Cloud Software Group, Inc. EBX®

Permission management

Global view

The add-on is configured to manage permissions using one of the following modes:

The mode is configured in each user profile, as illustrated below.

[Figure: permission_management_1.png]

Special notation:

When a user profile is not configured in the Default permission table of the add-on, that user cannot access the add-on's services. It is possible to configure whether execution and query operations are permitted.

When the add-on is configured with only EBX® permissions, a user cannot execute or query the indicators applied to data that is restricted by EBX® (that is, if the user has neither read nor read-write rights). For example, if a user has no rights on an Employee table, that user cannot execute or query any of the indicators on this table. However, in certain cases, by using the permissions provided by the EBX Insight Add-on, access restrictions on data do not necessarily mean that the user cannot execute indicators and query the results on this data.

Special notation:

The EBX® permission is used to configure the rights applied to the reporting tables Big data report, Indicator report and Indicator value.

The indicators executed by triggers don't need to be constrained by user permission rules.

Applying EBX® permissions only

To use only EBX® permissions, the Use Insight permission property is set to False in the Default permission table. With this configuration, the ability to query and execute indicators is as follows:

| Operation | Permission |
|---|---|
| Query | All indicators are available through the UI query and the results are filtered depending on user rights. When the user has neither 'read' nor 'read-write' on a Data Element Concept (D.E.C.), the related results are not displayed. Indicators of type Workflow are systematically offered at the level of the reference dataspace. |
| Execute | An indicator is available to be executed by a user with 'read' or 'read-write' permissions on the related Data Element Concept (D.E.C.). Indicators of type Workflow are systematically offered at the level of the reference dataspace. To execute the indicator on a workflow, the user must be at least a participant in this workflow. |

Table 5: Execute and query - Applying EBX® permissions

Permissions extended by the add-on

To extend the EBX® permissions, the Use Insight permission property is set to True in the table Default permission.

With this option, the EBX® permissions applied to the Data Element Concept (D.E.C.) are extended with the permission declared through the add-on. This means that a user who has no rights on a D.E.C. can be authorized to execute and query indicators on this D.E.C.

This procedure does not bypass EBX® permissions with regard to the ability to read and write the data belonging to this D.E.C., only the right to execute the indicator on the D.E.C. and to query the results. The results are then displayed by regular views in EBX®, which take into account standard permissions (Big data report, Indicator report and Indicator value).

For example, a user User01 has no rights on the Employee table. This user cannot modify or read any data in this table. In the add-on, the Number of working hours per month indicator is applied to the Employee table. The permissions defined in the add-on then extend the EBX® permissions to allow User01 to execute and query the results of the Number of working hours per month indicator on the Employee table. This permission at the add-on level does not change the fact that the user User01 cannot access the Employee table data.

With this configuration, the ability to query and execute indicators is as follows:

| Operation | Permission |
|---|---|
| Query | Only the indicators that are configured with the permission 'Query' = 'Yes' are available through the UI query. For indicators of type Workflow, the configuration 'Indicator permission by D.E.C.' is not applied since these indicators are not reliant on D.E.C.s. |
| Execute | Only the indicators that are configured with the permission 'Execute' = 'Yes' are available through the UI query. For indicators of type Workflow: the configuration of 'permitted datasets' in the table 'Indicator permission' is not used since these indicators are not reliant on datasets; the configuration 'Indicator permission by D.E.C.' is not applied since these indicators are not reliant on D.E.C.s. To execute the indicator on a workflow, the user must be at least a participant in this workflow. |

Table 6: Execute and query - Applying add-on permissions

The configuration is based on two concepts highlighted in the table below.

The two configuration concepts for the permission management

| Configuration concept | Description |
|---|---|
| Indicator ('Indicator permission') | When an indicator is not configured, its permissions are the ones defined by 'Default permission'. For example, the user profile 'UPF01' is configured with 'Query' = 'Yes' and 'Execute' = 'No'. If the 'Number of records' indicator is not configured under permissions management, this indicator is available to query but not to execute. When an indicator is configured, its permissions are no longer the default permissions. For example, for the same user profile as above, if the 'Table last modification date' indicator is configured with 'Query' = 'Yes' and 'Execute' = 'Yes' with a restriction on the dataset 'DS01', this indicator is available to query and can only be executed in the dataset 'DS01'. |
| Indicator by D.E.C. | For an 'Indicator permission', it is possible to restrict permissions to one or multiple Data Element Concepts (D.E.C.). When no 'Indicator by D.E.C.' is defined for an 'Indicator permission', all D.E.C.s are permitted. |

Table 7: Execute and query - The configuration concepts for the permission management
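The resolution order described on this page, written out as a small Python model for reviewing a permission configuration; this is an added illustration, not the add-on's code or API. The names `Rule`, `Profile` and `allowed` are hypothetical, and the model assumes that a dataset restriction gates execution only (as in the 'DS01' example) and that in EBX®-only mode a query "succeeds" when its results would not be filtered out.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    query: bool
    execute: bool
    datasets: frozenset = frozenset()  # permitted datasets; empty = no restriction
    decs: frozenset = frozenset()      # 'Indicator by D.E.C.'; empty = all permitted

@dataclass
class Profile:
    use_insight: bool                  # 'Use Insight permission' property
    default: Rule                      # this profile's 'Default permission' row
    indicators: dict = field(default_factory=dict)  # 'Indicator permission' rows
    ebx_readable: frozenset = frozenset()  # D.E.C.s with 'read' or 'read-write'

def allowed(profile, op, indicator, dataset, dec, workflow=False, participant=False):
    """Decide whether op ('query' or 'execute') is permitted for one indicator."""
    if profile is None:                # profile not in 'Default permission'
        return False
    if workflow and op == "execute" and not participant:
        return False                   # must be at least a workflow participant
    if not profile.use_insight:        # EBX permissions only
        return workflow or dec in profile.ebx_readable
    rule = profile.indicators.get(indicator, profile.default)
    if not getattr(rule, op):          # 'Query' / 'Execute' = 'No'
        return False
    if workflow:                       # dataset and D.E.C. settings not applied
        return True
    if op == "execute" and rule.datasets and dataset not in rule.datasets:
        return False                   # assumption: dataset limit gates execution
    return not rule.decs or dec in rule.decs

# Constructed sample mirroring the page's UPF01 example; the profile has no
# EBX rights on the Employee D.E.C.
UPF01 = Profile(
    use_insight=True,
    default=Rule(query=True, execute=False),
    indicators={"Table last modification date":
                Rule(query=True, execute=True, datasets=frozenset({"DS01"}))},
)
EBX_ONLY = Profile(use_insight=False, default=Rule(query=True, execute=True))

if __name__ == "__main__":
    for op, ind, ds in [("query", "Number of records", "DS01"),
                        ("execute", "Number of records", "DS01"),
                        ("execute", "Table last modification date", "DS01"),
                        ("execute", "Table last modification date", "DS02")]:
        print(op, ind, ds, allowed(UPF01, op, ind, ds, "Employee"))
```

With 'Use Insight permission' set to True, `UPF01` can query indicators on Employee despite having no EBX® rights on it, which is the extension an access review should account for; the same profile shape with the property set to False is denied.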