Roles
The Roles menu item can be found in the Main menu via the ‘Administration/Accounts’ menu node, provided there are sufficient permissions.
By default, it opens an overview for the ‘Role’ (Role) entity type, which lists all Roles that the Role of session can access.
View name: de.lobster.scm.base.security.role::Role|listDetailsWindow
Menu node name: admin/accounts/roleOverview
Access to Roles is regulated by the permissions for the ‘Administration/Accounts/Roles’ node ((administration/accounts/role).
The Roles menu item only appears if the permission ‘Show’ (show) is available for Roles.
In contrast to other entities, only their position in the role hierarchy is decisive for accessing Roles.
Although an ‘owner’ (ownerId) is formally identified for each entity of the ‘Role’ type, there are effectively no owner restrictions for this entity type.
If the Role of session takes owner restrictions into account, there is only access to Roles that belong to the hierarchy downwards from this one because they are directly or indirectly subordinate to it.
►IMPORTANT◄ Write access for the Role of session is not permitted if it does not have the 'Ignore owner restrictions' permission for Roles .
Without this permission, the ‘Save’ and ‘Delete’ ribbon buttons appear disabled if the Role of session is selected. On the other hand, ‘Update’ is also prevented in the automation context (e.g. via Save changes later ) if it affects the Role of session .
Even with the 'Ignore owner restrictions' permission for Roles , updates to the Role of session are restricted. Changes to the ‘Parent role’ ( parentRole ) field and to the permissions ( flatPermissions ) are ignored on ‘Update’.
As already described in the Users section, the effective access rights within a session result from the permissions for the Role of session and – if owner restrictions are relevant – the ownership structure and, if applicable, Company authorizations for the Company of session.
The Role of session categorically decides which permissions should always be available and, above all, which are always excluded.
In order for permissions that relate to entities (such as 'Update' for Users) to be used effectively, access by the Company of session to the individual entity must be guaranteed in addition to the basic permission for the Role of session. This is of course only the case for entities for which the Company of session is the ‘owner’. All access to entities owned by other Companies/Clients requires Company authorizations. Special cases are entities to which no owner is assigned and special entity types (certain master data, e.g. also the ‘roles’) for which no ‘owner restrictions’ apply by definition. In both cases, permissions granted by the Role of session can be exercised regardless of the Company of session.
With regard to entity types for which ownership restrictions are fundamentally relevant, the Company of session (via ownership and, if applicable, Company authorizations) determines the scope in which the associated permissions of the Role of session can be exercised.
The permission structures for the definition of Roles and Company authorizations are largely similar, so that the overlaps (see example) can be easily understood and efficiently managed.
However, the role definition also includes purely functional permissions (e.g. access to administrative tools) that are not covered by Company authorizations. Conversely, approvals can occasionally be granted for permissions that are contained in the permission structure of Roles.
Specific example:
A Role of session is used that allows a user to Read and View entities of the ‘Aircraft’ (Custom entity type in namespace custom) type, but not to 'Update', 'Create', 'Delete' (etc.).
The Company of session is authorised by another company to not only Read but also Update the data of ‘Aircraft’ entities in its possession.
In this constellation, the user effectively has the following accesses for ‘Aircraft’ entities in the context of the logged-in session:
The View role permission allows the user to open an overview for the ‘Aircraft’ type.
Due to the Read company authorisation, the overview lists not only custom ‘Aircraft’ entities (owned by the Company of session), but also those owned by the releasing company.
The Update company authorisation is effectively ineffective, as the user is not allowed to update custom ‘Aircraft’ entities without the corresponding role permission.
|
Permissions for Role of session |
|
|
Role of session permissions for ‘Aircraft’ entities :
|
Another company grants the Company of session the following permissions, among others, for the ‘Aircraft’ entities in its possession in the context of a company release:
|
|
Permissions granted by Company authorizations (here: Read, Update) can only extend the scope for permissions granted by the Role of session, which relate to access to entities with owner restrictions, quantitatively (here: Read) but cannot supplement qualitatively ‘missing’ role permissions (here: Update). ►NOTE◄ The permission to View only controls access to menu entries in the Main menu for the 'Aircraft' entity type, so owner restrictions for individual entities do not play a role. Otherwise, this permission would also exist in the tree for company authorisations. |
|
By default, the interactive administration for Roles is based on a combined view (listDetailsWindow), which can be opened via the Roles menu item in the Main menu.
The following screenshot shows the default ribbon (for a role with all relevant permissions), below the default input form with the details of the role selected in the list area (at the bottom).
Contents of the default input form
The data input form provided as default for Roles maps the contents of the data structure for Roles relevant for direct interactive maintenance via Form elements.
|
Field |
Data field path |
Example values |
Contents |
|
Active |
active |
$true (boolean) |
The Active checkbox must be ticked so that a role can be used to log in to a session. |
|
Role name |
roleName |
'Admin (accounts)' |
The Role name must be unique throughout the system. Saving is otherwise rejected with an error message. |
|
Localisations German English French |
Localization or Company specific localization can be used to optionally define localisations for role names that override the Role names in selected contexts (e.g. role selection when logging in for Users). The associated bundle is called role name. The Role name (roleName) is used as a resource. Localisation entries for Roles are not automatically generated. To make it easier to localise Roles, the input form provides a text field for each supported Locale, which can be used to create, update and delete localisations.
►NOTE◄ Company specific localization is not mapped to the text fields in the input form, but may still influence the output in the Translation column in the list area if it affects the Current locale. Maintenance is carried out exclusively via the Company specific localization menu item. |
||
|
Parent role |
parentRole |
'QTIP', 'Hidden role' |
Single selection for the Parent role that localises a role in the role hierarchy. |
|
►NOTE◄ The label ‘Hidden role’ appears in the Combobox element for Roles that are already assigned and can therefore be removed in the context of the current session but cannot be selected again afterwards. If owner restrictions are relevant for the Role of session, only Roles from the role hierarchy downwards from the Role of session are available as Parent roles. ► IMPORTANT ◄ A role with a Parent role indicated as "Hidden role", may be updated but not created. This may be a relevant constraint for copying an existing role. It may be necessary to replace a hidden Parent role by one that can be selected, to enable saving the copied role. ►NOTE◄ The Parent role column in the list area will always feature the Role name, even for roles indicated as 'Hidden role' in the Combobox. This may sound strange, but that's the way it is. After all, the intention of hiding a role is not to conceal the Role name, but to limit eligible options. |
|||
|
Role description |
roleDescription |
"Administration of user accounts" |
A Role description describing the designation of a role in plain text is optional. |
|
Mode |
flatPermissionNames[] |
|
|
|
Permissions |
|
|
|
Details for permission mode 'Custom'
Permissions are granted or denied by checkingor unchecking them in the permission tree. The tree view applies the individual permissions over several levels, which can also be selected or deselected as a whole.
|
|
One of the following three status applies for each group node in the tree:
►IMPORTANT◄ The tree view only contains permissions (and parent group nodes), that are 'granted' to the parent role, according to its current definition. The indication of group node status – as described above – considers only elements of the tree that are present in the current structure. This restriction also applies, when the the tree is filtered by a search as described below. By entering a string into the search field triggers a search for permissions or group nodes with matching labels. The search is started by the 'Enter' key and reduces the tree view to branches containing a match. Permissions or group nodes presented as search results can be checked or unchecked. The full tree view can be restored by clearing the search field and pressing 'Enter' or clicking the 'x' symbol, that replaces the magnifying glass icon left of the search field, when search results are displayed. |
|
►NOTE◄ As show in the screenshot, the string in the search field may contain RegExp control characters ^ (for beginning of text) and $ (for end of text), to control the matching logic of a search: |
|
|
|
Without control characters, elements in the permission tree are considered as matches if their label contains a given search string (here: aircraft) with non-case-sensitive matching. As shown in the screenshot on the left, this produces additional matches, since the tree contains another node with permissions for the Input forms for the 'Aircraft' entity type in the 'Configuration' group. To avoid the unwanted match of 'custom_Aircraft', entering ^air as a search string (→begins with 'air') would have been effective. In contrast, entering craft$ as a search string (→end with 'craft') would have produce the same two matches as shown in the screenshot. ►NOTE◄ Even if the two control characters used in the example might suggest otherwise, more complex RegExp expressions are not processed as search strings. |
CAUTION
If the scope of permissions granted to a role is reduced, respective permissions are also effectively denied for direct and indirect child roles. Consequently, these roles disappear from the tree views for those roles. However, if a child role had been explicitly granted a certain permission before, that definition remains latently assigned, as long as the child role definition is not updated. In this case, reassigning the permission to the parent role or assigning a new parent role with the respective permission granted, will immediately grant any 'latent' permissions to the child role again.