This article describes the existing permission resources (permissions to functions) and the permissions solution in Signifikant.

Overview

The permissions functionality is based on two concepts: permissions and groups.

  • Permissions are used internally in the application to control access to a function or to data. Permissions can control functions (as defined in the application) or data (as defined in data).
  • A group is a list of permissions defined in permissions.config.

Each user in the web viewer internally has a list of permissions associated with the user. The list of permissions a user has is a union of several sources:

  1. The user may have groups connected to the user. These groups come either from an external source such as an AD or from the web viewer server database. The groups will give the permission.
  2. The user may be connected to an organisation which has groups. The groups will give the permission.
  3. The user may have used the call centre function and selected a proxy user or proxy organisation. The user will then get the groups associated with the proxy user or proxy organisation. See Call centre and local admin.
  4. The site may have permissions set on the site. The user will get the permissions on the site.

Permissions.config

Permissions.config is used to enable permissions control of functions and to add permissions control on data. It is also used to map permissions to groups.

Server DB and external providers of permissions

When access rights are communicated with an external system such as an AD, SAML or ADFS solution, the communication is always based on groups. When access rights for users are saved to the server database, the groups are saved. Actual permissions are never saved in the server database or communicated to external systems. Internal permissions may change over time, so groups are used to avoid migrating the permissions set on users and changing APIs.

Permissions.config is therefore what defines the interface with the server database and external solutions.


Permissions to functions

The permissions below are used to control access to functions within Signifikant. If a user does not have permission to a function, the user will not see the function.

...

Permissions can be put on parts, part assemblies, catalogues, documents and content sets. Permissions may also be put on presentation types, which may be used to create a permission on an information type. For example, some parts may be restricted, and these parts are classified as restricted parts using a presentation type. A permission can then be put on this presentation type. Note that a piece of information may only be of one presentation type.

Groups

Permission resources consist of groups, and these groups are applied to users. A group can be shared between several permissions; a user belonging to that group then has access to all the permissions that share it.

When designing permissions, a group can be used to give a user access to several functions or data. Alternatively, one group can be created per function, so that permissions can be set individually on users. Groups need to be designed carefully so that they persist to some level over time.

...

Permissions to ... data ... in ...

The connections between permissions and groups are defined in the permissions.config file. Which groups a user belongs to is defined by the user's credentials, which may be fetched from Signifikant's database or from an external solution such as an Active Directory.

Manager

Permissions can be set on data in Manager. Nodes and Presentations may have permissions. At publish it is possible to limit which permissions are actually published to a web server or to an offline version. This function makes it possible to limit the actual data available on a remote installation.

 

Which permissions are available to select in the Manager is controlled by permissions.config located on the Manager server. The permissions.config is located at: 

C:\ProgramData\Signifikant\Assert

WebViewer

If Signifikant Web Viewer is used for administering users and group permissions, the admin will be able to select groups (0 or more) on each user. The permissions are available under each user in the admin section of the Web Viewer.

...

Which permissions are available to select in the Web Viewer is controlled by permissions.config and profile.config located on the web server.

Profile.config

Profile.config can be used to define a set of groups and templates for users and organisations. The groups become the possible access rights choices in the web viewer, and the templates become a drop-down that sets several access rights choices by making just one choice. In the end, everything is mapped to permissions.

Permissions.config

The permissions.config is located at: 

Server level: C:\inetpub\wwwroot\AssertWeb\App_Data
Site level: C:\inetpub\wwwroot\AssertWeb\App_Data\<site>

If permissions.config exists in both App_Data and App_Data\<site>, the version in <site> will be used.

...

<Id>1</Id>

This is an integer value, assigned incrementally.

<Enabled>true</Enabled>

true enables the permission and false disables it. If false, access control will be turned off for that function and users will be allowed to access the function.

<Name>MyAccount</Name>

This holds the name of the permission resource.

<Note>Users can access MyAccount settings</Note>  

Description of permission.

<Groups>
  <string>EndClient</string>
</Groups>

Groups holds the groups (roles) that, when applied to a user, give this permission.
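
The following Python audit is an added example, not Signifikant's own code. It resolves a user's effective permissions as the union of sources described in the Overview and flags entries where Enabled is false, since those functions are open to every user. The wrapper element names, entries 2 and 3, the group name Dealer, and passing site permissions as permission names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only Id, Enabled, Name, Note and Groups/string are on the page;
# the wrapper element names and entries 2 and 3 are assumptions for illustration.
SAMPLE_CONFIG = """
<Permissions>
  <Permission>
    <Id>1</Id><Enabled>true</Enabled><Name>MyAccount</Name>
    <Note>Users can access MyAccount settings</Note>
    <Groups><string>EndClient</string></Groups>
  </Permission>
  <Permission>
    <Id>2</Id><Enabled>false</Enabled><Name>ExampleDisabledFunction</Name>
    <Groups><string>Dealer</string></Groups>
  </Permission>
  <Permission>
    <Id>3</Id><Enabled>true</Enabled><Name>ExampleUnmappedFunction</Name><Groups />
  </Permission>
</Permissions>
"""

def load_permissions(xml_text):
    """Return {name: (enabled, groups)} for each element with Name and Groups children."""
    perms = {}
    for node in ET.fromstring(xml_text).iter():
        name, groups = node.find("Name"), node.find("Groups")
        if name is None or groups is None:
            continue
        enabled = (node.findtext("Enabled") or "").strip().lower() == "true"
        members = {g.text.strip() for g in groups.findall("string") if g.text}
        perms[(name.text or "").strip()] = (enabled, members)
    return perms

def effective_permissions(perms, group_sources, site_permissions=()):
    """Union groups from user, organisation and proxy, map them, then add site permissions."""
    groups = set().union(*group_sources)
    # Enabled=false turns access control off, so that function is open to every user.
    granted = {n for n, (on, allowed) in perms.items() if not on or allowed & groups}
    return granted | set(site_permissions)

def audit(perms):
    """Entries to review: access control switched off, or enabled with no group mapped."""
    return {
        "open_to_all": sorted(n for n, (on, _) in perms.items() if not on),
        "no_group_mapped": sorted(n for n, (on, g) in perms.items() if on and not g),
    }

if __name__ == "__main__":
    print(audit(load_permissions(SAMPLE_CONFIG)))
```

Run it against the site-level file when one exists in App_Data\<site>, since that version is the one that is used.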

...