Case Level Permissions

From QPR ProcessAnalyzer Wiki
Revision as of 16:51, 1 October 2020 by Ollvihe (talk | contribs)
Jump to navigation Jump to search

In addition to the project level permissions, it's possible to configure case level permissions for model, in which visibility can be defined for each case separately based on rules. Case level permissions are effective effective for all users, but users who have the GenericWrite permission, can change the case permissions setting for a model and thus workaround the security settings enforced by case permissions.

Case level permissions are configured in the model properties in the Details tab. The following settings are available:

  • Initialization expression: Expression for initializations for the other expressions within this same permissions context. This expression can be used to improve performance when part of the Case or EventLogKey expressions are common and thus they don't need to be calculated again for every Case separately. See the examples below of using the Initialization expression.
  • Permissions expression: Expression determining which cases a user can see. The expression is evaluated for each case. The evaluation is done when a new eventlog is generated. If the evaluation results true for a case, the case is visible for the user; otherwise not. This expression is mandatory for the case level permissions to work
  • Eventlog key: Expression used to uniquely identify the eventlogs created by case permission filters. If a cached eventLog with the same key already exists in the system, that eventlog is used instead of creating a new.

Configuration examples

In this example, visibility of cases is limited in a way that only those users can see the cases belonging to a user group which name is same as the Region (case attribute).

  • Initialization expression: Let("groupNames", OrderByValue(CurrentUser.GroupNames))
  • Permissions expression: Region.In(groupNames)
  • Eventlog key: StringJoin("_", groupNames)


In this example, cases are only visible for users whose user name is same as the Account Manager (case attribute):

  • Initialization expression: let userName = CurrentUser.Name
  • Permissions expression: Attribute("Account Manager") == userName
  • Eventlog key: CurrentUser.Id

In this example, cases having "Region" case attribute of "Dallas" will only be visible for users belonging to user group "GroupA" (and "New York" for group "GroupB"):

  • Initialization expression: let groupNames = CurrentUser.GroupNames;
  • Permissions expression: (Region == "Dallas" && "GroupA".In(groupNames)) || (Region == "New York" && "GroupB".In(groupNames))
  • Eventlog key: If("GroupA".In(groupNames), "_A", "_") + If("GroupB".In(groupNames), "_B", "_")

Usecase

Case level permissions can be implemented with the principle illustrated in the image below. Users already belong to certain groups in the user management, and cases have certain case attribute values which is part of the loaded process mining data. Additionally, the linkage between case attribute values (of a certain case attribute) and groups needs to be defined when this security feature is configured. The image below illustrates the chain between users and cases, how certain users are able to see certain cases when viewing analyses from a QPR ProcessAnalyzer model.

CasePermissions.png

Example: There are groups G1, G2 and G3. Case permissions have been set as follows:

  • group G1 can only see cases where (case attribute) Region is Dallas
  • group G2 can only see cases where Region is Austin
  • group G3 can only see cases where Region is either Austin or New York

QPR ProcessAnalyzer model contains the following cases:

Case name Region (case attribute) Groups can see
A Dallas G1
B Dallas G1
C Austin G2, G3
D New York G3
E New York G3
F New York G3

Thus, when viewing analyses, a user see that the model contains the following cases:

  • If the user belongs to group G1 only, the user can see cases A and B (2 cases)
  • If the user belongs to group G2 only, the user can see case C (1 case)
  • If the user belongs to group G3 only, the user can see cases C, D, E and F (4 cases)
  • If the user belongs to groups G1 and G2 only, the user can see cases A, B and C (3 cases)

There is no way for a user to be aware of the existence of cases that the user doesn't have rights to.