Managing Propagated Permissions 

Use

You use propagated permissions to maintain authorizations of related objects.

For more information, see Service Permission Types.

Procedure

Selecting an Entity Instance

       1.      Log on to the CAF Runtime Configurator.

       2.      Choose Administrative tools → Authorization Tool.

       3.      Choose the Propagated Permissions  tab page.

       4.      From the left pane (Inheritance of Permissions by Objects), select the entity service whose permissions you want to check or manage.

You can see as subnodes the objects for which there are inherited permissions in the selected entity service.

       5.      In the right pane, enter data in some of the attribute fields.

For example, if you want to see all instances created by the user Administrator, enter Administrator in the createdBy field.

       6.      Choose Find.

A list of the found entries is displayed.

       7.      Select an entry from the list.

Getting a Permissions Report

...

       1.      Follow the instructions above to select an instance entry.

       2.      Choose Show Permissions Report…

       3.      A report including the authorizations for the entity instance is displayed.

For more information, see Getting a Principal Authorization Report.

Changing Access Rights

...

       1.      Follow the instructions above to select an instance entry.

       2.      Choose Change Access Rights…

       3.      You can modify the permissions by using an Access Control List (ACL).

For more information, see Managing Access Control List.

Spreading of Propagated Permissions

You can see how the permission checks call stack happens in runtime.

...

       1.      Follow the instructions above to select an instance entry.

       2.      From the Permission Name dropdown list, select a permission.

For more information, see Predefined Permission Access Rights.

       3.      Choose Spreading of Propagated Permissions tab page.

       4.      From the dropdown list, select one of the options below and choose Show to design how the result table is displayed:

○       Show all - retrieves all instances related to the selected one

○       Show path - retrieves related instances until the first permitted instance

You can invoke principal report or change access rights for each selected instance.

Getting Information About Available Permissions

For each principal, you can get permission information for all instances.

...

       1.      Select a principal.

For more information, see Managing Access Control List

       2.      From the Permission Name dropdown list, select a permission.

       3.      Choose Available Permissions tab page.

       4.      From the dropdown list, select one of the options below and choose Show to design how the result table is displayed.:

○       Show hierarchy – retrieves information structured hierarchically, so the real structure of related instances is shown as well as the available permissions for each instance.

○       Group by BE – retrieves information grouped by business entities, so you can see the information grouped by object type and instance.

Getting Information About Potential Problems

You can get information about potential problems.

Potential problems can be one of the following:

●      Recursive references – if there is a cycle in the references between instances, an endless recursion may appear.

●      Missed references – if there are instances for which the propagated permissions are kept on the data layer, but there are no existing relations between them.

●      Redundant references – if there are instances for which relations are kept on the data layer, but there is no information for propagated permissions between them.

●      Not existent objects – if there is information about propagated permissions, but the object does not exist anymore.

To display information about potential problems:

...

       1.      Choose Found Potential Problems tab page.

       2.      Choose Show.

       3.      Confirm the dialog and wait until the information is shown.

Example

For the newly created entity service Bicycle, you want to create the following authorization rule:

User	Permission	Condition
Demo	create	Only if wheel size of bicycle is between 24 and 28 inches.

...

To do this you would:

       1.      Create the entity service Bicycle with the following attributes:

○       manufacturer (type is shortText)

○       wheel_size (type is integer)

       2.      In the Permissions tab page, activate all permission type indicators.

       3.      Create a business rule (Access Control List) for the user with the authorization tool of the CAF Runtime Configurator.

       4.      Add conditions to that rule with the following parameters:

Attribute	Low Value	High Value	Operator
wheel_size	24	28	between