What                Permissions.xml
Config group        SystemConfigFiles
Required            no
Description         Set permissions for user groups
Schema location     https://fewsdocs.deltares.nl/schemas/version1.0/permissions.xsd

What                UserGroups.xml
Config group        SystemConfigFiles
Required            no
Description         Define user groups
Schema location     https://fewsdocs.deltares.nl/schemas/version1.0/userGroups.xsd

General

Permissions can be added to the FEWS configuration to control which user groups (and therefore which users) can see displays and nodes in the GUI:

  • Explorer.xml, <permission>: explorer tasks (displays), such as the Time Series Dialog or the Grid Display. Tasks will not be visible in the menus or toolbar for users who do not have the right permissions.
  • Topology.xml, <viewPermission>: tasks (nodes) in the Forecast Tree
  • GridDisplay.xml, <viewPermission>: displays (nodes) in the Spatial Display
  • Filters.xml, <viewPermission>: filters (nodes) in the Data Viewer
  • DisplayGroups.xml, <viewPermission>: shortcuts (listed under the Star icon) in the Time Series Display
  • webOperatorClient.xml, <viewPermission>: components (displays) in the WebOC

Permissions can also restrict which user groups can do certain things in the GUI:

  • TimeSeriesDisplayConfig.xml, add and edit in the Data Editor Display of
    • values, with <valueEditorPermission>
    • labels, with <labelEditorPermission>
    • comments, with <commentEditorPermission>
  • WorkflowDescriptors.xml: manipulate workflows in the Forecast Dialog and Manual Forecast Dialog.
    NOTE: Permissions on workflows will be applied throughout the application, e.g. the Scenario Editor and Task Run Display. Scenarios based on hidden or non-runnable workflows are not shown in the Scenario Editor.
    • view, with <viewPermission>
    • run, with <runPermission>
    • approve, with <approvePermission>
    • delete, with <deletePermission> (deleting forecasts and changing expiry times of forecasts in the Forecast Dialog)
  • ScenarioEditor.xml: create, edit, delete, persist and run scenarios in the scenario editor window

Configuration of permissions

You need to configure at least 3 files to set up permissions:

  • Define <userGroup> (1 or multiple) in SystemConfigFiles/UserGroups.xml and assign them <user> IDs.
    • userGroups can be nested
    • Alternatively, you can assign users to userGroups in the Admin Interface: Users#EditUser
  • Define <permission> (1 or multiple) in SystemConfigFiles/Permissions.xml and assign them 1 or multiple <userGroup> IDs.
  • Include permission configuration in any or all of the above listed configuration files, using the <permission> IDs.


Disable permissions (Stand Alone)

Note: to disable permissions in a Stand Alone (e.g. the WaterCoach), simply remove/rename Permissions.xml and UserGroups.xml.
With these files missing, Delft-FEWS will lift all restrictions related to viewPermissions. You can ignore any warnings regarding configured viewPermissions.


FEWS Web Services Security with Open ID Connect

Note: you can integrate the userGroups and Permissions configuration with Open ID: FEWS Web Services Security with Open ID Connect


Permissions.xml

...

When available on the file system, the name of the XML file is for example:      Permissions 1.00 default.xml

      Permissions                             Fixed file name for the permissions configuration

      1.00                                        Version number

      default                                     Flag to indicate the version is the default configuration (otherwise omitted).


Figure 3 Elements in the Permissions configuration

Permission

Unique name of the permission

userGroup

Id of each userGroup that is granted the given permission

Permissions 1.00 default.xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
	<permission id="AllowDataEditor">
		<userGroup id="Hydroloog"/>
		<userGroup id="Veldmedewerker"/>
	</permission>
	<permission id="AllowManualForecast">
		<userGroup id="Hydroloog"/>
	</permission>
	<permission id="AllowLabelEditor">
		<userGroup id="Hydroloog"/>
	</permission>
	<permission id="AllowCommentEditor">
		<userGroup id="Hydroloog"/>
		<userGroup id="Veldmedewerker"/>
	</permission>
	<permission id="AllowValueEditor">
		<userGroup id="Hydroloog"/>
	</permission>
</permissions>

With the enabled attribute you can make a permission available only for certain globalProperties.xml/clientConfig.xml configurations (OC/Webservice), for example through a property such as $PROP_SA$:

Permissions 1.00 default.xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
	<permission id="FEWS_SA" enabled="$PROP_SA$">
		<userGroup id="OC_DataEditor"/>
		<userGroup id="OC_Forecaster"/>
		<userGroup id="OC_SuperUser"/>
		<userGroup id="OC_Configurator"/>
	</permission>
</permissions>

userGroups.xml

...

When available on the file system, the name of the XML file is for example:      Usergroups 1.00 default.xml

      Usergroups                             Fixed file name for the user group configuration

      1.00                                        Version number

      default                                     Flag to indicate the version is the default configuration (otherwise omitted).

Figure 4 Elements in the Usergroups configuration


userGroup

Base tag for a userGroup; configure one for each user group. A userGroup can contain three types of sub-items:

  • user: id of the user that is executing the process
  • userGroup: a reference to a different userGroup. UserGroups can be nested.
  • systemUserGroup: a fully qualified domain user or domain group. If the executing user is member of the specified system user group then the permissions assigned to this group are applied.

User

Id of the user that belongs to the userGroup. Users can be placed in multiple userGroups.

UserGroups 1.00 default.xml
<?xml version="1.0" encoding="UTF-8"?>
<userGroups xmlns="....">
  <userGroup id="Veldmedewerker">
    <user id="Stephan Zuiderwijk" />
    <user id="Marc van Dijk"/>
  </userGroup>
  <userGroup id="Hydroloog">
    <user id="Toon van Peel"/>
  </userGroup>
  <userGroup id="SystemUsers">
    <systemUserGroup id="DOMAIN\userid"/>
  </userGroup>
</userGroups>
...

Explorer.xml

Explorer 1.00 default.xml
....
		<explorerTask name="Forecast Management">
			<predefinedDisplay>forecast management</predefinedDisplay>
			<toolbarTask>true</toolbarTask>
			<menubarTask>true</menubarTask>
			<accelerator>ctrl F</accelerator>
			<permission>AllowDataForecasting</permission>
		</explorerTask>
....

TimeSeriesDisplayConfig.xml

TimeSeriesDisplayConfig 1.00 default.xml
....
	<generalDisplayConfig>
		<convertDatum>true</convertDatum>
		<valueEditorPermission>AllowValueEditor</valueEditorPermission>
		<labelEditorPermission>AllowLabelEditor</labelEditorPermission>
		<commentEditorPermission>AllowCommentEditor</commentEditorPermission>
	</generalDisplayConfig>
....
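
Because a permission only takes effect when the three files described under "Configuration of permissions" agree with each other, a cross-check of the ids is a useful review step. The following is an added example, not Delft-FEWS code: it runs on constructed samples, the function names are hypothetical, and it assumes a nested group is written as a child <userGroup id="..."/> element whose members also count as members of the enclosing group.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's examples (namespace omitted).
# "Hydrolog" is a deliberate typo; AllowLabelEditor is deliberately left undefined.
# Assumption: a nested group is a child <userGroup id="..."/> reference.
USER_GROUPS_XML = """<userGroups>
  <userGroup id="Veldmedewerker"><user id="Marc van Dijk"/></userGroup>
  <userGroup id="Hydroloog"><user id="Toon van Peel"/><userGroup id="Veldmedewerker"/></userGroup>
</userGroups>"""
PERMISSIONS_XML = """<permissions>
  <permission id="AllowDataEditor"><userGroup id="Hydroloog"/><userGroup id="Veldmedewerker"/></permission>
  <permission id="AllowValueEditor"><userGroup id="Hydrolog"/></permission>
</permissions>"""
DISPLAY_CONFIG_XML = """<generalDisplayConfig>
  <valueEditorPermission>AllowValueEditor</valueEditorPermission>
  <labelEditorPermission>AllowLabelEditor</labelEditorPermission>
</generalDisplayConfig>"""

def local(tag):
    """Element name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def load_groups(xml):
    """Map userGroup id -> (direct user ids, nested userGroup ids)."""
    return {g.get("id"): ({c.get("id") for c in g if local(c.tag) == "user"},
                          {c.get("id") for c in g if local(c.tag) == "userGroup"})
            for g in ET.fromstring(xml)}

def members(groups, gid, seen=None):
    """Users of a group including nested groups; `seen` stops reference cycles."""
    seen = set() if seen is None else seen
    if gid in seen or gid not in groups:
        return set()
    seen.add(gid)
    users, nested = groups[gid]
    return users.union(*(members(groups, n, seen) for n in nested))

def audit(groups_xml, permissions_xml, config_xml):
    """Cross-check the three files and resolve each permission to user ids."""
    groups = load_groups(groups_xml)
    perms = {p.get("id"): [g.get("id") for g in p]
             for p in ET.fromstring(permissions_xml)}
    used = {e.text.strip() for e in ET.fromstring(config_xml).iter()
            if local(e.tag).lower().endswith("permission") and e.text}
    granted = {g for gs in perms.values() for g in gs}
    return {"undefined_permissions": sorted(used - set(perms)),
            "undefined_groups": sorted(granted - set(groups)),
            "effective_users": {p: sorted(set().union(*(members(groups, g) for g in gs)))
                                for p, gs in perms.items()}}
```

Calling audit(USER_GROUPS_XML, PERMISSIONS_XML, DISPLAY_CONFIG_XML) reports the permission name that no Permissions.xml entry defines, the group id that no userGroup defines, and the user ids each permission resolves to.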

...