Role

See also: Company value

Value resolver – Abstract

Purpose: Returns the data of a statically selected role.


images/download/attachments/128386859/image2023-2-9_16-15-21-version-1-modificationdate-1675955721208-api-v2.png

The Role resolver retrieves the data of the role specified by static selection for the optional Role parameter (see Roles) from the server.

  • Without any selection for the Role parameter, the return value is 'No value' (null).

  • A new instance of the Role resolver is added without a selection and appears with an 'empty label', as shown above.

  • When an exisiting selection (or the 'empty label') is removed by clicking the 'X' symbol within the label, the combobox appears empty. Saving a configuration with a Role resolver in this state will make the 'empty label' reappear.

IMPORTANT◄ Instead of the Role resolver, an Input object (type safe) resolver for the 'role' type could be used, which is supplied with the ID (id) of a role (e.g. as a static Long value) as input value. Although there are no differences in the runtime behaviour of the two methods, there is an important difference when Lobster Data Platform / Orchestration configurations are exchanged between systems via Meta exchange in the context of implementation. If the Role resolver is used to access a specific role, relevant links between roles (e.g. between test and production systems) are taken into account in the Meta exchange to automatically assign the 'corresponding' role regardless of the ID (id) valid in the respective environment. However, if a role is addressed by a Long value with the Input object (type safe) resolver, then this service does not take effect, which can have a fatal impact on the runtime behaviour of configurations transferred between two systems.

images/s/-95e2zf/9012/8yg2g7/_/images/icons/emoticons/warning.svg CAUTIONimages/s/-95e2zf/9012/8yg2g7/_/images/icons/emoticons/warning.svg The Role resolver is not available in a Client workflow! The reference to a statically determined role can be established in a Client workflow by performing a Search as a substitute. With regard to the Meta exchange, however, it is not guaranteed that the search criteria used will 'find' the corresponding role (according to the Meta exchange links) across systems.

Configuration

In a Combobox element, the optional Role parameter lists all Roles for a static single selection that have read access in the session in which the resolver is configured.

NOTE◄ Neither ownership rights nor Company authorizations are relevant for Roles. Within the scope of the configuration, access is granted to the Role of session and all roles that are directly and indirectly subordinate to it.

At runtime, the resolver returns the data of the role selected in the configuration without considering access restrictions in the applicable login context.

The input value is ignored.

images/download/attachments/128386859/image2022-2-25_8-42-17-version-1-modificationdate-1675955564643-api-v2.png

Examples

Example: Criteria for row formatting in an overview

In an overview for Guest users, all guest user accounts should be given an 'alert status' (color scheme 'white/red') through row formatting (see Row formatting in datagrids) that do not refer to a role explicitly intended for guest users.

In the following example, the two roles XF_GUEST and XF_SPECIAL_GUEST (see screenshot in 'Configuration' section) serve as legitimate roles for Guest users.

Runtime example:

images/download/attachments/128386859/image2022-2-25_8-43-28-version-1-modificationdate-1675955564640-api-v2.png

  • The screenshot shows a data grid in a 'Guest user overview', where the first row displays the 'Alert status' (white/red), because the guest user account in question has been assigned a role that should not actually be used for Guest users.

NOTEGuest users can only be maintained interactively via the default input form, so that specific restrictions for the selection of the role (roleId) cannot be regulated via the Form designer. However, most Guest users are also created automatically (e.g. via Create guest user event action). However, the 'alert status' in the list can also be useful in conjunction with automatic role assignment, e.g. to detect if there are active guest user accounts that deviate from the currently valid positive list for allowed roles.

Configuration:

Within the list settings for the guest user overview, row formatting (see Row formatting in datagrids) is created in the datagrid settings, which defines the 'white/red' color scheme for the 'alert level'.

The 'condition' of the row formatting is formatted as shown on the right:

  • A Field restriction checks whether one of the Roles explicitly intended for guest users is selected in the 'Role' (roleId) field of the guest user account.

  • On the right side of the Field restriction, the positive list of allowed Roles is first created by a Create list resolver. Each entry uses its own instance of the Role resolver, in which an allowed role is selected.

  • A Collect values resolver follows per concatenation, which converts the list of Roles (Rolle[]) into a list of Long values (Long[]) by accessing the 'ID' (id) field of the role via an Object property resolver.

  • Another Field restriction follows within the AND conjunction here, which checks whether the guest user account is 'Active', so that the formatting does not define a 'false alarm' for accounts that are already deactivated.

    NOTE◄ Additional constraints can be added or exceptions can be defined, e.g. to prevent 'expired' Guest users from being alerted.

images/download/attachments/128386859/image2022-2-25_8-46-23-version-1-modificationdate-1675955564636-api-v2.png

Example: Cancellation criteria when saving

In the previous example, the rule violation when selecting a role for a guest user account is handled more strictly in the next expansion stage. This is recognizable by the 'alert status' in the row formatting of the guest user overview:

  • Saving a guest user account with an invalid role (roleId) is effectively prevented by canceling it.

  • An error message informs the user directly on the reason for the cancellation and permitted options for the role selection.

Runtime example:

images/download/attachments/128386859/image2022-2-25_8-50-37-version-1-modificationdate-1675955564624-api-v2.png

Configuration:

An event handler that responds to 'Create' and 'Update' (see Common action event) as Triggering events is configured as shown on the right:

  • The Validating rule first ensures that an entity of the 'Guest user' type is saved.

NOTE◄ Depending on the objective, further criteria could be examined in order to specify the scope of the rule, for example via a Role rule or Company type rule.

  • Within the AND conjunction, an Entity property rule follows below. Its structure basically corresponds to the Field restriction from the previous example:

    • On the left, an Object property resolver accesses the 'Role' (roleId) field of the guest user account stored as the reference object.

    • By combining the In list matcher (below) in conjunction with the negation by the not (Matcher), the Entity property rule is considered to pass if the ID of the role (roleId) is not included in the positive list defined on the right.

    • As in the previous example, the positive list (right) is first constructed starting from a Create list resolver, in which each entry specifies a permissible role via a Role resolver.

    • The Store value as variable resolver following in the concatenation stores the Roles list in variables whiteList, so that the positive list can be reproduced in the error message in case of cancellation.

    • Similarly to the previous example, the Collect values resolver is used below to obtain a list of Long values from the Roles list for matching with the roleId , where the Object property resolver accesses the 'ID' (id) field of the role.

images/download/attachments/128386859/image2022-2-25_8-48-12-version-1-modificationdate-1675955564632-api-v2.png

An Abort is executed as the Action on passed rule, which is configured as follows:

  • The Error type is assigned to 'Notification: Error' so that the message appears at runtime as a 'red flag' in the right margin.

  • In accordance with the randomly chosen Error code SECURITY_GUEST_USER_ROLE_ALERT an entry of the Localization is addressed (see below). The text key used as an Error code is also specified here in the Default error message parameter, which appears in the error message if no localization is found.

  • A parameter is added to the Parameter list that generates a formatted list of role names (roleName) from the contents of the whiteList variable via the Template resolver.

images/download/attachments/128386859/image2022-2-25_9-1-38-version-1-modificationdate-1675955564599-api-v2.png

In Localization, an entry is created in the Resource bundle error for the localization of the error message, whose Resource name corresponds exactly to the Error code (SECURITY_GUEST_USER_ROLE_ALERT).

  • The German field shows the localization for this Locale. To the right is the corresponding definition for the Locale English.

  • In both languages, the reference to the parameter {0}marks the position where the list of allowed Roles from the Parameter defined by the Template in the error message is inserted at runtime.

images/download/attachments/128386859/image2022-2-25_8-52-27-version-1-modificationdate-1675955564615-api-v2.png

images/download/attachments/128386859/image2022-2-25_8-53-4-version-1-modificationdate-1675955564605-api-v2.png