Roles can be regarded as distinct tasks or activities of an application. They are defined during development, as it requires detailed knowledge of the application's functionality.
It is important for the developer to closely assess the tasks or activities, so that there is as little overlap in rights between different roles as possible. Furthermore, the nomenclature of the roles must be clear for the IAM administrators responsible for setting up the authorization of an application. They have no knowledge of the functionality and therefore have to deduce the purpose of the roles from the role name and description.
Roles are often named after the corresponding activity, such as Approve hours or Report a ticket.
Roles can be added or modified using the Roles screen.
To create a new role, click the Add button on the Role's tab page. Add a name and description to the role and click Save.
Only use the All rights option for the administrator role. All other roles should provide a minimum set of rights required for the corresponding task or feature.
Create a role
Once a role has been created, it can be configured using the tab pages on the right.
To assign rights to a role, select the required objects and click the Assign rights task. Select a preset or check the rights you want to assign to the object.
The Assign rights task also provides the option to assign rights to any child objects, for example the columns and details of a table, and to the parent objects required for this object, for example a task for its task parameters.
Assign rights task
The Available checkbox, visible in the grid for certain objects, indicates if the required rights are granted to the parent objects of the selected object.
Hidden, read-only, full rights or unauthorized
The colored icons indicate the resolved rights of an object, based on the granted rights and the availability.
- Full rights (editable): the user has full rights to see, add, edit and delete data in the column.
- Read-only: the user can see the data but has no rights to add, edit or delete data in the column.
- Visually hidden: the user can't see the data in the user interface, which is quite safe, but in some cases the data might still be approached through Indicium.
- Unauthorized (no rights): the data is unknown to the user interface and any API, so it's impossible for the user to see the data or to approach the column through Indicium. This is the safest option when it comes to data security in general and to protect sensitive data in accordance with GDPR laws.
To get a better understanding of the Effective access type, select the row and press the Explain the effective access type task .
To fully anonymize data, see: Data sensitivity.
Full rights, read-only and hidden can be applied by combining two settings. The first is the Column type in the data model (menu Data - Data model - tab Tables - tab Columns). The second is the Access type (menu Access control - Roles - tab Tables/Reports/Tasks).
For columns, the option Unauthorized is set automatically by the Software Factory. It also combines the Column type and Access type to decide whether a column is unauthorized: if either the Column type or the Access type is hidden, the column will automatically get 'Unauthorized' as Effective access type.
Unauthorized task and report parameters
The same applies to task and report parameters. The first setting the Software Factory uses is the Column type used in the Task parameter or Report parameter (menu Processes - Tasks/Reports - tab Task parameters/Report parameters). The second setting is the parameter's Access type (menu Access control - Roles - tab Tasks/Reports - tab Task parameters/Report parameters). If either the Column type in a task or report parameter or the Access type applied to the task or report parameter is hidden, the column will automatically get 'Unauthorized' as Effective access type.
Unauthorized report parameter
Exceptions (never unauthorized)
There are a few exceptions to these rules however. In some instances a column will never be unauthorized but only hidden because making data unauthorized would break the user interface:
- A role is an administrator role with All rights assigned to it.
- A column is used as a primary key.
- A column is used as the primary look-up display column.
- A column is used as a conditional layout target.
- A column is used as a conditional layout condition.
- A column is used by any extender in any way, shape or form.
- A column is used in a tree for grouping (parent or child), display or icon (base or variant).
- A column is used in default sorting of a variant default sorting.
- A column is used by another column in the same role as look-up display field.
- A column is used by a granted cube field in the same role.