Effective authorizations

With the increasing complexity of a company hierarchy, keeping track of Company authorizations becomes a critical challenge. It makes little difference whether the strategy of choice is to configure a small number of authorizations that define relations between many companies by inheritance and hierarchical references, or to set up many individual authorizations with limited range. In both cases, transparency about the set of authorizations effective in a certain context may be difficult to achieve. Of course, the effect of authorizations can always be explored experimentally, e.g. by examining symptoms when trying to access specific objects in different login contexts. However, this method is very time-consuming.

The monitoring tool 'Effective authorizations' should help to clarify questions regarding effective authorizations in the relationship between companies as efficiently as possible.

Each analysis of effective authorization starts by selecting a Company (1) as a point of reference in the company hierarchy. This choice is limited to companies whose company authorizations can be read in the context of the current session. Therefore, the company of the session and companies owned by it are always valid choices, whereas other companies appear only based on Company authorizations granting read permission for company authorizations.

Next, an indication of which category of permissions to Show (2) for the selected company is required.

For the selected company, Show (2) can be used to evaluate either authorizations granted by this company or 'Granted permissions' received by this company.

Evaluation results are presented in a Tree view as well as a Grid view (3), based on the same data.

The Grid view features the columns Authorizing Company (4), Granted Company (5) and Permission (6), and lists only permissions subject to authorization in rows.

►NOTE◄

  • Depending on the selection for Show (2), one of the columns Authorizing Company and Granted Company is always defaulted to the selected Company (1).

  • The standard grid operations, such as sorting, filtering and exporting, are available for data analysis.

►IMPORTANT◄

  • The restrictions on Company (2) selection or the visibility of Company accounts do not constrain the evaluation of effective authorizations. Results always feature all inbound or outbound authorizations for the selected company. The name of the granted or authorizing company appears in these results even if it would not appear in a company account overview within the same session.

[Image: the 'Effective authorizations' tool with the Grid view]

The Tree view presents the same data as the grid, but organized in branches. The following example shows the output for Received grants for a specific Authorizing Company (1).

[Image: Tree view, Received grants example]

By default (see image above) the option Reverse (2) is unchecked. This results in the following sequence of hierarchy levels in tree view:

  • Schema: Relation (Authorizing Company ► Granted Company) ► Permissions (possibly structured in levels)

  • Example: (Vortex Inc. ► Xflow AG) ► (Document ► Read)

With the Reverse (2) option checked, the main segments of the hierarchy, 'Relation' and 'Permissions', which are grouped by brackets, switch positions, whereas the order of elements within each segment does not change.

  • Schema: Permission (possibly structured in levels) ► Relation (Authorizing Company ► Granted Company)

  • Example: (Document ► Read) ► (Vortex Inc. ► Xflow AG)

Together with the sequence of hierarchy levels, the Reverse (2) option also changes the aggregation:

  • In the default hierarchy (the Reverse option unchecked), all effective authorizations regarding the same relation share a branch in the tree.
    As shown in the example above, the authorizations for Documents and Administration are aggregated in the branch of relation (Vortex Inc. ► Xflow AG).

  • In a reversed tree (the Reverse option checked), all authorizations regarding the same permission would be aggregated.

    [Image: reversed Tree view example]

The search function (3) in the tree view can be used to reduce the tree to only those branches that contain a node whose name contains a specified string. In the examples above, the tree was first searched for a company name ('vortex') and in the second example for a permission category ('User'). In the result tree (4), each branch is automatically expanded up to the level of the matching node. In the pictures above these nodes were expanded further to show more details.
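The grouping and search behaviour described above can be reproduced on exported grid rows. The following is an added example, not code from the product: the row layout, the function names and every sample value other than Vortex Inc., Xflow AG, Document, Administration, User and Read are constructed for illustration.

```python
# Constructed sample rows in the Grid view's column order:
# (Authorizing Company, Granted Company, Permission path in levels).
ROWS = [
    ("Vortex Inc.", "Xflow AG", ("Document", "Read")),
    ("Vortex Inc.", "Xflow AG", ("Administration", "User", "Read")),
    ("Vortex Inc.", "Acme GmbH", ("Document", "Read")),
    ("Helix Ltd.", "Xflow AG", ("Administration", "User", "Write")),
]

def build_tree(rows, reverse=False):
    """Nest rows as Relation > Permissions, or Permissions > Relation if reverse."""
    tree = {}
    for authorizing, granted, permission in rows:
        relation = (authorizing, granted)
        # The two bracketed segments swap; order inside each segment is kept.
        path = permission + relation if reverse else relation + permission
        node = tree
        for label in path:
            node = node.setdefault(label, {})
    return tree

def search(tree, text):
    """Keep only branches containing a node whose name contains text.

    Matching is case-insensitive, as in the 'vortex' search above.
    A matching node keeps its whole subtree.
    """
    needle = text.lower()
    kept = {}
    for label, children in tree.items():
        if needle in label.lower():
            kept[label] = children
        else:
            sub = search(children, text)
            if sub:
                kept[label] = sub
    return kept

def render(tree, depth=0):
    """Return the tree as indented text lines, one node per line."""
    lines = []
    for label in sorted(tree):
        lines.append("  " * depth + label)
        lines.extend(render(tree[label], depth + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render(search(build_tree(ROWS), "vortex"))))
    print("\n".join(render(search(build_tree(ROWS, reverse=True), "User"))))
```

In the default tree, everything Vortex Inc. grants to Xflow AG sits under one relation branch; in the reversed tree, every relation holding Document ► Read sits under that permission, which is the view to use when asking who holds a given permission.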

Selecting a node in the tree view (see the bold text Read in the image below) may produce a line of explanation for the selected effective authorization below the tree:

[Image: Tree view with the node Read selected and the explanation line below the tree]

This explanation appears only if the level of the selected node is 'deep enough' into the hierarchy to define a unique reference.

►NOTE◄ The list of 'Effective authorizations' only specifies for which permissions between two companies an authorization is effective. It does not provide information on the reasons for this effect. Company authorizations may achieve identical effects by a wide range of approaches, and due to access restrictions for a given session, an overview of company authorizations may not show all configurations relevant for the 'Effective authorizations' listed. With insufficient access rights and understanding of the configuration options for company authorizations, the value of an analysis of 'Effective authorizations' is limited.