
General

Permissions can be added to control which user groups (and therefore which users) can see displays and nodes in the GUI:

  • Explorer.xml, <permission>: explorer tasks (displays), such as the Time Series Dialog or the Grid Display. Tasks will not be visible in the menus or toolbar.
  • Topology.xml, <viewPermission>: tasks (nodes) in the Forecast Tree
  • GridDisplay.xml, <viewPermission>: displays (nodes) in the Spatial Display
  • Filters.xml, <viewPermission>: filters (nodes) in the Data Viewer
  • DisplayGroups.xml, <viewPermission>: shortcuts (listed under the Star icon) in the Time Series Display 
  • webOperatorClient.xml, <viewPermission>: components (displays) in the WebOC

Permissions can also restrict which user groups can do certain things in the GUI:

  • TimeSeriesDisplayConfig.xml, add and edit in the Data Editor Display of
    • values, with <valueEditorPermission>
    • labels, with <labelEditorPermission>
    • comments, with <commentEditorPermission>
  • WorkflowDescriptors.xml: manipulate workflows in the Forecast Dialog and Manual Forecast Dialog.
    NOTE: Permissions on workflows will be applied throughout the application, e.g. the Scenario Editor and Task Run Display. 
    • view, with <viewPermission>
    • run, with <runPermission>
    • approve, with <approvePermission>
    • delete and change expiry times, with <deletePermission>
  • ScenarioEditor.xml: create, edit, delete, persist and run scenarios in the scenario editor window

...

You need to configure at least 3 files to set up permissions:

  • Define one or more <userGroup>'s in SystemConfigFiles/UserGroups.xml and assign them <user> IDs.
    • userGroups can be nested
    • Alternatively, you can assign users to userGroups in the Admin Interface: Users#EditUser
  • Define one or more <permission>'s in SystemConfigFiles/Permissions.xml and assign them 1 or multiple <userGroup> IDs.
  • Include permission configuration in any or all of the above listed configuration files, using the <permission> IDs.


Info
Disable permissions (Stand Alone)

Note: if you want to disable permissions in a Stand Alone version (for example in a WaterCoach application), you can simply remove or rename the Permissions.xml and UserGroups.xml files. With these files missing, Delft-FEWS will lift all restrictions related to viewPermissions. This will result in warnings where you have configured viewPermissions; you can ignore these warnings.
This work-around only works in a Stand Alone application. In the live system you cannot (and should not want to) remove these files locally, since they are stored and managed in the Central Database.


Info
FEWS Web Services Security with Open ID Connect

Note: you can integrate the userGroups and Permissions configuration with Open ID: FEWS Web Services Security with Open ID Connect


Permissions.xml

When available on the file system, the name of the XML file is Permissions.xml

...

Unique name of the permission

...

userGroup

Id of each userGroup that is granted the given permission

Permissions 1.00 default.xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
	<permission id="AllowDataEditor">
		<userGroup id="Hydroloog"/>
		<userGroup id="Veldmedewerker"/>
	</permission>
	<permission id="AllowManualForecast">
		<userGroup id="Hydroloog"/>
	</permission>
	<permission id="AllowLabelEditor">
		<userGroup id="Hydroloog"/>
	</permission>
	<permission id="AllowCommentEditor">
		<userGroup id="Hydroloog"/>
		<userGroup id="Veldmedewerker"/>
	</permission>
	<permission id="AllowValueEditor">
		<userGroup id="Hydroloog"/>
	</permission>
</permissions>


With the enabled attribute you can make a permission available only for certain globalProperties.xml/clientConfig.xml configurations (OC/Webservice):

Permissions 1.00 default.xml
<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
	<permission id="FEWS_SA" enabled="$PROP_SA$">
		<userGroup id="OC_DataEditor"/>
		<userGroup id="OC_Forecaster"/>
		<userGroup id="OC_SuperUser"/>
		<userGroup id="OC_Configurator"/>
	</permission>
</permissions>

UserGroups.xml

When available on the file system, the name of the XML file is UserGroups.xml.


Figure 4 Elements in the Usergroups configuration


userGroup

Base tag for a userGroup; configure one for each user group. A userGroup can contain three types of sub-items:

...

UserGroups 1.00 default.xml
<?xml version="1.0" encoding="UTF-8"?>
<userGroups xmlns="....">
  <userGroup id="Veldmedewerker">
    <user id="Stephan Zuiderwijk" />
    <user id="Marc van Dijk"/>
  </userGroup>
  <userGroup id="Hydroloog">
    <user id="Toon van Peel"/>
  </userGroup>
  <userGroup id="SystemUsers">
    <systemUserGroup id="DOMAIN\userid"/>
  </userGroup>
</userGroups>

Examples of permissions in the configuration

...

Explorer.xml

Explorer 1.00 default.xml
....
		<explorerTask name="Forecast Management">
			<predefinedDisplay>forecast management</predefinedDisplay>
			<toolbarTask>true</toolbarTask>
			<menubarTask>true</menubarTask>
			<accelerator>ctrl F</accelerator>
			<permission>AllowDataForecasting</permission>
		</explorerTask>
....

...

TimeSeriesDisplayConfig.xml

TimeSeriesDisplayConfig 1.00 default.xml
....
	<generalDisplayConfig>
		<convertDatum>true</convertDatum>
		<valueEditorPermission>AllowValueEditor</valueEditorPermission>
		<labelEditorPermission>AllowLabelEditor</labelEditorPermission>
		<commentEditorPermission>AllowCommentEditor</commentEditorPermission>
	</generalDisplayConfig>
....
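
A cross-file check for the three-file setup described above, added here as an example and not part of the Delft-FEWS documentation or tooling: it reports permission IDs used in configuration files that Permissions.xml does not define (as with AllowDataForecasting in the Explorer.xml snippet versus the Permissions.xml example) and userGroup IDs in Permissions.xml that UserGroups.xml does not define. The sample documents are constructed, omit the elided xmlns, use assumed root element names, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets on this page (xmlns omitted,
# root element names assumed). "Veldmedewerkers" is a deliberate misspelling.
USER_GROUPS = """<userGroups>
  <userGroup id="Veldmedewerker"><user id="Marc van Dijk"/></userGroup>
  <userGroup id="Hydroloog"><user id="Toon van Peel"/></userGroup>
</userGroups>"""
PERMISSIONS = """<permissions>
  <permission id="AllowValueEditor"><userGroup id="Hydroloog"/></permission>
  <permission id="AllowCommentEditor">
    <userGroup id="Hydroloog"/><userGroup id="Veldmedewerkers"/>
  </permission>
</permissions>"""
CONFIG_FILES = {
    "Explorer.xml": """<explorer><explorerTask name="Forecast Management">
      <permission>AllowDataForecasting</permission></explorerTask></explorer>""",
    "TimeSeriesDisplayConfig.xml": """<timeSeriesDisplayConfig><generalDisplayConfig>
      <valueEditorPermission>AllowValueEditor</valueEditorPermission>
      </generalDisplayConfig></timeSeriesDisplayConfig>""",
}

def local(tag):
    """Element name without a '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def ids(xml_text, element):
    """id attributes of every <element> in the document, at any depth."""
    return {e.get("id") for e in ET.fromstring(xml_text).iter()
            if local(e.tag) == element and e.get("id")}

def referenced_permissions(xml_text):
    """Text of <permission> and of every <...Permission> element."""
    return {e.text.strip() for e in ET.fromstring(xml_text).iter()
            if local(e.tag).lower().endswith("permission") and (e.text or "").strip()}

def audit(user_groups_xml, permissions_xml, config_files):
    """Return sorted (file, problem, id) findings for references that do not resolve."""
    findings = [("Permissions.xml", "undefined userGroup", g)
                for g in ids(permissions_xml, "userGroup") - ids(user_groups_xml, "userGroup")]
    defined = ids(permissions_xml, "permission")
    for name, text in config_files.items():
        findings += [(name, "undefined permission", p)
                     for p in referenced_permissions(text) - defined]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(USER_GROUPS, PERMISSIONS, CONFIG_FILES):
        print(*finding, sep=": ")
```
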

...