission for the project in which the model resides (more information about roles and permissions). Permissions defined in this section, are only available when using the In-Memory core.

Property Description
Permissions/Initialization Expression language expression used to make an initial calculation for all the other expressions within this same permissions context. This expression can be used to improve performance when part of the Case or EventLogKey expressions are common and thus they don't need to be calculated again for every Case separately. See the examples below of using the Initialization expression.
Permissions/Case Expression language expression determining which users can see each Cases. The expression is evaluated within the context of each Case. If the evaluation results true, the Case is visible for the user. Otherwise the Case, its Events and case and event attributes are not visible. This setting implements case level security restrictions.
Permissions/EventLogKey Expression language expression used to uniquely identify all the unique event logs created by case permission filters. If a cached EventLog with the same key is already in the system, that EventLog is used instead of creating a new. The new EventLog is created by applying the Case expression to filter the Cases users have rights to.

Example usecase for case permissions

Case level permissions (security control) can be implemented with the principle illustrated in the image below. Users already belong to certain groups in the user management, and cases have certain case attribute values which is part of the loaded process mining data. Additionally, the linkage between case attribute values (of a certain case attribute) and groups needs to be defined when this security feature is configured. The image below illustrates the chain between users and cases, how certain users are able to see certain cases when viewing analyses from a QPR ProcessAnalyzer model.

CasePermissions.png

Example: There are groups G1, G2 and G3. Case permissions have been set as follows:

  • group G1 can only see cases where (case attribute) Region is Dallas
  • group G2 can only see cases where Region is Austin
  • group G3 can only see cases where Region is either Austin or New York

QPR ProcessAnalyzer model contains the following cases:

Case name Region (case attribute) Groups can see
A Dallas G1
B Dallas G1
C Austin G2, G3
D New York G3
E New York G3
F New York G3

Thus, when viewing analyses, a user see that the model contains the following cases:

  • If the user belongs to group G1 only, the user can see cases A and B (2 cases)
  • If the user belongs to group G2 only, the user can see case C (1 case)
  • If the user belongs to group G3 only, the user can see cases C, D, E and F (4 cases)
  • If the user belongs to groups G1 and G2 only, the user can see cases A, B and C (3 cases)

There is no way for a user to be aware of the existence of cases that the user doesn't have rights to.

Configuration examples for case permissions

In this example, visibility of cases is limited in a way that only those users can see the cases belonging to a user group which name is same as the Region (case attribute).

{
  "Permissions": {
    "Initialization": "Let(\"groupNames\", OrderByValue(CurrentUser.GroupNames))", 
    "Case": "Region.In(groupNames)",
    "EventLogKey": "StringJoin(\"_\", groupNames)"
  }
}

In this example, cases are only visible for users whose user name is same as the Account Manager (case attribute).

{
  "Permissions": {
    "Initialization": "Let(\"userName\", CurrentUser.Name)", 
    "Case": "(Attribute(\"Account Manager\") == userName)",
    "EventLogKey": "CurrentUser.Id"
  }
}

In this example, cases having "Region" case attribute of "Dallas" will only be visible for users belonging to user group "GroupA" (and "New York" for group "GroupB").

{
  "Permissions": {
    "Initialization": "Let(\"groupNames\", CurrentUser.GroupNames)", 
    "Case": "(Region == \"Dallas\" && \"GroupA\".In(groupNames)) || (Region == \"New York\" && \"GroupB\".In(groupNames))",
    "EventLogKey": "If(\"GroupA\".In(groupNames), \"_A\", \"_\") + If(\"GroupB\".In(groupNames), \"_B\", \"_\")"
  }
}