Technical documentation - Permissions on functions in web viewer and data
This article describes the existing permission resources (permissions to functions) and the permissions solution in Signifikant.
Overview
The permissions functionality is based on two concepts: permissions and groups.
Permissions are used internally in the application to control access to a function or to data. Permissions can control functions (as defined in the application) or data (as defined in data).
Groups are a list of permissions defined in permissions.config.
Users in the web viewer will internally have a list of permissions associated with the user. The list of permissions a user has is a union of several sources:
User may have groups connected to the user. These groups come from either an external source such as an AD or from the web viewer server database. The groups will give the permission.
User may be connected to an organisation which has groups. The groups will give the permission.
User may have used the call centre function and selected a proxy user or proxy organisation. User will then get the groups associated with the proxy user or proxy organisation. See Call centre and local admin.
The site may have permissions set on the site. User will get the permissions on the site.
Permissions.config
Permissions.config is used to enable permissions control of functions and to add permissions control on data. It is also used to map permissions to groups.
Server DB and external providers of permissions
When communicating access rights with an external system such as an AD, SAML or ADFS solution, communication will always be based on groups. When saving access rights on users to the server database, the groups will be saved. Actual permissions will never be saved in the server database or communicated with external systems. Internal permissions may change over time, so groups are used to avoid migrating the permissions set on users and to avoid changes in APIs.
So permissions.config will have to be used to define the interface with server database and external solutions.
Permissions to functions in web viewer
The permissions below are used to control access to functions within Signifikant. If a user does not have permission to a function, the user will not see the function.
Permission names | Description |
AddToOrderCart | Access to add parts to order cart (‘add-to-order’ cart button). From version 5.0 and later it is possible to set the default permission on AddToOrderCart. <EnableAddToOrderCartDefaultPermission> is used to set the default permission. |
Administration | Access to administration module. |
AssetAnnotations | User with this permission can view/create annotations (notes) on an asset. |
AssetOwnership | Allows user to see asset ownership and modify notes. See Technical documentation - Assets. Available in version 5.1 and later. |
Assets | User with this permission can search for and view assets |
Availability | User can see availability, as an icon based on availability level. E.g. X for not available. |
AvailabilityValue | User can see availability level, actual value |
Bulletin | Access to bulletin module. |
CardPayment | |
CashPayment | |
CatalogueReport | Access to function to download catalogue report. Available in version 5.3 and later. |
ClaimsAdmin | User can access the My Claims view if the user belongs to a group of the ClaimsAdmin resource. |
ClaimsManager | User can access the Manage Claims view if the user belongs to a group of the ClaimsManager resource. |
CompanyAdministration | Access to Create/update company details and create/update users and access to order received to company. |
DeliveryOption | Access for user to change delivery options. |
Download | Access to download function. Technical documentation - Download list of catalogues or parts from a list |
EditPresentation | User with this permission can edit a presentation. |
EditAssets | Users can add, edit and import assets |
EditBillingAddress | User can edit billing address under MyAccount. The EditBillingAddress function needs to be turned on. |
EditPresentation | Will give user access to edit presentation (part) in web viewer, for web viewers accessing editor database. |
EditShippingAddress | User can edit shipping address under MyAccount. The EditShippingAddress function needs to be turned on. |
Favourites | User can access Favourites function. |
Feedback | Access to feedback module. |
FlexibleSparePartSelection | Allow user to select if automatic replacement is enabled or not. By default, automatic replacement is turned on and user cannot turn off. This permission makes it possible for user to turn off. |
InvoicePayment | |
Invoices | User with this permission can view My orders section. |
LocalAdministrators | User has access to local admin function. Note that any user having Administration permission will see full administration and not local admin function. |
LoginPermission | Access to login. This function is used to be able to approve users before they are allowed to sign in. |
MarketSelector | Access to market selector, if markets are turned on. Available in version 5.2 and later. |
MyAccount | Access to my account module. This permission also allows user to add notes if notes function is enabled. |
MyAssets | Access to my assets page. See Technical documentation - Assets. Available in version 5.1 and later. |
MyOrders | Access to the MyOrders menu. This permission also allows the user to look at the order history. |
Notes | User with this permission can write and see notes on products. Available in version 5.4.0 and later. |
Order | |
OrderType | Access to OrderType selector. |
PartListReport | User has permission to access part list report function. Available in version 5.2 and later. |
PartListReportDownload | User has permission to download part list report. Available in version 5.2 and later. |
PartReplacement | Access to view Part replacement history. |
PaymentAdministration | |
PaymentLink | |
PlaceOrder | Access to place order. This permission also allows the user to save an order. Note that a user without this permission will still see the place order and save buttons, but will be directed to the login page when pressing either of them. |
Price | User can see price. |
PriceDisplayModes | Users can choose to show discounts in settings. |
Quotation | Access to create quotation. |
PriceDisplayModes | User with this permission group can choose to show discounts in User settings |
ShoppingList | Permission to see shopping list buttons and shopping list icon in toolbar. Available in version 5.0 and later. |
Site | Allows a user to access a specific site. If not activated, all users can access all sites. Admins can always access all sites. |
SupportCentre | User has access to support centre function. |
Synchronize | Access to synchronize data to offline viewer from web-viewer. |
System | Default access. |
TemporaryBillingAddress | User can edit billing address on order page to create a temporary billing address. |
TemporaryShippingAddress | User can edit shipping address on order page to create a temporary shipping address. |
TerminalPayment | |
Ticket | User can access Ticket function if the user belongs to group of Ticket resource. |
Permissions to data
Permissions may be created on information in the system. A permission can have any name, and an unlimited number of permissions can be created.
Permissions can be put on parts, part assemblies, catalogues, documents and content sets. Permissions may also be put on presentation types, which may be used to create a permission on an information type. E.g. some parts may be restricted, and these parts are classified as restricted parts using a presentation type. A permission can then be put on this presentation type. Note that an item of information can have only one presentation type.
Handling permissions to data in Manager
Permissions can be set on data in Manager. Nodes and Presentations may have permissions. At publish it is possible to limit which permissions are actually published to a web server or to an offline version. This makes it possible to limit the actual data available on a remote installation.
Which permissions are available to select in the Manager is controlled by permissions.config located on the Manager server. The permissions.config is located in one of the folders:
Primary at custom level: C:\ProgramData\Signifikant\Assert\Customize
Fallback at server level: C:\ProgramData\Signifikant\Assert
Version 5.0 information
In version 5.0, permissions to functions in Manager were introduced. Data permissions have to be tagged in permissions.config to appear as permissions on data. Read more: Permissions in Manager does not appear
WebViewer
If Signifikant Web Viewer is used for administrating users and groups permissions, admin will be able to select groups (0 or more) on each user. The permissions are available under each user in the admin section of the Web Viewer.
Which permissions are available to select in the Web Viewer is controlled by permissions.config and profile.config located on the web server. By default the groups will be displayed in the web viewer, as in the screen dump above.
Templates
Profile.config can be used to define a set of groups and templates for users and organisations. The groups become the access rights choices in the web viewer, and the templates become a drop down that sets several access rights choices with a single selection. A clarifying text can be added. In the end, all of these are mapped to permissions.
The drop down in the web viewer will be populated by the settings in the <PermissionTemplates> block in profile.config.
Permission templates
<PermissionTemplates>
<PermissionTemplate>
<Name>Default</Name>
<GroupNames>Price,PriceDisplayModes,PlaceOrder,Bulletin,Availability,MyAccount,SafetyParts</GroupNames>
</PermissionTemplate>
<PermissionTemplate>
<Name>Default Temporary Shipping Address</Name>
<GroupNames>Price,PriceDisplayModes,PlaceOrder,Bulletin,Availability,MyAccount,SafetyParts,TemporaryShippingAddress</GroupNames>
</PermissionTemplate>
</PermissionTemplates>
The descriptions of the groups shown in the web viewer are fetched from the <PermissionGroups> block in profile.config.
PermissionGroups
<PermissionGroups>
<PermissionGroup>
<Name>Administrators</Name>
<Description>Permission to administer users, pricelists</Description>
</PermissionGroup>
<PermissionGroup>
<Name>LocalAdministrators</Name>
<Description>Permission to administer users in a region</Description>
</PermissionGroup>
</PermissionGroups>
Default permission
It is possible to define which permissions a user should get when the user is created. This is done in profile.config using UserDefaultGroupsList.
It is also possible to define a set of permissions which a site should have by default. With this setting, every user, signed in or not, gets these permissions.
Permissions.config
The permissions.config is located at:
If permissions.config exists in both App_Data and in App_Data\<site>, the version in <site> will be used.
<Id>1</Id> | An integer value, assigned incrementally. |
<Enabled>true</Enabled> | true enables and false disables access control for the permission. If false, access control is turned off for that function and all users are allowed to access the function. |
<Name>MyAccount</Name> | This holds the name of Permission resource. |
<DataPermissionEnabled> | Version 5.0 and later. If true this permission will appear as a permission on data in Manager. |
<Note>Users can access MyAccount settings</Note> | Description of permission. |
<Groups> | Groups hold the role applied to user. |
To apply or enable a permission, write the permission setting as per the example below in the permissions.config file.
ResourcePermissions
Debugging permissions on users is sometimes needed.
See Technical documentation - Getting user's information and permissions for how the actual permissions of a signed-in user may be retrieved.
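The rules described on this page (a user's permissions are the union of the groups from several sources, and a permission with <Enabled>false</Enabled> is open to everyone) can also be checked offline against a copy of permissions.config. The following Python code is an added example, not Signifikant code; the <ResourcePermission> wrapper element, the comma-separated <Groups> format and the treatment of site permissions as one more group source are assumptions, since the page lists only the child elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample. ASSUMED layout: the page names the child elements
# (<Id>, <Enabled>, <Name>, <Groups>) but not the wrapper element or the
# <Groups> format; <ResourcePermission> and comma-separated names are
# placeholders for illustration.
SAMPLE_CONFIG = """
<ResourcePermissions>
  <ResourcePermission><Id>1</Id><Enabled>true</Enabled><Name>MyAccount</Name>
    <Groups>Default,Administrators</Groups></ResourcePermission>
  <ResourcePermission><Id>2</Id><Enabled>true</Enabled><Name>Administration</Name>
    <Groups>Administrators</Groups></ResourcePermission>
  <ResourcePermission><Id>3</Id><Enabled>false</Enabled><Name>Price</Name>
    <Groups>Dealers</Groups></ResourcePermission>
  <ResourcePermission><Id>4</Id><Enabled>true</Enabled><Name>Download</Name>
    <Groups></Groups></ResourcePermission>
</ResourcePermissions>
"""

def load_permissions(xml_text):
    """Return {permission name: (enabled, set of group names)}."""
    result = {}
    for node in ET.fromstring(xml_text).iter("ResourcePermission"):
        name = node.findtext("Name", "").strip()
        enabled = node.findtext("Enabled", "").strip().lower() == "true"
        raw = node.findtext("Groups") or ""
        result[name] = (enabled, {g.strip() for g in raw.split(",") if g.strip()})
    return result

def effective_permissions(perms, *group_sources):
    """Union the groups from every source (user, organisation, proxy, site),
    then map groups to permissions. Enabled=false means access control is
    off, so that permission is granted to every user."""
    groups = set().union(*group_sources)
    return {name for name, (enabled, allowed) in perms.items()
            if not enabled or groups & allowed}

def audit(perms):
    """List entries worth reviewing before the file is deployed."""
    findings = []
    for name, (enabled, groups) in sorted(perms.items()):
        if not enabled:
            findings.append((name, "access control off: every user is allowed"))
        elif not groups:
            findings.append((name, "enabled but no group in this file grants it"))
    return findings
```

Run `audit(load_permissions(...))` on each copy of the file (App_Data and App_Data\<site>), since the site-level copy is the one that takes effect when both exist.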