Roles and Permissions: Difference between revisions

QPR ProcessAnalyzer has a role-based access control, where all operations require appropriate rights in order to be executable. rights are given to users and user groups by assigning users or groups to roles, where roles are a collection of permissions. Permissions are fixed in QPR ProcessAnalyzer and there is a fixed list of operations behind a permission what user can do. Roles can be bound either to projects or be global, which means that that role (and its permissions) is applicable for all the contents in the system. Users belonging to a user group, have always all the roles assigned to that user group.

Global Roles

Global roles concern the whole QPR ProcessAnalyzer system and they are not bound to any specific projects or models. When using the Manage Users dialog, global roles can be assigned when <All> is selected from the project list.

By default, QPR ProcessAnalyzer database contains the global roles that are shown as columns in the following tables. The roles have been mapped to certain permissions that are describled in the following table.

Permission	Examples of operations	(Global) Administrator	ModelCreator	Evaluator (*)	RunScripts
GenericRead	View model contents, i.e. open models. Open analyses for models. See own private and published filters.
GenericWrite	Edit models, e.g. create filters. Import new data to models
DeleteModel	Delete models and datatables
CreateModel	Create models and datatables
ResetDatabase
Filtering	create new filters
ManageUsers	administrate users, e.g. create new users.
ManageOperations	access to the Operation Log and terminate in progress operations
ManageViews	administrate Views. View Filters in a model.
ManageReports	administrate Bookmarks. View Filters in a model.
ManageProject	administrate projects
ManageIntegrations	make use of integration operations, such as manage Datatables
RunScripts	Run scripts
ManageScripts

Examples of operations, that different roles can perform.

	(Global) Administrator	Model Creator	Evaluator	Run Script
Create Project
View Project
Edit Project
Permanently Delete Project
Create Model	Unlimited	Unlimited	Max. 10 models
View Model
Import Data into Model	Unlimited	Unlimited	Max. 10 models with max. 1000 events, 300 event attributes and case attributes each
Create Filters / Analyze Model
Permanently Delete Model
Create Data Table	Unlimited	Unlimited	Max. 10 data tables
View Data Table
Import Data into Data Table	Unlimited	Unlimited	Max. 10 imported data tables with max. 1000 rows and 300 columns each
Delete Data Table

• Evaluator and ModelCreator get the project level Administrator role for the projects that they create. They can delete models in the projects where they are administrators.
• Models created by an Evaluator inherit the restrictions the current user has. These restrictions are in effect for all the imports targeting that model, no matter who is doing the import.
• Users with global level Administrator or ModelCreator role can always import new data into any model without restrictions. Note, however, that a user cannot import more data than what is allowed by the product activation limits.

Project Roles

By default, QPR ProcessAnalyzer database contains the roles that are shown as columns in the following tables. The roles have been mapped to certain permissions that are describled in the following table.

	(Project) Administrator	Analyzer	Designer	Viewer
CreateModel
DeleteModel
Filtering
GenericRead
GenericWrite
ManageIdeas
ManageIntegrations
ManageOperations
ManageProject
ManageReports
ManageScripts
ManageUsers
ManageViews
RunScripts

	(Project) Administrator	Analyzer	Designer	Viewer
View Project
Edit Project
Delete Project
View Model
Edit Model
Create Filters / Analyze Model
Import Data into Existing Model
Delete Model
View Data Table
Import Data into Existing Data Table
Delete Data Table

Group Roles

	Administrator (Group)	Member	Hidden Member
Add/Remove Group Members
Create Users to Group
Add/Remove Project Access Rights of a User
Open Model Accessible to Group Members
See Unhidden Group Members
See Hidden Group Members

If a group member is a project level Administrator, the user can add and remove project specific access rights for the group or for any individual member of the project.

Additional Restrictions for Evaluator Role

Evaluator has the following additional restrictions:

• Maximum number of models: 10
• Maximum number of event in a model: 1000
• Maximum number of event attributes in a model: 1000
• Maximum number of case attributes in a model: 1000
• Maximum number of integration tables: 10
• Maximun number of rows in an integration table: 1000
• Maximun number of columns in an integration table: 1000

Filter Permissions

Filters can see his/her own private and published filters in a model, if the user has GenericRead permissions for the model the filter belongs to. In addition, user can see filters, if he/she has ManageReports or ManageViews permission for the project the model belongs to.

Model Permissions

Creation

New model can be created only by users having global CreateModel access right. When creating a new model, model size restrictions (maximum number of events, case attributes and event attributes allowed by user's roles) are copied from current user and stored for the Model. This is done in order to prevent global evaluator user from creating a project administrator user (after creating an user group) and using that to import more data into the model created by the evaluator user than is allowed by evaluator user's role.

Importing new data

New data can be imported into a model by any user having global or project specific GenericWrite permission. User may never import more data than is allowed by product's activation. Model specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission (e.g., global evaluators) or users that don't have any global CreateModel permission may only import the amount of data into a model specified in model's own restrictions.

ETL Scripting Permissions

For viewing scripts, the Global RunScripts is needed. All scripts linked to the current context are available to be viewed provided that the current user has permission to see the scripts in the context. The required permissions by context are:

• System context: No additional requirements.
• Project context: GenericRead permission for the project.
• Model context: GenericRead permission for the project of the model.
• User context: If the script is linked to current user, then no additional requirements. If the script is linked to a group the current user belongs to, no additional requirements. If the script is linked to other users or user groups, global ManageScripts permission is required.

If Hide Script Details is set for the script, only users with modify permissions for the script can see the script code and log.

For script creation, modification, deletion and export, the following permissions are needed depending on the script context:

• System context: Global ManageScripts, Global RunScripts
• Project context: ManageScripts for project, Global RunScripts
• Model context: ManageScripts for project of the model, Global RunScripts
• User context: Global RunScripts and if the script is linked to a user group the user belongs to, GroupAdministrator user group role is required.

For running script the the Global RunScripts and view permissions are needed

Integration Table Permissions

Integration tables are linked to a single project. Permissions for that project are used when determining the permissions for accessing its integration tables. ManageIntegrations and GenericRead permission are required in order to be able to see integration tables.

ManageIntegrations and GenericWrite permission are required in order to be able to create and modify integration tables.

It is possible to give quotas for users bound to roles for the following attributes related to integration tables:

• Maximum number of created integration tables
• Maximum number of rows in created integration table
• Maximum number of columns in created integration table

DataTable Permissions

Creation

New data table can be created only by users having global CreateModel permission. When creating a new data table, data table size restrictions (maximum number of rows and columns allowed by user's roles) are copied from current user and stored for the data table. This is done in order to prevent global evaluator user from creating a project administrator user (after creating an user group) and using that to import more data into the data table created by the evaluator user than is allowed by evaluator user's role.

Importing new data

New data can be imported into a data table by any user having global or project specific GenericWrite and ManageIntegrations permissions. CreateModel permission is required if the user is not appending to an existing data table (is overwriting already existing data table). User may never import more data than is allowed by product's activation. Data table specific data quotas are ignored for users that have unrestricted global CreateModel permission. Users that have restricted global CreateModel permission (e.g., global evaluators) or users that don't have any global CreateModel permission may only import the amount of data into a data table specified in data table's own restrictions.

Viewing

In order to view created data tables, the following global or project specific permissions are required: ManageIntegrations, GenericRead.

Miscellaneous Operations Permissions

• Create a new model and project: Global CreateModel permission. Administrator role is given for the user into the created project (and thus also model).
• Add a model into project: CreateModel permission for the target project. Model is moved into target project and all old permissions are replaced by the permissions for the target project.
• Remove a model from a project: DeleteModel permission for the project from which the model is removed.
• Create a new model into existing project: Global CreateModel and CreateModel permission for the target project.
• Move a model from a project to another: GenericWrite and DeleteModel permissions for the source project and CreateModel permission for the target project.
• Making modifications to a project object (renaming, deleting, restoring, changing description): ManageProject and GenericRead permissions for the project.
• Moving a project into recycle bin: DeleteModel and ManageProject permissions for the project.
• Restoring a project from recycle bin: Global GenericRead, CreateModel and ManageProject permissions.
• Deleting a project from the database: Global DeleteModel permission and ManageProject permission for the project.
• Creating a copy of a project: Global CreateModel permission and GenericRead and ManageProject permissions for the project.
• Creating an integration for a project: CreateModel permission for the project.
• Creating an integration job for an integration: GenericWrite permission for the project.
• Importing integration data into an integration job: GenericWrite permission for the project.
• Querying integrations and integration jobs: GenericRead permission for project the integration belongs to.
• Modifying existing integration or integration job objects: User has created the object and has GenericWrite permission for the project or user has ManageIntegrations permission for the project.
• Deleting existing integration objects: User has created the object and has DeleteModel permission for the project or user has ManageIntegrations permission for the project.
• Deleting existing integration job objects: User has created the object and has GenericWrite permission for the project or user has ManageIntegrations permission for the project.

See Also

• Case Level Permissions Control
• Manage Users in QPR ProcessAnalyzer Excel Client
• How to Publish Analysis Results to Others