Roles and Permissions: Difference between revisions

From QPR ProcessAnalyzer Wiki
(21 intermediate revisions by the same user not shown)
Line 76: Line 76:
* View [[Data_Extraction,_Transformation,_and_Loading|scripts]] code and other script properties (with additional restrictions listed below)
* View [[Data_Extraction,_Transformation,_and_Loading|scripts]] code and other script properties (with additional restrictions listed below)
* Run scripts (with additional restrictions listed below)
* Run scripts (with additional restrictions listed below)
* Create, modify and delete scripts that are in user's own context.


The rights depend also in which of the following '''contexts''' the script is located:
The rights depend also in which of the following '''contexts''' the script is located:
* '''project''': To view scripts that are in ''project'' or ''model'' context, user needs to have the ''GenericRead'' for the project.
* '''project''': To view scripts that are in ''project'' context, user needs to have the ''GenericRead'' for the project.
* '''model''': See above.
* '''user''': Only the user itself can view, create, modify and delete scripts that are in the user's own context (except users with global ''ManageScripts'' permission can see scripts in other users' context).
* '''system''': All users with ''RunScripts'' can see scripts in the ''system'' context.
* '''system''': All users with ''RunScripts'' can see scripts in the ''system'' context.
|||| ||[[File:Tick.gif|center]]|||| || ||
|||| ||[[File:Tick.gif|center]]|||| || ||
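Review bot: the context list under RunScripts now covers only project and system, but the ManageScripts row elsewhere on the page still refers to scripts "in project and model context". Either keep a line saying how model-context scripts are handled or update that row to match. The dropped user-context bullet was also the only place stating that global ManageScripts lets a user see scripts in other users' contexts, so say where that rule now lives or that it no longer applies.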
Line 105: Line 102:
* View all filters: '''ManageViews''' for the project.
* View all filters: '''ManageViews''' for the project.
* Create filter: '''Filtering''' for the project.
* Create filter: '''Filtering''' for the project.
* Modify own filter: '''Filtering''' for the project.
* Edit own filter: '''Filtering''' for the project.
* Modify all filters: '''ManageViews''' for the project.
* Edit all filters: '''ManageViews''' for the project.
* Publish own filter: '''Filtering''' for the project.
* Publish own filter: '''Filtering''' for the project.
* Publish all filters: '''ManageViews''' for the project.
* Publish all filters: '''ManageViews''' for the project.
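Review bot: the "Modify" to "Edit" rename is applied only to the own-filter and all-filters bullets here, while the Filtering and ManageViews rows of the permission table still say "modify". Use one verb for the same operation throughout the page.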
Line 132: Line 129:


== SQL Scripting Permissions ==
== SQL Scripting Permissions ==
For viewing and running scripts, global '''RunScripts''' permission is needed. All scripts linked to the current context are available provided that the user has permission to see the scripts in the context. The required permissions by context are:
* View and run system script: global '''RunScripts'''
* System: No additional requirements.
* View and run project script: global '''RunScripts''' and '''GenericRead''' for the project.
* Project: '''GenericRead''' permission for the project.
* Create, edit and delete system script: global '''RunScripts''' and global '''ManageScripts'''
* Model: '''GenericRead''' permission for the project where the model is located.
* Create, edit and delete project script: global '''RunScripts''' and '''ManageScripts''' for the project.
* User: If the script is linked to current user, then no additional requirements. If the script is linked to a group the current user belongs to, no additional requirements. If the script is linked to other user or groups, global '''ManageScripts''' permission is required.


For script creation, modification and deletion, the following permissions are needed depending on the script context:
== Expression Scripting Permissions (future) ==
* System: Global '''ManageScripts'''.
* View project script: '''GenericRead''' for the project. (Also possible to call the script from other script.)
* Project: project '''ManageScripts'''.
* Run project script: '''RunScripts''' for the project.
* Model: project '''ManageScripts'''.
* Create, edit and delete project script: '''ManageScripts''' for the project.
* User: If the script is linked to a user group the user belongs to, group administrator user group role is required.
* View, run, create, edit and delete system  script: global '''ManageScripts'''.
 
If '''Hide Script Details''' is set for the script, only users with modify permissions for the script can see the script code and log.
 
== Group Roles ==
{| style="color:black; cellpadding="10" class="wikitable"
!||Group administrator||Normal member||Hidden Member
|-
|Add and remove group members||[[File:Tick.gif|center]]||||
|-
|Create users to group||[[File:Tick.gif|center]] || ||
|-
|Add and remove project access rights of a user||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|Open model accessible to group members||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]
|-
|See unhidden group members||[[File:Tick.gif|center]]||[[File:Tick.gif|center]]||
|-
|See hidden group members||[[File:Tick.gif|center]]|| ||
|}
 
If a group member is a project '''Administrator''', the user can add and remove project specific access rights for the group or for any individual member of the project.


[[Category: QPR ProcessAnalyzer]]
[[Category: QPR ProcessAnalyzer]]
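Review bot: the rewritten SQL Scripting Permissions section drops the "Hide Script Details" sentence and the whole Group Roles table without replacement. If those rules still apply they should stay documented, since they decide who can read script code and logs and who can see hidden group members. The new "Expression Scripting Permissions (future)" list also asks for RunScripts "for the project" while the SQL list requires it globally, so state whether RunScripts can be granted per project. Minor: "system  script" in the last bullet has a double space.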

Revision as of 23:05, 13 April 2021

QPR ProcessAnalyzer has role-based access control, where every operation requires appropriate rights to be executed. Rights are given to users and groups by assigning roles to them. A role is a collection of permissions. Permissions are fixed in QPR ProcessAnalyzer, and each allows certain operations. Some roles are project-specific, meaning that the role (and its permissions) applies only to that project. Roles can also be global, which gives rights to all projects in the system. Users belonging to a group have all the roles assigned to that group.

Global and Project Roles

There are two types of roles in QPR ProcessAnalyzer:

  • Global roles are used to give rights in the entire QPR ProcessAnalyzer system.
  • Project roles are used to give rights in a certain project. When assigning project roles, the project is also defined.

By default, the QPR ProcessAnalyzer system contains the global and project roles shown in the following table (roles as columns). The roles are mapped to the permissions shown in the same table (permissions as rows). It is possible to create new roles in QPR ProcessAnalyzer.

Table columns: Permission | Allowed operations | Global roles: Administrator, Create models, SQL Scripting | Project roles: Administrator, Designer, Analyzer, Viewer
View dashboards
(GenericRead)
  • View project's and model's information (name, description, configuration etc.)
  • List datatables and view their contents
  • Open dashboards (queries made by the dashboards are still restricted by the permissions)
  • Run analyses for model and view the analysis results
  • See own private filters, all published filters and the model default filter (not allowed to create/modify/delete filters)
Tick.gif
Tick.gif
Tick.gif
Tick.gif
Tick.gif
Save filters
(Filtering)
  • Create, modify and delete own filters (private and public, but not model default)
  • Publish own private filters for other users (but not set the model default filter). Published filters are still user's own, so other users cannot modify them.
Tick.gif
Tick.gif
Tick.gif
Tick.gif
Design dashboards
(EditDashboards)
  • Create, modify and delete dashboards (as a project role, dashboards in the assigned project; as a global role, all dashboards).
Tick.gif
Tick.gif
Tick.gif
Tick.gif
Import data
(GenericWrite)
  • Edit model settings (but not possible to create or delete models)
  • Import data to datatables (either directly or import to a model which uses datatables)
Tick.gif
Tick.gif
Tick.gif
Manage filters
(ManageViews)
  • View, create, modify and delete all filters in the model (also other users' private filters).
  • Set the model default filter.
Tick.gif
Tick.gif
Manage project
(ManageProject)
  • Modify project information (name and description) (GenericRead permission is also needed)
Tick.gif
Tick.gif
Delete models
(DeleteModel)

As a project specific permission:

  • Move a model to the recycle bin (soft delete) (the project-specific ManageProject permission is also needed)
  • Delete datatables (for datatables, deletion is always permanent)

As a global permission:

  • Permanently deleting models and projects (remove from the recycle bin) (also global ManageProject permission is needed)
Tick.gif
Tick.gif
Manage scripts
(ManageScripts)
  • As a project role, create, modify and delete scripts in project and model context.
  • As a global role, create, modify and delete all scripts.

To be effective, this permission also requires the RunScripts permission.

Tick.gif
Tick.gif
Manage operations
(ManageOperations)
Tick.gif
Manage users
(ManageUsers)
  • Administrate users and groups, e.g. create new users and groups, and add users to groups.
Tick.gif
Create model
(CreateModel)
  • Create projects, models and datatables. When a project is created, the creator gets the project Administrator role for the project (giving full permissions to the project).
Tick.gif
Tick.gif
SQL scripting
(RunScripts)
  • View scripts code and other script properties (with additional restrictions listed below)
  • Run scripts (with additional restrictions listed below)

The rights also depend on which of the following contexts the script is located in:

  • project: To view scripts that are in the project context, the user needs GenericRead for the project.
  • system: All users with RunScripts can see scripts in the system context.
Tick.gif

Datatable Permissions

Permissions required for datatables:

  • List datatables, view datatable properties and data contents: GenericRead for the project.
  • Create datatable: GenericWrite for the project and global CreateModel.
  • Change datatable properties and import data to datatable: GenericWrite for the project.
  • Move datatable between projects: GenericWrite and DeleteModel to source project, GenericWrite for target project, and global CreateModel.
  • Delete datatable (permanently): GenericWrite and DeleteModel for the project.

Dashboard Permissions

  • View dashboard: EditDashboards for the project.
  • Create dashboard: EditDashboards for the project.
  • Edit dashboard: EditDashboards for the project.
  • Move dashboard: EditDashboards for the original project and for the target project.
  • Delete dashboard (permanently): EditDashboards for the project.

Filter Permissions

  • View own private filters, all published filters and model default filter: GenericRead for the project.
  • View all filters: ManageViews for the project.
  • Create filter: Filtering for the project.
  • Edit own filter: Filtering for the project.
  • Edit all filters: ManageViews for the project.
  • Publish own filter: Filtering for the project.
  • Publish all filters: ManageViews for the project.
  • Delete own filter (permanently): Filtering for the project.
  • Delete all filters (permanently): ManageViews for the project.
  • Set model default filter: ManageViews for the project.

Model Permissions

  • View model: GenericRead for the project.
  • Create model: global CreateModel.
  • Change model properties (e.g. name): GenericRead and GenericWrite for the project.
  • Move model: GenericRead for the original project, and CreateModel for the target project.
  • Delete model (to bin): GenericRead and DeleteModel for the project.
  • Delete model (permanently): global DeleteModel.
  • Copy model: Global CreateModel permission and GenericRead for the copied model.

Project Permissions

  • View project: GenericRead for the project. (There are separate permissions for viewing different types of objects in the project.)
  • Create project: global CreateModel.
  • Change project properties (e.g. name): GenericRead and ManageProject for the project.
  • Move project: ManageProject for the moved project, GenericRead for the original parent project, and CreateModel for the target parent project.
  • Delete project (to bin): ManageProject and DeleteModel for the project.
  • Delete project (permanently): global DeleteModel and ManageProject permission for the project.
  • Copy project: Global CreateModel permission, and GenericRead and ManageProject for the copied project.

SQL Scripting Permissions

  • View and run system script: global RunScripts
  • View and run project script: global RunScripts and GenericRead for the project.
  • Create, edit and delete system script: global RunScripts and global ManageScripts
  • Create, edit and delete project script: global RunScripts and ManageScripts for the project.
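
The four SQL scripting rules above, together with the note that ManageScripts only takes effect alongside RunScripts, can be checked mechanically when reviewing grants. The following Python is an added example, not QPR ProcessAnalyzer code: the user names, project names and function names are hypothetical, the grants are constructed sample data, and it assumes a global permission also satisfies a "for the project" requirement, as the introduction describes for global roles.

```python
# Rules transcribed from the SQL Scripting Permissions list.
# operation -> (permissions needed globally, permissions needed for the project)
RULES = {
    "view_run_system": ({"RunScripts"}, set()),
    "view_run_project": ({"RunScripts"}, {"GenericRead"}),
    "edit_system": ({"RunScripts", "ManageScripts"}, set()),
    "edit_project": ({"RunScripts"}, {"ManageScripts"}),
}

# Constructed sample grants (hypothetical users and projects).
# Each user: effective global permissions and per-project permissions.
USERS = {
    "alice": {"global": {"RunScripts"}, "projects": {"Sales": {"GenericRead"}}},
    "bob": {"global": set(), "projects": {"Sales": {"GenericRead", "ManageScripts"}}},
    "carol": {"global": {"RunScripts", "ManageScripts"}, "projects": {}},
}


def project_perms(user, project):
    """Permissions effective in a project (assumption: global grants apply everywhere)."""
    return user["global"] | user["projects"].get(project, set())


def missing(user, operation, project=None):
    """Return the set of permissions the user still lacks (empty means allowed)."""
    need_global, need_project = RULES[operation]
    gaps = {f"global {p}" for p in need_global - user["global"]}
    gaps |= {f"{p} for {project}" for p in need_project - project_perms(user, project)}
    return gaps


def allowed(user, operation, project=None):
    return not missing(user, operation, project)


def ineffective_manage_scripts(users):
    """Names of users who hold ManageScripts somewhere but lack global RunScripts."""
    flagged = []
    for name, user in sorted(users.items()):
        held = set(user["global"]).union(*user["projects"].values())
        if "ManageScripts" in held and "RunScripts" not in user["global"]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, sorted(missing(user, "edit_project", "Sales")))
    print("ManageScripts without RunScripts:", ineffective_manage_scripts(USERS))
```

Read literally, the rules let a user with only global RunScripts and ManageScripts edit project scripts in a project whose scripts they cannot view, because viewing additionally needs GenericRead; the check surfaces that as a missing "GenericRead for ..." entry.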

Expression Scripting Permissions (future)

  • View project script: GenericRead for the project. (It is also possible to call the script from another script.)
  • Run project script: RunScripts for the project.
  • Create, edit and delete project script: ManageScripts for the project.
  • View, run, create, edit and delete system script: global ManageScripts.