Role management

Combination of permissions

The user joão.silva is related to the collaborator role. This role has authorization to perform the Query action on the custom field resource.

The user pedro.santos is related to the collaborator and analyst role. In addition to the Contributor role definitions (above), the Analyst role has Create, Edit, and Delete permissions in the custom field feature.

The user maria.silva has the roleadmin, which does not contain any filters, that is, it does not impose specific restrictions. Therefore, a user with the roleadmin has visibility of all companies and branches. However, when adding an additional role such asbranch administrator 1 (which filters company 1 with branch 1), the system starts to apply restrictions according to the filters for that specific role (limiting the information to company 1 with branch 1), even with the presence of the most comprehensive role.

If a third role is added, for example, with a filter for company 2 with branch 2, the system must take all roles into account, resulting in a filter that includes company 1 with branch 1 and company 2 with branch 2.

Denial of permission

The user rosa.maria is only related to the analyst role; Because the analyst role has Create, Edit, and Delete permissions on the custom field resource, but does not have Query permission, this user will not be able to perform custom field queries.

The RBAC (Role-Based Authorization Control) is a role-based permissions control. It is the first level of access permissions and also the simplest. Simply inform which resources a role can access and which actions can be performed on each resource.

It is possible that there are needs beyond what RBAC provides, which is why the concept of ABAC was created.

Complementing RBAC, authorization can be carried out through attribute validation. During resource definition, the business service can link attributes, making validation possible during authorization verification. When the resource has attributes, during permissions management, the end user can include ascript (javascript) which must validate the attributes, thus allowing or denying access.

On the senior X Platform, ABAC is used for more complex permissions, such as time of day and the user's geographic location, to allow the system to be used in a dynamic and distributed way.

For more complex authorization management, filters can be linked to permissions or roles so that business services can allow partial access to a resource/action. Like ABAC, existing filters are defined by the business service, without user interaction. For example, a given role can only access invoices issued by the company to which it is associated, or it can only access data from company X, branch X.

The platform currently allows you to define two types of filters:

• Resource filter: resource or boolean filters are linked to actions during permissions management to activate or deactivate a functionality, for example: the user resource with View action returns a list of all users and has the restrict branch filter. During permission management, I can add the filter in the manager role, but not in the director role, as the director can view users from all branches.
• Service filter: they are more complex than resource filters, as they allow you to add a set of values linked directly to the role and service of the resource in question. Following the previous example, the user resource with View action returns a list of all users and has the branch code filter. Given that a manager belongs to a branch and a regional manager to one or more branches, I can add the filters as follows:

Once linked to the role, the filters will be returned upon permission verification so that the business can consume this data.

1. Access Technology > Administration > Authorization > Paper management;
2. click inNew role;
3. Inform thePaper name and theRole Description to identify you;
4. On the Users tab, select the users who will be part of the role:
   • Find the user you want to include in the role and use the
   • toggle from the Associate
   column;Select the check boxInclude blocked users if you need to view blocked users from the platform.

5. On the Permissions tab, select the features and actions that users associated with the role will have ac
   • cess to:
   • Click on a domain/service to view the resources and actions contained therein
   • ;Click the check box to define the role's resources and access;Some resources may have filters, which will be displayed next to the action. By clicking on them you can create Boolean filters;

6. On the Filters tab, view the domains/services that have custom filters and define one or more sets of values, with each page being a set:
   • Click on a dom
   • ain/service;
   • Enter the filter v
   alues;Repeat the procedure as many times as necessary.

7. On the Properties tab, add a set of keys/values for a role, assigning it metadata that can be used in customizations:
   • addName and then set the
   Value
   • ;
   Click the add button to finish.

8. In the tabapplications, select the access applications that will be part of the role:
   • Find the application you want to include in the paper and usetoggle of the associated column.
9. If you have roles created in the X Solutions Platform, and intend to integrate a role with the same name registered in G5/LDAP, thetoggle must be checked, this way the integrator has permission to edit the existing role. If you do not check, the message will be displayedthe paper already exists and will not be integrated until the user corrects the names.
10. After configuring the role, click save.

1. Access Technology > Administration > Authorization > Paper management;
2. Locate the role you want to change;
3. click inTo edit;
4. Make the necessary changes;
5. click inTo save.

At any time clickCancel to discard the changes.

1. Access Technology > Administration > Authorization > Paper management;
2. Locate the role you want to delete;
3. click inTo edit;
4. click inDelete;
5. Confirm the deletion.

At any time clickCancel to discard the changes.

Duplicating a role makes it easier to create a new role that has similar permissions to another role. When duplicated, it creates a new role with the same permissions. However, users associated with the role will not be copied to the duplicate role.

1. Access Technology > Administration > Authorization > Paper management;
2. Locate the paper you want to duplicate;
3. click inTo edit;
4. click inDuplicate;
5. Inform thePaper name It isDescription the role that will be created;
6. click inTo save to confirm the operation.

At any time clickCancel to discard the changes