First steps
This tutorial for mapping a company infrastructure in Lobster Data Platform / Orchestration is based on the example scenario presented on the front page (see Documentation).
Initial login
By default, Lobster Data Platform / Orchestration provides exactly one user (see Users) who is granted full access to all data and functionality by the default role 'Super User' (see Roles). But more about this later.
Enter the Username 'admin' and the predefined Password 'admin123' in the login dialog. By clicking on the Login button, you can then start a session with the user 'admin' to make initial administrative settings.
The user interface of Lobster Data Platform / Orchestration initially shows only the MENU (1) on the left side of the screen, which provides quick access to the various functions of Lobster Data Platform / Orchestration through one of the menu items offered.
The combination of menu items offered in this menu bar may differ from the screenshot. It is generally variable and depends on the following factors, among others:
Permissions for the role used
Availability of optionally licensable modules (e.g. Documents in the screenshot)
Dynamic assignment of specific configurations (Custom overviews, Input forms, Portals, etc).
For the next step and the maintenance of Roles and accounts for Users and Company accounts, only the menu item Administration (2) is of interest.
►NOTE◄ The '>' symbol on the right of a menu item indicates that further menu items are available in a submenu. When the '>' symbol is clicked, the parent menu items are superseded by the items of the submenu. Submenus can be nested in several levels, so that a menu path is created and a specific view is always opened when clicking on it.
Set up roles
In Lobster Data Platform / Orchestration, the permissions available to the user within a 'login', also called a 'session', depend on the 'role' (see Roles) used.
Any number of such Roles can be created in the Lobster Data Platform / Orchestration system. The permissions assigned to each role can be configured in detail.
►NOTE◄ The system does not manage permissions individually for each user, apart from the possibility of creating a 'personal' role for each user, which is assigned exclusively to that user. However, this would only be 'good practice' in exceptional cases.
The Roles already created in the system can be listed as an overview via the menu path Administration/Accounts/Role overview:
►NOTE◄ The '<' symbol in the title of a submenu (here: ADMINISTRATION and ACCOUNTS) can be clicked to switch to the parent menu. The house symbol to the left of it allows you to return directly to the main menu (MENU).
Display role overview
As previously mentioned, the role 'Super User' (1) is already created in the delivery state of Lobster Data Platform / Orchestration. This is also the role assigned to the initially provided user 'admin'. When logging in with the role 'Super User', Users have unlimited rights in the system. They also have full access to all data of all companies without any permissions having to be set up. This 'total access' can technically simplify the setup of a new system. On the other hand, because nothing is delimited, it is easy to lose track of what is visible and accessible to less 'privileged' users (including the operational administrators), whose needs the system should ultimately meet. For this reason, it is recommended to define a separate role for limited administrative purposes before starting the actual configuration of a system. It is then possible to avoid logging in with the user 'admin' and the role 'Super User' completely.
A new role can be created within the role overview by clicking the button New (2) in the menu ribbon, which is also called 'Ribbon' in Lobster Data Platform / Orchestration.
Create 'Administrator' role
In the example scenario, the newly created role is given the Role name 'Administrator'. The Role description can be optionally filled in. The role is already Active by default, so that it can be used in logins.
Each role must refer to exactly one Parent role. When a new role is created, the role of the session is preset if no other role is selected.
►NOTE◄ When changing a role already created by 'Save', a Parent role must always be selected, otherwise saving the changes will be prevented with an error message.
Users of a parent role have access to all of its direct and indirect child roles. However, the definition of the parent role must also grant specific permissions for handling Roles (e.g. 'Edit') in order for this access to be effective.
To restrict the role 'Administrator' in contrast to the role 'Super User', switch from the Role tab to the Permissions tab:
►NOTE◄ The nodes for Document and Incidents appear only if the corresponding modules are licensed and installed.
Here the Mode for managing permissions can be selected:
By default, the 'All' mode is assigned to the 'Super User' who should be granted access to all permissions and data (or entities) in the system.
The 'All but consider owner restrictions' mode also provides qualitative access to all permissions. However, unlike 'All', the exercise of rights in connection with entities is only allowed if the ownership structure is observed. This can result in access restrictions for entities for which the company of the session is not the owner, unless it gains access as a recipient of a company authorization or as a company involved in a business object.
In 'Custom' mode, permissions for a role can be selected or deselected individually or in groups.
For the new role 'Administrator' we could select the mode 'All but consider owner restrictions'.
For demonstration purposes, however, the Mode 'Custom' should be selected and configured to correspond to the Mode 'All but consider owner restrictions'.
If the 'Custom' Mode is selected, the Permissions area below the selection field appears active: The input field with the 'magnifying glass' symbol offers a search function for permissions. Below, the individual authorizations appear grouped hierarchically, in a tree structure. By default, only the elements of the highest hierarchy level appear, which can be expanded by clicking on the [+] symbol. In order for an administrator to be able to use 'all' permissions, all available checkboxes are set here first. This gives access to all permissions in the respective 'branch' of the tree structure, by opening it.
Up to now, the configuration corresponds to the 'All' Mode (for the 'Super User' role), since the blanket granting of permissions at the top level of the hierarchy also grants the Ignore owner restriction permission. This is offered for all entity types in the system for which access requires ownership (or sharing or participation). The image on the left shows the branch for the entity type 'Document' unfolded, which contains the permission Ignore owner restriction. As long as this permission is selected by checkbox, the other permissions selected under 'Document' apply to all documents in the system when the role is used. If the checkmark for Ignore owner restriction is unchecked, the other permissions granted by the role for documents in a specific login context are only valid for documents that the 'logged on' company owns itself or for which the owner has granted the appropriate permission.
Now all permissions of this type should be deselected, so that the 'Custom' Mode corresponds to the Mode 'All but consider owner restrictions'. Multiple permissions of the same type can be reached quite efficiently by first performing a search (1) for a suitable keyword ('ignore') to filter the permission tree as shown in the image on the left. The tree view then only shows the 'branches' with the permission 'Ignore owner restriction'. Remove the check from the search results checkbox (2) so that all permissions of the searched type are unchecked with a single click!
When the search term 'ignore' is removed from the Permissions search function, the tree structure reappears in the overview. The appearance of the checkbox for all nodes except 'Help' now indicates that the respective branch of the hierarchy contains both selected and deselected permissions. In the 'Help' branch, the permission 'Ignore owner restriction' simply does not appear, so that all permissions are still considered granted.
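The effect of the three modes and of the 'Ignore owner restriction' permission can be checked with a small model. This is an added example, not Lobster code: the class and function names, the permission name 'Read' and the sample documents are assumptions, and company authorizations are simplified to a plain list of recipient companies.

```python
from dataclasses import dataclass, field

IGNORE = "Ignore owner restriction"
OWNER_MODE = "All but consider owner restrictions"
# Constructed permission tree: "Read" is a placeholder permission name.
TREE = {"Document": {"Read", "Edit", IGNORE}}

@dataclass(frozen=True)
class Entity:
    entity_type: str
    owner: str
    authorized: frozenset = frozenset()  # recipients of a company authorization
    involved: frozenset = frozenset()    # companies involved in the business object

@dataclass
class Role:
    name: str
    mode: str                                   # "All", OWNER_MODE or "Custom"
    custom: dict = field(default_factory=dict)  # entity type -> checked permissions

    def grants(self, entity_type, permission):
        if self.mode == "All":
            return True
        if self.mode == OWNER_MODE:
            return permission != IGNORE
        return permission in self.custom.get(entity_type, set())

def allowed(role, company, entity, permission):
    """Decision for one login context (role + company of the session)."""
    if not role.grants(entity.entity_type, permission):
        return False
    if role.grants(entity.entity_type, IGNORE):
        return True  # the permission applies to every entity of this type
    return (company == entity.owner or company in entity.authorized
            or company in entity.involved)

def custom_administrator():
    """Check every box, then uncheck 'Ignore owner restriction' everywhere."""
    checked = {t: set(perms) - {IGNORE} for t, perms in TREE.items()}
    return Role("Administrator", "Custom", checked)

def modes_agree(entities, companies):
    """True if the Custom role decides exactly like the built-in owner mode."""
    a, b = custom_administrator(), Role("Reference", OWNER_MODE)
    return all(allowed(a, c, e, p) == allowed(b, c, e, p)
               for e in entities for c in companies
               for p in TREE[e.entity_type] - {IGNORE})

DOCS = [Entity("Document", "Smart Logistics AG"),  # constructed sample documents
        Entity("Document", "Default Company"),
        Entity("Document", "Default Company", frozenset({"Smart Logistics AG"}))]
```

Leaving a single 'Ignore owner restriction' box checked in `custom_administrator()` makes the role behave like 'Super User' for that entity type, which is the case to look for when reviewing a 'Custom' role.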
By clicking on Save in the ribbon, the new role is created:
It will appear immediately as an additional element in the list of the Role Overview:
Set up companies
Next, an account is set up for the company 'Smart Logistics AG', which as the 'operator' of the Lobster Data Platform / Orchestration system should be at the top of the company hierarchy (see Tutorial).
The menu path Administration/Accounts/Company account overview opens an overview of all the Company accounts that have been already created:
Company overview
The Lobster Data Platform / Orchestration system contains exactly one company per installation, for which the Name 1 (1) 'Default Company' is preset.
The reason for this default setting is that every Users account (including the one for the 'admin') must be linked to at least one company. A login to the system is only possible with a complete login context (user, role and company).
The creation of a new company starts again with the New (2) button in the ribbon.
Create company
In the following, the entry form for creating a new company is shown. In the context of this general introduction, the Company tab is in the foreground, which contains structural and representative data for the company.
The structural data includes, for example, multiple selections for Parent companies (here: empty) and Company types. Representative data are details such as company name, account number, postal address, etc.
Since the company 'Smart Logistics AG' from the example scenario has no parent company, the Parent company (1) field remains empty.
The Company types (2) field defines which types of 'participation' in processes covered by Lobster Data Platform / Orchestration are foreseen for a certain company. Each Company type assigned here may serve as a crucial criterion for defining specific applications. For example, there may be selection fields in forms that only appear if the account of the company of the session refers to the Company type 'Freight forwarder' (possibly next to others).
Background on company types
The Company types field here refers to a so-called dynamic enumeration. Dynamic enumerations are part of the 'master data' in Lobster Data Platform / Orchestration. Each dynamic enumeration contains a list of values, which usually define possible values for a certain characteristic of an object. The enumeration for the Company type is a dynamic enumeration predefined by the system, which already contains certain values during installation. The list can be adapted as required and, above all, extended as needed. In doing so, each entry must be identified by a unique internal name. By default, the enumeration Company type uses identifiers consisting of three capital letters for the internal name. Behind the label 'Freight forwarder', for example, is the internal name 'FWD'.
The label visible to users for each Company type is defined via the Localization or Company specific localization. The text defined there for a specific language is also called localization.
The internal Name is relevant for internal processes, e.g. if the Company type is assigned or interpreted via the interface. It defines the 'Company type' independently of the language in the context of an application.
In the company overview, the Multiselect combobox for Companies does not display the internal names by default, as this form is more oriented towards the information needs of end users:
Within configurations (e.g. Company type rule, see below), the label usually appears in conjunction with the internal name when a company type is selected. It will then also be taken into account by the search function, if necessary:
In the example scenario, the following Company types (2) are assigned to 'Smart Logistics AG':
Receiving freight forwarder
Issuer of invoice
Freight forwarder
Shipping freight forwarder
In the other tabs of the form, additional information such as Communication infos (such as telephone numbers or e-mail addresses), Contacts, etc. can be entered (see Address book entries).
After clicking the Save button in the ribbon, the new company 'Smart Logistics AG' is created in the system (see image below):
As already mentioned before, it is not advisable to create the entire company hierarchy in the context of a login with the 'Super User' role.
Since the main company in the example has now been successfully created, a user should now be created for this company, who continues the configuration in the context of this company and with the prepared role 'Administrator'.
Create user
To create the new 'Administrator' user, you must navigate to the 'User Overview', which can be found in the menu path Administration/Accounts/Users:
Show user overview
The 'Users' overview lists all Users that are already created in the system. At the beginning only the predefined user 'admin' with the role 'Super User' (1) appears.
To create a new user as 'Administrator' for the company Smart Logistics AG, click the button New (2).
Create users
In the example, the 'Administrator' of the company 'Smart Logistics AG' is the managing director 'Jonas Abend' with the Username (1) 'jabend' and the Password (1) 'jabend123!'.
In the main category Administration (2) of the ribbon, the company 'Smart Logistics AG' must be selected as the owner of the user account under Change owner.
►NOTE◄ Without this customization, the default entry ('Own company') for the owner when creating the user account would be replaced by the company of the session (here: 'Default Company'). Then the user account for 'Jonas Abend' would not appear in a user overview if the company 'Smart Logistics AG' is the company of the session. Since the user should have access to his own account in his role as administrator without having to log in to the 'Default Company', the obvious choice is to transfer the ownership of this account to 'Smart Logistics AG'. Within the current session (in the context of the 'Default Company'), the user account nevertheless remains visible. However, this is only because the role of the session ('Super User') grants full access without observing 'owner restrictions'.
The selected Language determines the language in which user interface labels appear when the user logs in. Both the language setting and the password can be changed later by the user.
The new user is assigned the newly created role 'Administrator' under Roles (3), which grants unlimited permissions, but, in contrast to the role 'Super User', only applies after the consideration of 'owner restrictions'. Several roles can also be entered here, from which the user must then select a specific one each time they log in.
The field Companies (4) defines the context in which the user is allowed to log on to the system. If several companies are entered here, the user must make a selection for the respective session when logging on to the system.
In addition to the name and address data (5), additional information can be maintained for the user via the other tabs (see Users).
After clicking the Save button in the ribbon's main Common category, the user is created in the system (6) and can log on to the system.
Now a user exists who can use a role with 'owner restrictions' in the context of the company 'Smart Logistics AG'. Therefore, the login as user 'admin' with the role 'Super User' can be terminated as shown below:
►IMPORTANT◄ For further system configurations the newly created user 'jabend' should now be used (if not described otherwise).
► Continue with Creating company structures