Setting up Permissions: Examples
Prior to creating new Roles and adding Operations (permissions) to the Role, you should check to make sure that a Role has not already been created with the desired Resources and Operations. There are several predefined Roles within iTopia that you can apply to the users at your location. You should have an Excel spreadsheet that lists all of these Roles and the resources (views) contained in each Role. You can also determine which resources are available in each Role by entering a Role Name in the Search Criteria in the Role Master Permission table.
Some resources may be listed in multiple Roles but the operation (permissions) may vary. In the following example we have searched for the Resource Name ibis_ici1. All of the Roles assigned to this resource are displayed along with the assigned Operations (permissions):
- The 'ibis_cs', 'ibis_in' and 'ibis_pr' Roles are only assigned the execute and read Operations.
- The 'ibis_administrator' Role is assigned the customize, execute, export, grant and read Operations.
- The 'ibis_pm' Role is assigned the customize, execute, export, and read Operations.
From this listing you can determine the Roles that are best suited for your users.
Note: You should never assign a user the 'ibis_administrator' Role. This Role is reserved for the system user only. Not only does this Role give the owner of the Role permissions to all resources (views) but also to the UMS tables in iTopia.
You may modify any of the existing Roles as you see fit or you can create new Roles and assign the appropriate resources and operations.
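The check described above, finding an existing Role that already covers the Resources and Operations you need before creating a new one, can be scripted against an export of the Role Master-Permission listing. This is an added example, not iTopia code: the CSV layout and column names (role, resource, operation) are assumptions, and the sample rows are constructed from the ibis_ici1 listing above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are an assumption, not an iTopia format.
SAMPLE_EXPORT = """role,resource,operation
ibis_cs,ibis_ici1,execute
ibis_cs,ibis_ici1,read
ibis_in,ibis_ici1,execute
ibis_in,ibis_ici1,read
ibis_pr,ibis_ici1,execute
ibis_pr,ibis_ici1,read
ibis_pm,ibis_ici1,customize
ibis_pm,ibis_ici1,execute
ibis_pm,ibis_ici1,export
ibis_pm,ibis_ici1,read
ibis_administrator,ibis_ici1,customize
ibis_administrator,ibis_ici1,execute
ibis_administrator,ibis_ici1,export
ibis_administrator,ibis_ici1,grant
ibis_administrator,ibis_ici1,read
"""

# Reserved for the system user, so it is never offered as a candidate.
RESERVED_ROLES = {"ibis_administrator"}


def load_permissions(text):
    """Return {role: {(resource, operation), ...}} parsed from CSV text."""
    perms = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        pair = (row["resource"].strip(), row["operation"].strip().lower())
        perms[row["role"].strip()].add(pair)
    return dict(perms)


def candidate_roles(perms, needed):
    """Roles covering every needed pair, fewest extra permissions first."""
    needed = set(needed)
    hits = [(role, sorted(granted - needed))
            for role, granted in perms.items()
            if role not in RESERVED_ROLES and needed <= granted]
    return sorted(hits, key=lambda hit: (len(hit[1]), hit[0]))


if __name__ == "__main__":
    wanted = {("ibis_ici1", "read"), ("ibis_ici1", "execute")}
    for role, extra in candidate_roles(load_permissions(SAMPLE_EXPORT), wanted):
        print(role, "extra permissions:", extra)
```

An empty result means no existing non-reserved Role covers the request, which is the case for creating a new Role.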
The following examples guide you through setting up a new Role with resources and permissions using existing group and individual resources, as well as maintaining an existing Role, which includes adding and removing resources and permissions using the Role Master-Permission table.
- Setting up a new Role with resources and permissions using existing group and individual resources:
In this example we add some of the resources (both group and individual) that are included in the Product Inquiries (IC45) resource to a new Role called 'ibis_example', created in the Role Master.
- Determine the group resources that are required. In this case, we will need the 'ibis_product_menu' (Products) and 'ibis_product_inquiries' (Product Inquiries(IC45)) group resources.
- Select Create on the Role Master-Permissions view.
- Enter the Role name in the Role Name field, in this case we will enter ibis_example.
- Enter the group resource in the Resource Name field, in this case we will enter ibis_product_menu.
- Enter execute in the Operation Name field.
- Click Submit.
- Repeat these steps for the 'ibis_product_inquiries' resource.
This Role is now ready to be assigned to users through the User Master–Role view.
Note: If you want all of the Related resources that are normally displayed and accessible on the Details page of the two individual resources above, you need to apply permissions to the Related Resource Group as well as to the individual resources within the Related Resource Group.
Special Note: There is no need to assign permissions to look up fields that are used as Search Criteria in a view that a user would not normally have access to. iTopia automatically assumes that the view accessed through the look up is executable only. In the example above, the user that the 'ibis_example' Role was assigned to has no permissions to the tables 'ibis_ici1' (Product Master(IM13)) or 'ibis_sucu' (Account Master); however, the user can still access the look ups for the Product Code and Customer Code in the Product Inquiries-Invoice Lines by Customer(IC45/I2) view.
- Maintaining an existing Role:
In this example, we will delete a resource and add an operation to an existing resource for the existing Role 'ibis_example'.
- Determine the resources and permissions that are included in the role by entering the role name in the Role Name search field of the Role Master-Permissions view.
- The Role Master-Permission view is sorted by Role Name, Resource Name and then by Operation Name. In order to make it easier to view the resources and associated operations, you should sort the table by Resource Name by clicking on the table heading Resource Name.
- To delete a resource and the assigned operations (in this case we will delete all of the records for 'ibis_v_oeoop.ic45_i1_orders_quotes'), select the check boxes next to the resource and then select Delete from the 'Use Selected Records as Criteria for Action' icon. The selected records are removed.
- To add an Operation for an existing Resource you will need to Create a new record. In this case we are going to add the Export operation to the Resource 'ibis_inidp.ic45_i2_inv_lines_by_cust'.
- Click Create and enter the Role name (ibis_example), Resource Name (ibis_inidp.ic45_i2_inv_lines_by_cust) and Operation Name (export).
- Click Submit.
The Role now only contains the individual Resource 'ibis_inidp.ic45_i2_inv_lines_by_cust' with the applied Operations and the two Group Resources ('ibis_product_inquiries' and 'ibis_product_menu').
- Setting up Resources and Permissions to a User ID:
Since Role Names also include User IDs, it is possible to add resources and permissions directly to a user instead of applying the Resource to a Role and then applying the Role to the user. This is not a commonly used method of assigning Resources to users since any special views can usually be created by the user through Personalization unless they do not have permissions to a table that they require information from or the Customize operation is not available to the user.
- When you enter a User ID in the Role Name field of the Role Master-Permission table, all of the views that the user created using Save As through Personalization are displayed along with the user's resource for their My Views folder (user_user11_menu). As the system administrator, you can modify the Operations on these resources but we do not recommend that you do.
- The following example will guide you through the process of assigning permissions to a specialized view for a specific user. There are two methods of adding permissions to the specialized view.
- Through the Permissions action within the Personalization of the specialized view:
- Enter the user's ID in the Add a Role field and click Add.
- Select the Operations that apply by clicking the appropriate check boxes.
- Click Submit or Save.
- Through the Role Master-Permission table:
- Click on Create.
- Enter the appropriate Role, Resource and Operation name.
Note: Regardless of the method you use to add the specialized view, the user that it is assigned to will need to add the view name to his/her My Views folder if they want to see the view name on a menu. If this step is not performed, the user can always access the view by entering the view name in the search field.