Case Level Permissions

From QPR ProcessAnalyzer Wiki
Jump to navigation Jump to search

Each QPR ProcessAnalyzer model has a Configuration field containing model related settings in a JSON format. Those settings are documented in this page. When the model JSON configuration is changed, the model is dropped from the memory.

Model Datasources

The DataSource section is used to define where the QPR ProcessAnalyzer model data is loaded. See below examples, how to construct the full JSON.

Property Description
Cases
Property Description
DataSourceType Data source type to use, when fetching the Cases data. Currently the only supported value is odbc.
OdbcConnectionString ODBC connection string to use to fetch the Cases data. Connection strings can be found in https://www.connectionstrings.com.
OdbcQuery ODBC query to use to fetch the Cases data.
Columns Column name mappings for QPR ProcessAnalyzer data model. Only supported mapping is CaseId defining the case id (case name). Example:
{ 
  "CaseId": "SalesOrderHeaderId"
}

All unmapped columns are imported as case attributes. If the fetched data doesn't contain a mapped column, the model loading fails and an error message is given.

Events
Property Description
DataSourceType Data source type to use, when fetching the Events data. Currently the only supported value is odbc.
OdbcConnectionString ODBC connection string to use to fetch the Events data. Connection strings can be found in https://www.connectionstrings.com.
OdbcQuery ODBC query to use to fetch the Events data.
Columns

Column name mappings for QPR ProcessAnalyzer data model. Supported mappings for Events are CaseId, EventType and Timestamp. Example:

{ 
  "CaseId": "SalesOrderHeaderId",
  "EventType": "EventType",
  "Timestamp": "CreatedDate"
}

All unmapped columns are imported as event attributes. If the fetched data doesn't contain a mapped column, the model loading fails and an error message is given.

Example: Loading QPR ProcessAnalyzer models from ODBC datasources

Microsoft Access Database Engine 2016 Redistributable is software package that contains ODBC drivers for

  • Microsoft SQL Server
  • Microsoft Access (*.mdb and *.accdb) files
  • Microsoft Excel (*.xls, *.xlsx, and *.xlsb) files
  • CSV text files

The package needs to be installed in the same computer where the QPR ProcessAnalyzer Server is running. Installation instructions:

  1. Go to https://www.microsoft.com/en-us/download/details.aspx?id=54920 and click Download.
  2. Select whether to use the 32bit or 64bit (x64) version (usually it's the 64bit version).
  3. Double-click the executable file on your hard disk to start the setup program.
  4. Follow the instructions on the screen to complete the installation.

Read data from CSV file

In this example, data is loaded from CSV files located in the file system using Microsoft Access Text Driver (*.txt, *.csv) driver. Loaded files are C:\\ProcessMiningData\\ModelCaseAttributes.csv and C:\\ProcessMiningData\\ModelEventData.csv.

{
  "DataSource": {
    "Cases": {    
      "DataSourceType": "odbc",
      "OdbcConnectionString": "Driver={Microsoft Access Text Driver (*.txt, *.csv)};DefaultDir=C:\\ProcessMiningData\\;Extensions=asc,csv,tab,txt",
      "OdbcQuery": "SELECT * FROM [ModelCaseAttributes.csv]",
      "Columns": { 
        "CaseId": "Name"
      }
    },
    "Events": {
      "DataSourceType": "odbc",
      "OdbcConnectionString": "Driver={Microsoft Access Text Driver (*.txt, *.csv)};DefaultDir=C:\\ProcessMiningData\\;Extensions=asc,csv,tab,txt",
      "OdbcQuery": "SELECT * FROM [ModelEventData.csv]",
      "Columns": { 
        "CaseId": "Case",
        "EventType": "Event Type",
        "Timestamp": "Start Time"
      }
    }
  }
}

Read data from SQL Server table

In this example, data is loaded from an SQL Server table.

{
  "DataSource": {
    "Cases": {
    "DataSourceType": "odbc",
    "OdbcConnectionString": "Driver={SQL Server};Server=<hostname>;DataBase=<database name>;Trusted_Connection=True;",
    "OdbcQuery": "SELECT MOD_CREATED_BY FROM PA_MODEL",
    "Columns": { 
      "CaseId": "MOD_CREATED_BY"
    }
    },
    "Events": {
      "DataSourceType": "odbc",
      "OdbcConnectionString": "Driver={SQL Server};Server=<hostname>;DataBase=<database name>;Trusted_Connection=True;",
      "OdbcQuery": "SELECT MOD_NAME, MOD_CREATED_DATE, MOD_CREATED_BY FROM PA_MODEL",
      "Columns": { 
        "CaseId": "MOD_CREATED_BY",
        "Timestamp": "MOD_CREATED_DATE",
        "EventType": "MOD_NAME"
      }
    }
  }
}

Read data from Excel file

In this example, data is loaded from a Excel file that is accessible from though the file system (in this examples cases are store to path C:\). Example of filename would be C:\\TestData\\SAP_PurchaseToPay.xlsx. Event data and case attribute data is stored in different Excel sheet but in the same file.

{
  "DataSource": {
    "Cases": {
      "DataSourceType": "odbc",
      "OdbcConnectionString": "Driver={Microsoft Excel Driver (*.xls, *.xlsx, *.xlsm, *.xlsb)};DBQ=<path to excel filename>",
      "OdbcQuery": "SELECT * FROM [<sheet name>$]",
      "Columns": {
        "CaseId": "Case ID"
      }
    },
    "Events": {
      "DataSourceType": "odbc",
      "OdbcConnectionString": "Driver={Microsoft Excel Driver (*.xls, *.xlsx, *.xlsm, *.xlsb)};DBQ=<path to excel filename>",
      "OdbcQuery": "SELECT * FROM [<sheet name>$]",
      "Columns": {
        "CaseId": "Case ID",
        "EventType": "Activity",
        "Timestamp": "Start Time"
      }
    }
  }
}

Troubleshooting

Error codes for troubleshooting are accessible from ODBC Error Codes.

Case attributes or event attributes named as F<column number> e.g. F10 comes from the data loaded to the model. This occurs when the column is undefined, for example if the CSV file contains extra delimiter.

Case Permissions

The Permissions section specifies data security restrictions for objects within the QPR ProcessAnalyzer model (i.e. limit visibility). If the Permissions section hasn't been defined, all the model data is visible to all users having GenericRead permission for the project in which the model resides (more information about roles and permissions). Permissions defined in this section, are only available when using the In-Memory core.

Property Description
Initialization Expression language expression used to make an initial calculation for all the other expressions within this same permissions context. This expression can be used to improve performance when part of the Case or EventLogKey expressions are common and thus they don't need to be calculated again for every Case separately. See the examples below of using the Initialization expression.
Case Expression language expression determining which users can see each Cases. The expression is evaluated within the context of each Case. If the evaluation results true, the Case is visible for the user. Otherwise the Case, its Events and case and event attributes are not visible. This setting implements case level security restrictions.
EventLogKey Expression language expression used to uniquely identify all the unique event logs created by case permission filters. If a cached EventLog with the same key is already in the system, that EventLog is used instead of creating a new. The new EventLog is created by applying the Case expression to filter the Cases users have rights to.

Example usecase for case permissions

There are groups G1, G2 and G3. Case permissions have been set as follows:

  • group G1 can only see cases where (case attribute) Region is Dallas
  • group G2 can only see cases where Region is Austin
  • group G3 can only see cases where Region is either Austin or New York

QPR ProcessAnalyzer model contains the following cases:

Case name Region (case attribute) Groups can see
A Dallas G1
B Dallas G1
C Austin G2, G3
D New York G3
E New York G3
F New York G3

Thus, when viewing analyses, a user see that the model contains the following cases:

  • If the user belongs to group G1 only, the user can see cases A and B (2 cases)
  • If the user belongs to group G2 only, the user can see case C (1 case)
  • If the user belongs to group G3 only, the user can see cases C, D, E and F (4 cases)
  • If the user belongs to groups G1 and G2 only, the user can see cases A, B and C (3 cases)

There is no way for a user to be aware of the existence of cases that the user doesn't have rights to.

Configuration examples for case permissions

In this example, visibility of cases is limited in a way that only those users can see the cases belonging to a user group which name is same as the Region (case attribute).

{
  "Permissions": {
    "Initialization": "Let(\"groupNames\", OrderByValue(CurrentUser.GroupNames))", 
    "Case": "Region.In(groupNames)",
    "EventLogKey": "StringJoin(\"_\", groupNames)"
  }
}

In this example, cases are only visible for users whose user name is same as the Account Manager (case attribute).

{
  "Permissions": {
    "Initialization": "Let(\"userName\", CurrentUser.Name)", 
    "Case": "(Attribute(\"Account Manager\") == userName)",
    "EventLogKey": "CurrentUser.Id"
  }
}

In this example, cases having "Region" case attribute of "Dallas" will only be visible for users belonging to user group "GroupA" (and "New York" for group "GroupB").

{
  "Permissions": {
    "Initialization": "Let(\"groupNames\", CurrentUser.GroupNames)", 
    "Case": "(Region == \"Dallas\" && \"GroupA\".In(groupNames)) || (Region == \"New York\" && \"GroupB\".In(groupNames))",
    "EventLogKey": "If(\"GroupA\".In(groupNames), \"_A\", \"_\") + If(\"GroupB\".In(groupNames), \"_B\", \"_\")"
  }
}