Case Level Permissions: Difference between revisions
Jump to navigation
Jump to search
(Created page with "There is model JSON settings for each QPR ProcessAnalyzer model. The JSON settings contain configurations and settings related to the model. The model needs to be reloaded for...") |
No edit summary |
||
| Line 2: | Line 2: | ||
Following settings are supported: | Following settings are supported: | ||
{| class="wikitable" | |||
! Property name | |||
! Description | |||
|- | |||
|Permissions | |||
|Permissions configuration specifies additional permissions and visibilities of objects within the model. The security feature is available in [[Installing QPR ProcessAnalyzer Server#Configure_Web_Service_to_use_In-Memory_or_In-Database_processing|In-Memory core]]. By default, all the model data within model's EventLog is visible to all the users having '''GenericRead''' permission for the project in which the model resides. It is possible to configure additional case -level permissions by using permission model configuration. | |||
Consists of a JSON object having the following supported properties: | |||
|- | |||
|Initialization | |||
|An expression language expression used to initialize calculation environment for all the other expressions within this same permissions context. Evaluated within a generic context. | |||
|- | |||
||Case | |||
||An expression language expression evaluated within the context of every case one-by-one. If the evaluation results true, then the case is visible for the current request. Otherwise the case and its events are not visible. The evaluation is performed whenever a client requests for any analysis or model information requiring the loading of the event log having event log key specified in 2.3 into the memory and the event log has not yet been loaded, or has already been dropped out of the memory. | |||
|- | |||
||EventLogKey | |||
||An expression language expression used to uniquely identify all the unique event logs created by case permission filters. Evaluated within a generic context. If any permissions have been defined for a model, trying to generate a eventlog (#30979#) dependent analysis (= analyses not listed in #11084#) will throw an exception. | |||
3.2. Any model bound analysis performed using SqlCore on a model that has any defined permissions will result into an exception. | |||
|} | |||
== Examples == | |||
Create a permission filter so that visibility of cases is limited in a way hat only users belonging to a user group whose name equals to Region case attribute value. | |||
<pre> | |||
{ | |||
"Permissions": { | |||
"Initialization": "Let(\"groupNames\", OrderByValue(CurrentUser.GroupNames))", | |||
"Case": "Region.In(groupNames)", | |||
"EventLogKey": "StringJoin(\"_\", groupNames)" | |||
} | |||
} | |||
</pre> | |||
Create a permission filter so that every case is only visible for users whose user name equals to Account Manager case attribute value. | |||
<pre> | |||
{ | |||
"Permissions": { | |||
"Initialization": "Let(\"userName\", CurrentUser.Name)", | |||
"Case": "(Attribute(\"Account Manager\") == userName)", | |||
"EventLogKey": "CurrentUser.Id" | |||
} | |||
} | |||
</pre> | |||
Revision as of 16:02, 6 February 2018
There is model JSON settings for each QPR ProcessAnalyzer model. The JSON settings contain configurations and settings related to the model. The model needs to be reloaded for the changed settings to take effect.
Following settings are supported:
| Property name | Description |
|---|---|
| Permissions | Permissions configuration specifies additional permissions and visibilities of objects within the model. The security feature is available in In-Memory core. By default, all the model data within model's EventLog is visible to all the users having GenericRead permission for the project in which the model resides. It is possible to configure additional case -level permissions by using permission model configuration.
Consists of a JSON object having the following supported properties: |
| Initialization | An expression language expression used to initialize calculation environment for all the other expressions within this same permissions context. Evaluated within a generic context. |
| Case | An expression language expression evaluated within the context of every case one-by-one. If the evaluation results true, then the case is visible for the current request. Otherwise the case and its events are not visible. The evaluation is performed whenever a client requests for any analysis or model information requiring the loading of the event log having event log key specified in 2.3 into the memory and the event log has not yet been loaded, or has already been dropped out of the memory. |
| EventLogKey | An expression language expression used to uniquely identify all the unique event logs created by case permission filters. Evaluated within a generic context. If any permissions have been defined for a model, trying to generate a eventlog (#30979#) dependent analysis (= analyses not listed in #11084#) will throw an exception.
3.2. Any model bound analysis performed using SqlCore on a model that has any defined permissions will result into an exception. |
Examples
Create a permission filter so that visibility of cases is limited in a way hat only users belonging to a user group whose name equals to Region case attribute value.
{
"Permissions": {
"Initialization": "Let(\"groupNames\", OrderByValue(CurrentUser.GroupNames))",
"Case": "Region.In(groupNames)",
"EventLogKey": "StringJoin(\"_\", groupNames)"
}
}
Create a permission filter so that every case is only visible for users whose user name equals to Account Manager case attribute value.
{
"Permissions": {
"Initialization": "Let(\"userName\", CurrentUser.Name)",
"Case": "(Attribute(\"Account Manager\") == userName)",
"EventLogKey": "CurrentUser.Id"
}
}