Difference between revisions of "Roles and permissions"

From WICE Wiki v2.89
m (Started explaining how the permission assignment:... interacts with historical assignments.)
Line 1: Line 1:
<includeonly>====Roles and permissions====</includeonly>
<includeonly>====Roles and permissions====</includeonly>
In order to restrict access to resources and functions in the portal, there is a framework for controlling this using roles and permissions. Permissions are given on a set of resources. These permissions are grouped into roles, and roles are then attached to one or several users to be granted specific permissions.
In order to restrict access to resources and functions in the portal, there is a framework using roles and permissions. Permissions are given on a set of resources. These permissions are grouped into roles, and roles are then attached to one or several users to be granted specific permissions.
[[File:Edit roles and permissions.png|thumb|400x400px|Illustration 51: The edit roles and permissions dialog.]]
[[File:Edit roles and permissions.png|thumb|400x400px|Illustration 51: The edit roles and permissions dialog.]]
The “Edit roles and permission” dialog can be seen in Illustration 51. It consists of three tables. The top left table holds a list of the roles, the top right holds the user(s) for the selected role and the bottom one hold the selected role's permissions. Their size is adjustable and you can minimize them by clicking on the line between them.
The “Edit roles and permission” dialog can be seen in Illustration 51. It consists of three tables. The top left table holds a list of the roles, the top right holds the user(s) for the selected role and the bottom one hold the selected role's permissions. Their size is adjustable and you can minimize them by clicking on the line between them.
Line 6: Line 6:
You add a new role by pressing the button “Add role” and delete a role along with its permissions by pressing the red button next to it. When making a role you add a description and unique name. To edit an already existing role, double click the entry you wish to edit.
You add a new role by pressing the button “Add role” and delete a role along with its permissions by pressing the red button next to it. When making a role you add a description and unique name. To edit an already existing role, double click the entry you wish to edit.


When you select a role in the top left table, the lower table shows that specific role's permissions and the upper right table shows which users have that role. The permissions table consists of two columns, a string that is the actual permission and the set of resources that apply to that permission. In the illustration above there is only one resource but there can be a list of resources and resource groups that the permission applies to.
When you select a role in the top left table, the lower table shows that specific role's permissions and the upper right table shows which users have that role. The permissions table consists of two columns, a string that is the actual permission and the set of resources that apply to that permission. In the illustration to the right there is only one resource but there can be a list of resources and resource groups that the permission applies to.<br clear="all">
<br clear="all">
 
====== Creating and editing roles and permissions ======
=== Creating and editing roles and permissions ===
[[File:Add permission.png|thumb|Illustration 52: Creating a new permission]]
[[File:Add permission.png|thumb|Illustration 52: Creating a new permission]]
To create a new permission press the “Add permission” button. It opens the following interaction depicted in illustration 52.
To create a new permission press the “Add permission” button. It opens the following interaction depicted in illustration 52.
[[File:Editing permissions.png|thumb|400x400px|Illustration 53: Editing assignment permissions]]
[[File:Editing permissions.png|thumb|400x400px|Illustration 53: Editing assignment permissions]]
# Selecting Which kind of permission you want. there are 8 different permissions 7 to give permissions to WCUs and one to give permission to all assignments(the assignment permission can not be modified).The different assignments for WCUs are:
# Select what kind of permission you want. There are eight different permissions, seven for WCUs and one to give permission to all assignments (the assignment permission can not be modified).The permissions for WCUs are:
## '''Assignment'''. Controls if a user is permitted to create/see assignments of a specific kind on a WCU.
## '''Assignment'''. Controls if a user is permitted to create/see assignments of a specific type on a WCU. More what this means is discussed below in "Permission to specific assignments"
## '''Configuration.''' The permission says if you are allowed to work with a WCU's configuration.
## '''Configuration.''' This permission controls whether you are allowed to work with a WCU's configuration.
## '''Module'''. The permission controls the access to individual module configurations. An example of a module is MCD-Hub.
## '''Module'''. The permission controls the access to individual module configurations on a WCU. An example of a module is Signal reader.
## '''Monitor'''. An assignment can have a monitor function to report data in real time. In order to see the real time data the user must have this permission.
## '''Monitor'''. An assignment can have a monitor function to report data in real time. In order to see the real time data the user must have this permission.
## '''Plot route'''. To see a historic GPS track of a WCU a user must have this permission.
## '''Plot route'''. To see a historic GPS track of a WCU a user must have this permission.
## '''Position'''. Allows a user to see a WCU's current position.
## '''Position'''. Allows a user to see a WCU's current position.
## '''View'''. This permission applies to the Vehicles tab. It has to do with whether you are allowed to list any WCUs in the table. Selecting this subtype makes the subtype type part unnecessary and therefore, it is removed if you choose this resource type.                                                                                                                                                                                                                                             Now the permission is actually created but it can be changed to your likings. Illustration 53 shows the dialog Where you edit the permission.
## '''View'''. This permission applies to the Vehicles tab. It has to do with whether you are allowed to list a WCU in the table. Selecting this subtype makes the subtype type part unnecessary and therefore, it is removed if you choose this resource type.                                                                                                                                                                                                                                          
# Choosing if the permission should be a read and/or write permission. One of these have to be selected or you will not be able to save changes.
# Choosing if the permission should be a read and/or write permission. One of these have to be selected or you will not be able to save changes.
# Selecting which resources that apply to the permission. The selection is made using the two tables you see in Illustration 53. To select a resource, which can be a resource group, you enter the name of the resource in the left table filter area. As you type, the table is automatically filled with resources matching the criteria. If a resource is part of a resource group the icon to the left is shown. If you hold the mouse over the resource name you will see which resource group it is part of. If you instead see the icon shown to the left, the resource is a resource group. Holding the mouse over the entry will show you which resources are part of the resource group. To select a resource, drag it over to the right table or select the resource and then press the right-arrow. To deselect a resource, drag it to the left table or press the left-arrow. There is a “Select all” option. It selects all current and future resources to which this permission should be applied.
# Selecting which resources that apply to the permission. The selection is made using the two tables you see in Illustration 53. To select a resource, which can be a resource group, you enter the name of the resource in the left table filter area. As you type, the table is automatically filled with resources matching the criteria. If a resource is part of a resource group the icon to the left is shown. If you hold the mouse over the resource name you will see which resource group it is part of. If you instead see the icon shown to the left, the resource is a resource group. Holding the mouse over the entry will show you which resources are part of the resource group. To select a resource, drag it over to the right table or select the resource and then press the right-arrow. To deselect a resource, drag it to the left table or press the left-arrow. There is a “Select all” option. It selects all current and future resources to which this permission should be applied.
# Set which kind of assignments the permission applies to. It is automatically set to have all selected but you can unselect all and selecting other assignments. This option is only availible on the assignment, monitor and module permission.
# Set what type of assignments the permission applies to. It is automatically set to have all selected but you can unselect all and selecting other assignments. This option is only availible on the '''assignment''', '''monitor''' and '''module''' permission. It corresponds to the set of available modules for a WCU.
When you are done press "Save changes" or "Reset changes" if you want to revert the changes. You can always edit the permission by selecting it getting the same dialog and change it except that you can not change what type of assignment it is.
When you are done press "Save changes" or "Reset changes" if you want to revert the changes. You can always edit the permission by selecting it in the table. The dialog described above will show  and you can make your changes, except that you can not change what type of assignment it is.


====== Changing a users roles and permissions ======
=== Changing a users roles and permissions ===
You can change a users roles under in the edit user dialog if you press the button "Edit user roles". The edit user dialog then gets extended as two boxes appear, a left one with available roles and a right one with current roles. In the left one you can search the role(s) you want and drag them to the right box or press the button pointing right. With the two buttons at the bottom corner(the paper and clipboard ones) you can copy the names of the roles and also insert the names of roles to add them.
You can change a user's roles under in the edit user dialog if you press the button "Edit user roles". The edit user dialog then gets extended as two boxes appear, a left one with available roles and a right one with current roles. In the left one you can search the role(s) you want and drag them to the right box or press the button pointing right. With the two buttons at the bottom corner(the paper and clipboard ones) you can copy the names of the roles and also insert the names of roles to add them.


You can also change a users permission to view tasks in the tasks tab. By right-clicking the permission(s) you want to change permissions one and going to "Permission" you will get the options "Show who can see assignment" and "Add who can see assignment". "Show who can see assignment" will open a window with a left and a right box where the left contains users without permission to view the assignment and the right conatins users who have permission. By moving users from the left to right and vice versa you can give or remove someones permission. You can also press the clibboard the the right bottom to copy the users who have permissions or add users by writing their name within parentheses. Users in the right box can be unselectable and that is if they have a role giving them the permission to view that assignment the only way to remove that is to remove that role from them. "Add who can see assignment" works the same way as "Show who can see assignment" except that the right box does not show users with permission so you can not remove permissions, this si so that with add you can add permissions for many assignments at the same time as the show can not show users from many assignments.
You can also change a users permission to view tasks in the tasks tab. By right-clicking the permission(s) you want to change permissions one and going to "Permission" you will get the options "Show who can see assignment" and "Add who can see assignment". "Show who can see assignment" will open a window with a left and a right box where the left contains users without permission to view the assignment and the right contains users who have permission. By moving users from the left to right and vice versa you can give or remove someones permission. You can also press the clipboard the the right bottom to copy the users who have permissions or add users by writing their name within parentheses. Users in the right box can be unselectable and that is if they have a role giving them the permission to view that assignment the only way to remove that is to remove that role from them. "Add who can see assignment" works the same way as "Show who can see assignment" except that the right box does not show users with permission so you can not remove permissions, this is so that with add you can add permissions for many assignments at the same time as the show can not show users from many assignments.
[[File:Copy user assignment permissions.png|thumb|300x300px|Illustration 54: Copy user assignment permissions dialog]]
[[File:Copy user assignment permissions.png|thumb|300x300px|Illustration 54: Copy user assignment permissions dialog]]
You can also edit a users role by searching for user(s) and right clicking on them to get a window with different options. There are five different options where the three first can be used on multiple users at the same time while the bottom two can not.
You can also edit a users role by searching for user(s) and right clicking on them to get a window with different options. There are five different options where the three first can be used on multiple users at the same time while the bottom two can not.
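Review bot: In the reworded View item of step 1, the sentence "Now the permission is actually created ... Illustration 53 shows the dialog Where you edit the permission." is dropped, so nothing introduces Illustration 53 before step 3 relies on it ("the two tables you see in Illustration 53"); consider keeping a one-line introduction after the sub-list. Also, step 1 now opens with the imperative "Select" while steps 2 and 3 still open with "Choosing" and "Selecting", and "availible" in step 4 is still misspelled in the new text.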
Line 36: Line 36:
* "Give this user permission to all assignments on Car" is quite self explanatory and is to give assignment permission on one or many cars. The dialog will look like illustration 55. In the left box you select cars and move them to the right to give permission on them, you can also as you see below the left box select a file with cars to easily select a set of cars. Then you select which types of assignments it should give permission to (leaving this empty will not give any permissions). You can also check the checkbox "Reset user permission" to replace the roles of the selected user instead of adding new to the current ones.
* "Give this user permission to all assignments on Car" is quite self explanatory and is to give assignment permission on one or many cars. The dialog will look like illustration 55. In the left box you select cars and move them to the right to give permission on them, you can also as you see below the left box select a file with cars to easily select a set of cars. Then you select which types of assignments it should give permission to (leaving this empty will not give any permissions). You can also check the checkbox "Reset user permission" to replace the roles of the selected user instead of adding new to the current ones.
* "Give this user permission to all assignments on WCU" is identical to the previous button except that it applies to WCUs instead of Cars.
* "Give this user permission to all assignments on WCU" is identical to the previous button except that it applies to WCUs instead of Cars.
=== Permission to specific assignments ===
The above text discuss permissions as they are found from the User panel. There are also a set of "implicit" permissions created when a new assignment is created, based on the assignment type permission discussed above. Let elaborate a bit on this to make it clear what is means. The use case is as follows; a user has a read assignment permission on a WCU (wcu:assignment:soh:read:awcu). A new state-of-health assignment is created on the WCU ''awcu'' while the user has this permission. Regardless of who created the assignment, the user will now be able to list this assignment in the Tasks panel and download any data produced. Later, as time goes by, the WCU is no longer used in the particular project and an administrator removes the permission wcu:assignment:soh:read:awcu from the user. When new assignments are created on this WCU our user above will not be able to see the new assignments created in the Tasks panel. However, the user will be able to see the previous assignment, i.e. when the user had the correct permission. Thus, this solution enables users to retain the permission to see historical assignments, lets call this a '''historical assignment permission'''. This type of permission cannot be seen in the permission panel. To see who has access to which '''historical assignments''' you must turn to the Task panel.
{{DEFAULTSORT:Rolas and Permissions}}
{{DEFAULTSORT:Rolas and Permissions}}
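Review bot: The new "Permission to specific assignments" paragraph says a historical assignment permission cannot be seen in the permission panel and points to the Task panel, but it does not say how that access is removed once wcu:assignment:soh:read:awcu has been taken from the user; state this explicitly, and if the "Show who can see assignment" option described under "Changing a users roles and permissions" is the place meant, refer to it by name. Minor: "Let elaborate", "what is means" and "lets call" need fixing, and the unchanged {{DEFAULTSORT:Rolas and Permissions}} line looks like a misspelling of "Roles".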

Revision as of 16:04, 24 October 2018

In order to restrict access to resources and functions in the portal, there is a framework using roles and permissions. Permissions are given on a set of resources. These permissions are grouped into roles, and roles are then attached to one or several users to be granted specific permissions.

Illustration 51: The edit roles and permissions dialog.

The “Edit roles and permission” dialog can be seen in Illustration 51. It consists of three tables. The top left table holds a list of the roles, the top right holds the user(s) for the selected role and the bottom one holds the selected role's permissions. Their size is adjustable and you can minimize them by clicking on the line between them.

You add a new role by pressing the button “Add role” and delete a role along with its permissions by pressing the red button next to it. When making a role you add a description and unique name. To edit an already existing role, double click the entry you wish to edit.

When you select a role in the top left table, the lower table shows that specific role's permissions and the upper right table shows which users have that role. The permissions table consists of two columns, a string that is the actual permission and the set of resources that apply to that permission. In the illustration to the right there is only one resource but there can be a list of resources and resource groups that the permission applies to.

Creating and editing roles and permissions

Illustration 52: Creating a new permission

To create a new permission, press the “Add permission” button. It opens the interaction depicted in Illustration 52.

Illustration 53: Editing assignment permissions
  1. Select what kind of permission you want. There are eight different permissions, seven for WCUs and one to give permission to all assignments (the assignment permission can not be modified). The permissions for WCUs are:
    1. Assignment. Controls if a user is permitted to create/see assignments of a specific type on a WCU. What this means is discussed further below in "Permission to specific assignments".
    2. Configuration. This permission controls whether you are allowed to work with a WCU's configuration.
    3. Module. The permission controls the access to individual module configurations on a WCU. An example of a module is Signal reader.
    4. Monitor. An assignment can have a monitor function to report data in real time. In order to see the real time data the user must have this permission.
    5. Plot route. To see a historic GPS track of a WCU a user must have this permission.
    6. Position. Allows a user to see a WCU's current position.
    7. View. This permission applies to the Vehicles tab. It has to do with whether you are allowed to list a WCU in the table. Selecting this subtype makes the subtype type part unnecessary, and it is therefore removed if you choose this resource type.
  2. Choose whether the permission should be a read and/or write permission. One of these has to be selected or you will not be able to save changes.
  3. Select which resources the permission applies to. The selection is made using the two tables you see in Illustration 53. To select a resource, which can be a resource group, you enter the name of the resource in the left table filter area. As you type, the table is automatically filled with resources matching the criteria. If a resource is part of a resource group the icon to the left is shown. If you hold the mouse over the resource name you will see which resource group it is part of. If you instead see the icon shown to the left, the resource is a resource group. Holding the mouse over the entry will show you which resources are part of the resource group. To select a resource, drag it over to the right table or select the resource and then press the right-arrow. To deselect a resource, drag it to the left table or press the left-arrow. There is a “Select all” option. It selects all current and future resources to which this permission should be applied.
  4. Set what type of assignments the permission applies to. It is automatically set to have all selected, but you can unselect all and select other assignments. This option is only available on the assignment, monitor and module permissions. It corresponds to the set of available modules for a WCU.

When you are done, press "Save changes", or "Reset changes" if you want to revert the changes. You can always edit the permission by selecting it in the table. The dialog described above will be shown and you can make your changes, except that you cannot change what type of assignment it is.

Changing a user's roles and permissions

You can change a user's roles in the edit user dialog by pressing the button "Edit user roles". The edit user dialog is then extended with two boxes, a left one with available roles and a right one with current roles. In the left one you can search for the role(s) you want and drag them to the right box or press the button pointing right. With the two buttons at the bottom corner (the paper and clipboard ones) you can copy the names of the roles and also insert the names of roles to add them.

You can also change a user's permission to view tasks in the tasks tab. By right-clicking the item(s) you want to change permissions on and going to "Permission" you will get the options "Show who can see assignment" and "Add who can see assignment". "Show who can see assignment" will open a window with a left and a right box, where the left contains users without permission to view the assignment and the right contains users who have permission. By moving users from the left to the right and vice versa you can give or remove someone's permission. You can also press the clipboard at the bottom right to copy the users who have permissions, or add users by writing their name within parentheses. Users in the right box can be unselectable; this is the case if they have a role giving them the permission to view that assignment, and the only way to remove it is to remove that role from them. "Add who can see assignment" works the same way as "Show who can see assignment" except that the right box does not show users with permission, so you cannot remove permissions. This is so that with "Add" you can add permissions for many assignments at the same time, since "Show" cannot show users from many assignments.

Illustration 54: Copy user assignment permissions dialog

You can also edit a user's role by searching for user(s) and right-clicking on them to get a window with different options. There are five different options, where the first three can be used on multiple users at the same time while the bottom two cannot.

  • "Add user assignment permissions to this user" will open the dialog shown in Illustration 54. With this button you take a user's assignment permissions and add them to the selected user(s). You do this by searching for and selecting a user and then pressing "OK".
  • "Replace user assignment permissions with user" will open a dialog similar to Illustration 54. This button is much like the one before, except that instead of adding permissions to the current ones it replaces the permissions that the selected user(s) have. Here you also search for the user whose permissions you want to replace, then select them and press "OK".
  • "Copy user roles to this user" will open a dialog similar to Illustration 54. Instead of replacing permissions, this button replaces the selected user(s)' roles with the roles of a user you choose. Search for the user whose roles you want to copy for replacement and press "OK".
    Illustration 55: Give permission on car dialog
  • "Give this user permission to all assignments on Car" is quite self-explanatory: it gives assignment permission on one or many cars. The dialog will look like Illustration 55. In the left box you select cars and move them to the right to give permission on them; as you see below the left box, you can also select a file with cars to easily select a set of cars. Then you select which types of assignments it should give permission to (leaving this empty will not give any permissions). You can also check the checkbox "Reset user permission" to replace the roles of the selected user instead of adding new ones to the current ones.
  • "Give this user permission to all assignments on WCU" is identical to the previous button except that it applies to WCUs instead of Cars.

Permission to specific assignments

The above text discusses permissions as they are found from the User panel. There is also a set of "implicit" permissions created when a new assignment is created, based on the assignment type permission discussed above. Let us elaborate a bit on this to make it clear what it means. The use case is as follows: a user has a read assignment permission on a WCU (wcu:assignment:soh:read:awcu). A new state-of-health assignment is created on the WCU awcu while the user has this permission. Regardless of who created the assignment, the user will now be able to list this assignment in the Tasks panel and download any data produced. Later, as time goes by, the WCU is no longer used in the particular project and an administrator removes the permission wcu:assignment:soh:read:awcu from the user. When new assignments are created on this WCU, our user above will not be able to see them in the Tasks panel. However, the user will still be able to see the previous assignment, i.e. the one created while the user had the correct permission. Thus, this solution enables users to retain the permission to see historical assignments; let's call this a historical assignment permission. This type of permission cannot be seen in the permission panel. To see who has access to which historical assignments you must turn to the Task panel.
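
The historical assignment permission described above, modelled as an added Python example for access reviews (it is not WICE portal code). `Permission`, `Portal`, the user names and the assignment ids are hypothetical, and the five-field reading of the permission string is inferred from the single example `wcu:assignment:soh:read:awcu`.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """One permission string, e.g. wcu:assignment:soh:read:awcu.

    The field order is an assumption inferred from the page's single example.
    """
    kind: str      # "wcu"
    ptype: str     # "assignment"
    subtype: str   # assignment type, e.g. "soh" (state of health)
    access: str    # "read" or "write"
    resource: str  # WCU name, e.g. "awcu"

    @classmethod
    def parse(cls, text):
        parts = text.split(":")
        if len(parts) != 5:
            raise ValueError(f"expected 5 colon-separated fields: {text!r}")
        return cls(*parts)


@dataclass
class Portal:
    """Toy model of the described behaviour, not the WICE implementation."""
    current: dict = field(default_factory=dict)      # user -> set of Permission
    assignments: dict = field(default_factory=dict)  # id -> (subtype, wcu)
    viewers: dict = field(default_factory=dict)      # id -> users fixed at creation

    def grant(self, user, text):
        self.current.setdefault(user, set()).add(Permission.parse(text))

    def revoke(self, user, text):
        self.current.get(user, set()).discard(Permission.parse(text))

    def _holds_read(self, user, subtype, wcu):
        wanted = Permission("wcu", "assignment", subtype, "read", wcu)
        return wanted in self.current.get(user, set())

    def create_assignment(self, assignment_id, subtype, wcu):
        # Implicit permission: every user holding the read permission at this
        # moment becomes a viewer, regardless of who created the assignment.
        self.assignments[assignment_id] = (subtype, wcu)
        self.viewers[assignment_id] = {
            u for u in self.current if self._holds_read(u, subtype, wcu)
        }

    def can_see(self, user, assignment_id):
        # Assumption: visibility is decided by the creation-time snapshot only;
        # the page does not say what a later grant does for older assignments.
        return user in self.viewers.get(assignment_id, set())

    def historical_only(self):
        """(user, assignment) pairs still visible after the permission is gone."""
        found = []
        for aid, (subtype, wcu) in sorted(self.assignments.items()):
            for user in sorted(self.viewers[aid]):
                if not self._holds_read(user, subtype, wcu):
                    found.append((user, aid))
        return found


def demo():
    """Replay the use case from the text with constructed users and ids."""
    portal = Portal()
    perm = "wcu:assignment:soh:read:awcu"
    portal.grant("alice", perm)
    portal.grant("bob", perm)
    portal.create_assignment("soh-001", "soh", "awcu")
    portal.revoke("alice", perm)  # the WCU leaves alice's project
    portal.create_assignment("soh-002", "soh", "awcu")
    return portal


if __name__ == "__main__":
    print(demo().historical_only())
```

`historical_only()` is the list an access review needs: access that survives the removal of a permission and that the permission panel will not show.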