This is the continuation of the Authorization topic.
Please go through the ‘Access roles’ post first.
You can explain it with the name.
Yes, we are denying the access.
Simply saying, it is the exact opposite of Access of Role to Object (ARO).
Access Deny = Access Denial of Object (ADO)
ADO is my own term, please forget it 🙂
As we saw before, objects refer to class instances.
So here, we deny access to particular class instances.
- It is a more granular part of ARO or Access Deny.
ARO and Access Deny control access to class instances, whereas Privilege controls access to particular rules.
- Say, for example, in an organization we have a manager and a set of developers. We need to allow executing the appraisal flow only for managers and not for users.
It means that we can control executing the flow by using privilege.
You need to specify the privilege in 2 places:
- In the rule form
- In the Access of Role to Object -> Access role
Say, you have created a new privilege ‘ExecuteAppraisal’ and included it in Appraisal flow.
Now, this flow can be executed only by people who hold the privilege in their access roles.
Are you confused? Cool, the following examples will make it clear 🙂
What is an Access Deny rule?
- It is the reverse of Access of Role to Object.
- The rule form is an exact replica of the ARO rule form.
- Access Deny is part of the Security category.
How do we configure an Access Deny rule?
Step 1: Create a new Access Deny rule.
Step 2: Configure the rule form.
It has a single main tab.
If you look at the bottom-right corner, you can see the level values:
- 0 – Do not deny access.
- 5 – Access will be denied till production
Access controls – You specify the access control for various options.
I just copied the same from the ‘ARO’ lesson below 😉
In the fields, you can provide either a level value (shown on the right) or an Access When rule (a replica of a When rule).
Say you provided level value 5. Then the denial applies in every environment up to production.
- Open Instances – Controls whether you can Open FKT-Fkart-Work-Sales cases
- Modify instances – Controls whether you can Save FKT-Fkart-Work-Sales cases
- Delete instances – Controls whether you can delete FKT-Fkart-Work-Sales cases
- Run reports – Controls whether you can run reports whose Applies To class is FKT-Fkart-Work-Sales
- Execute activities – Controls whether you can execute activities whose Applies To class is FKT-Fkart-Work-Sales
- Open rules – Controls whether you can open rules whose Applies To class is FKT-Fkart-Work-Sales
- Modify rules – Controls whether you can modify rules whose Applies To class is FKT-Fkart-Work-Sales
- Delete rules – Controls whether you can delete rules whose Applies To class is FKT-Fkart-Work-Sales
Let’s test it 🙂
Step 1: Create a new Access deny rule for User role – Fkart:Users
It is already created above.
Step 2: Set the access control for Open instances to level value 5.
Step 3: Open the FKart:User access role and verify the access class in the grid.
We have successfully configured the rule to deny access to open a sales case.
Step 4: Have a test user pointing to the Users access group – Fkart:Users
Note: This access group should contain the same access role – Fkart:User, where we created the Access Deny rule.
Step 5: Log in as the user and create a new sales case.
We have created a case S-142.
Step 6: Open the case from recent/worklist.
Yes, we did it. 🙂
You can remove that access level and test again.
Keep on testing different scenarios.
What is a Privilege rule?
- It provides access control on rules based on access role.
- It is part of security category.
How do we configure a Privilege rule?
Step 1: Create a new Privilege rule.
Step 2: Nothing 😀
There is no need to configure anything in Privilege rule form.
How do we refer to a Privilege rule?
Imagine we have a requirement that only a sales user can create a sales case; managers cannot create the case.
This is the key area in privilege rule.
You need to configure in 2 places.
1. Rules – Restricts
In the sales flow rule – Process tab
Privilege class – This defaults to the flow class.
Privilege name – Specify the privilege name here.
2. Access role -> ARO – conveys
Step 1: Open the ARO on sales class that belongs to sales user and open the Privilege tab.
Step 2: Add the Privilege created above.
Now, we have configured the sales user with the privilege to create a new case from sales flow.
For Sales manager, we didn’t add any privilege in their Access role, so they can’t create a new sales case.
Let’s jump to test.
Step 1: Make sure the rules are configured with the privilege created and the privilege is added to the ARO.
Step 2: Configure the test user with the ‘FKart:SalesManager’ access group -> role
Step 3: Check in the manager portal whether you are able to create a new sales case.
Step 4: Now update the test user to sales user role – Fkart:User role.
Step 5: Now check the user portal.
You should be able to create a new case.
We have successfully configured privilege in flow rule and restricted user based on their roles.
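A simplified model of the two checks configured above (the Access Deny level on Open instances, and the privilege that the rule restricts and the ARO conveys), added here as an example and not Pega's own code. The privilege name CreateSales, the system production level of 5 and the comparison used in level_applies are assumptions of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class RoleOnClass:
    """What one access role holds for one class (simplified, assumed model)."""
    aro_open: int = 0       # ARO "Open instances" level; 0 = not granted
    deny_open: int = 0      # Access Deny "Open instances" level; 0 = do not deny
    privileges: set = field(default_factory=set)  # conveyed on the ARO Privilege tab

def level_applies(level: int, production_level: int) -> bool:
    """Assumption: a level 1-5 is in effect while the system's production
    level is at or below it, so 5 stays in effect up to production."""
    return level > 0 and production_level <= level

def can_open_instance(role: RoleOnClass, production_level: int) -> bool:
    """Access Deny is evaluated first and overrides what the ARO grants."""
    if level_applies(role.deny_open, production_level):
        return False
    return level_applies(role.aro_open, production_level)

def can_run_rule(required_privilege, role: RoleOnClass) -> bool:
    """The rule restricts (names a privilege); the role must convey it."""
    if required_privilege is None:   # nothing set on the rule form: no restriction
        return True
    return required_privilege in role.privileges

# Constructed sample data on class FKT-Fkart-Work-Sales, using this post's role names.
ROLES = {
    "Fkart:User": RoleOnClass(aro_open=5, deny_open=5, privileges={"CreateSales"}),
    "FKart:SalesManager": RoleOnClass(aro_open=5),
}
SALES_FLOW_PRIVILEGE = "CreateSales"  # hypothetical name set on the flow's Process tab

if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name,
              "open case:", can_open_instance(role, production_level=5),
              "| start sales flow:", can_run_rule(SALES_FLOW_PRIVILEGE, role))
```

Setting deny_open back to 0 for Fkart:User reproduces the "remove that access level and test again" step: the ARO grant is then the only thing evaluated.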
Restricting Flow actions
Scenario: For a sales case, only sales users can change the stage. The sales manager will not have the privilege to change the stage.
Note: The Change stage flow action is available throughout the case life cycle under the Other actions button. We shall see that configuration in the ‘Cases’ lesson.
Step 1: First, save the flow action in the application class.
Step 2: We can use the same privilege we used for testing the flow.
Configure it in the Security tab – Privileges.
Step 3: We have already added the privilege in the user role. Make sure it is added.
Step 4: Move to the user portal and check the flow action under Other actions.
Step 5: Now configure the test operator for the sales manager portal and check the Actions button.
What are the other rules that can be restricted using privilege?
- Flow actions
- Report definitions
- Attachment categories
- Parse structured
I wanted to show you report definition restriction, but already it’s a very long post 🙂
You can test the above rules.
- Access Deny is the exact opposite of ARO. Normally, we use ARO in many places.
- Privileges need to be configured in 2 places:
- Access role of the users
We are at the end of the post.
We will discuss how to use Access Manager in next lesson 🙂