General
Permissions can be added to the FEWS configuration to control which user groups can access Explorer tasks, Data Editor functions, Filters, etc. Permissions can optionally be configured in the following configuration files:
- Explorer.xml
  - Use of the data editor window
  - Running forecasts
- TimeSeriesDisplayConfig.xml
  - Add/Edit values in the data editor window
  - Add/Edit labels in the data editor window
  - Add/Edit comments in the data editor window
Permissions are to be configured as follows:
- Configure optional permission names in any of the configuration files described above.
- Create the permissions in the permissions configuration file (Permissions 1.00 default.xml) and configure the usergroup names which should have access to the permissions.
- Create the usergroups in the usergroup configuration file (Usergroups 1.00 default.xml) and assign them user names.
Configure optional permission names
This can be achieved by adding the optional permission tag to the configuration and giving it a self-describing name.
Permissions control which user groups (and therefore which users) can see displays and nodes in the GUI:
- Explorer.xml, <permission>: explorer tasks (displays), such as the Time Series Dialog or the Grid Display. Tasks will not be visible in the menus or toolbar.
- Topology.xml, <viewPermission>: tasks (nodes) in the Forecast Tree
- GridDisplay.xml, <viewPermission>: displays (nodes) in the Spatial Display
- Filters.xml, <viewPermission>: filters (nodes) in the Data Viewer
- DisplayGroups.xml, <viewPermission>: shortcuts (listed under the Star icon) in the Time Series Display
- webOperatorClient.xml, <viewPermission>: components (displays) in the WebOC
Permissions can also restrict which user groups can do certain things in the GUI:
- TimeSeriesDisplayConfig.xml, add and edit in the Data Editor Display of
  - values, with <valueEditorPermission>
  - labels, with <labelEditorPermission>
  - comments, with <commentEditorPermission>
- WorkflowDescriptors.xml: manipulate workflows in the Forecast Dialog and Manual Forecast Dialog.
  NOTE: Permissions on workflows will be applied throughout the application, e.g. the Scenario Editor and Task Run Display.
  - view, with <viewPermission>
  - run, with <runPermission>
  - approve, with <approvePermission>
  - delete and change expiry times, with <deletePermission>
- ScenarioEditor.xml: create, edit, delete, persist and run scenarios in the scenario editor window
Configuration of permissions
You need to configure at least 3 files to set up permissions:
- Define <userGroup> (1 or multiple) in SystemConfigFiles/UserGroups.xml and assign them <user> IDs.
  - userGroups can be nested
  - Alternatively, you can assign users to userGroups in the Admin Interface: Users#EditUser
- Define <permission> (1 or multiple) in SystemConfigFiles/Permissions.xml and assign them 1 or multiple <userGroup> IDs.
- Include permission configuration in any or all of the above listed configuration files, using the <permission> IDs.
Note: to disable permissions in a Stand Alone (e.g. the WaterCoach), simply remove/rename Permissions.xml and UserGroups.xml.
Note: you can integrate the userGroups and Permissions configuration with Open ID: FEWS Web Services Security with Open ID Connect
Permissions.xml
When available on the file system, the name of the XML file is for example: Permissions 1.00 default.xml
- Permissions: fixed file name for the permissions configuration
- 1.00: version number
- default: flag to indicate the version is the default configuration (otherwise omitted).
Figure 3 Elements in the Permissions configuration
Permission
Unique name of the permission
userGroup
Id of each userGroup that is granted the given permission
```xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
    <permission id="AllowDataEditor">
        <userGroup id="Hydroloog"/>
        <userGroup id="Veldmedewerker"/>
    </permission>
    <permission id="AllowManualForecast">
        <userGroup id="Hydroloog"/>
    </permission>
    <permission id="AllowLabelEditor">
        <userGroup id="Hydroloog"/>
    </permission>
    <permission id="AllowCommentEditor">
        <userGroup id="Hydroloog"/>
        <userGroup id="Veldmedewerker"/>
    </permission>
    <permission id="AllowValueEditor">
        <userGroup id="Hydroloog"/>
    </permission>
</permissions>
```
With the enabled attribute you can make a permission available only for certain globalProperties.xml/clientConfig.xml (OC/Webservice).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
    <permission id="FEWS_SA" enabled="$PROP_SA$">
        <userGroup id="OC_DataEditor"/>
        <userGroup id="OC_Forecaster"/>
        <userGroup id="OC_SuperUser"/>
        <userGroup id="OC_Configurator"/>
    </permission>
</permissions>
```
userGroups.xml
When available on the file system, the name of the XML file is for example: Usergroups 1.00 default.xml
- Usergroups: fixed file name for the user group configuration
- 1.00: version number
- default: flag to indicate the version is the default configuration (otherwise omitted).
Figure 4 Elements in the Usergroups configuration
userGroup
Base tag for a userGroup; configure one for each user group. A userGroup can contain three types of sub-items:
- user: id of the user that is executing the process
- userGroup: a reference to a different userGroup. UserGroups can be nested.
- systemUserGroup: a fully qualified domain user or domain group. If the executing user is a member of the specified system user group, then the permissions assigned to this group are applied.
User
id of the user that belongs to the userGroup. Users can be placed in multiple userGroups.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<userGroups xmlns="....">
    <userGroup id="Veldmedewerker">
        <user id="Stephan Zuiderwijk"/>
        <user id="Marc van Dijk"/>
    </userGroup>
    <userGroup id="Hydroloog">
        <user id="Toon van Peel"/>
    </userGroup>
    <userGroup id="SystemUsers">
        <systemUserGroup id="DOMAIN\userid"/>
    </userGroup>
</userGroups>
```
Explorer.xml
```xml
....
<explorerTask name="Data Editor">
    <iconFile>%FEWSDIR%/icons/table.gif</iconFile>
    <mnemonic>E</mnemonic>
    <arguments>table</arguments>
    <taskClass>nl.wldelft.fews.gui.plugin.timeseries.TimeSeriesDialog</taskClass>
    <toolbarTask>false</toolbarTask>
    <menubarTask>true</menubarTask>
    <accelerator>ctrl E</accelerator>
    <permission>AllowDataEditor</permission>
</explorerTask>
<explorerTask name="Forecast Management">
    <iconFile>%FEWSDIR%/icons/table.gif</iconFile>
    <mnemonic>E</mnemonic>
    <predefinedDisplay>forecast management</predefinedDisplay>
    <toolbarTask>true</toolbarTask>
    <menubarTask>true</menubarTask>
    <accelerator>ctrl F</accelerator>
    <permission>AllowDataForecasting</permission>
</explorerTask>
....
```
TimeSeriesDisplayConfig.xml
```xml
....
<generalDisplayConfig>
    <convertDatum>true</convertDatum>
    <valueEditorPermission>AllowValueEditor</valueEditorPermission>
    <labelEditorPermission>AllowLabelEditor</labelEditorPermission>
    <commentEditorPermission>AllowCommentEditor</commentEditorPermission>
</generalDisplayConfig>
....
```
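Added example (not part of the FEWS documentation or code base): a Python review script that cross-checks the files described on this page, resolving nested userGroups to the users each permission reaches and reporting userGroup ids missing from UserGroups.xml and permission names used in display configuration but missing from Permissions.xml. It assumes a nested group is written as a `<userGroup id="..."/>` child whose members then belong to the outer group; the sample XML, the user ids and the `Senior` and `Forecaster` groups are constructed, and systemUserGroup entries (domain groups) are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample files modelled on the page's examples (user ids invented).
PERMISSIONS = """<permissions xmlns=".....">
  <permission id="AllowDataEditor"><userGroup id="Hydroloog"/><userGroup id="Veldmedewerker"/></permission>
  <permission id="AllowValueEditor"><userGroup id="Hydroloog"/></permission>
  <permission id="AllowManualForecast"><userGroup id="Forecaster"/></permission>
</permissions>"""
USERGROUPS = """<userGroups xmlns=".....">
  <userGroup id="Veldmedewerker"><user id="field1"/><user id="field2"/></userGroup>
  <userGroup id="Hydroloog"><user id="hydro1"/><userGroup id="Senior"/></userGroup>
  <userGroup id="Senior"><user id="chief"/><userGroup id="Hydroloog"/></userGroup>
</userGroups>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix ElementTree adds

def load_groups(xml_text):
    """userGroup id -> (direct user ids, nested userGroup ids)."""
    # Assumption: top-level elements define groups, child <userGroup id=".."/> are references.
    groups = {}
    for el in ET.fromstring(xml_text):
        if local(el.tag) == "userGroup":
            users = {c.get("id") for c in el if local(c.tag) == "user"}
            nested = {c.get("id") for c in el if local(c.tag) == "userGroup"}
            groups[el.get("id")] = (users, nested)
    return groups

def members(gid, groups, seen=None):
    """All users reachable from a group through nested groups; 'seen' stops cycles."""
    seen = set() if seen is None else seen
    if gid in seen or gid not in groups:
        return set()
    seen.add(gid)
    users, nested = groups[gid]
    return users.union(*(members(n, groups, seen) for n in nested))

def audit(permissions_xml, usergroups_xml, referenced):
    """Return (users per permission, undefined userGroup ids, undefined permission names)."""
    groups = load_groups(usergroups_xml)
    effective, missing_groups = {}, set()
    for perm in ET.fromstring(permissions_xml):
        if local(perm.tag) != "permission":
            continue
        gids = [g.get("id") for g in perm if local(g.tag) == "userGroup"]
        missing_groups.update(g for g in gids if g not in groups)
        effective[perm.get("id")] = set().union(*(members(g, groups) for g in gids))
    return effective, missing_groups, set(referenced) - set(effective)

if __name__ == "__main__":
    print(audit(PERMISSIONS, USERGROUPS, ["AllowDataEditor", "AllowDataForecasting"]))
```

Pass as `referenced` the permission names collected from Explorer.xml, TimeSeriesDisplayConfig.xml and the other display configuration files; a name that comes back as undefined should be checked against Permissions.xml before deployment.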