View Source

What	Permissions.xml
Config group	SystemConfigFiles
Required	no
Description	Set permissions for user groups
schema location	https://fewsdocs.deltares.nl/schemas/version1.0/permissions.xsd

What	UserGroups.xml
Config group	SystemConfigFiles
Required	no
Description	Define user groups
schema location	https://fewsdocs.deltares.nl/schemas/version1.0/userGroups.xsd

General

Permissions can be added to control which user groups (and therefore which users) can see displays and nodes in the GUI:

Explorer.xml, <permission>: explorer tasks (displays), such as the Time Series Dialog or the Grid Display. Tasks will not be visible in the menus or toolbar.
Topology.xml, <viewPermission>: tasks (nodes) in the Forecast Tree
GridDisplay.xml, <viewPermission>: displays (nodes) in the Spatial Display
Filters.xml, <viewPermission>: filters (nodes) in the Data Viewer
DisplayGroups.xml, <viewPermission>: shortcuts (listed under the Star icon) in the Time Series Display
webOperatorClient.xml, <viewPermission>: components (displays) in the WebOC

Permissions can also restrict which user groups can do certain things in the GUI:

TimeSeriesDisplayConfig.xml, add and edit in the Data Editor Display of
- values, with <valueEditorPermission>
- labels, with <labelEditorPermission>
- comments, with <commentEditorPermission>
WorkflowDescriptors.xml: manipulate workflows in the Forecast Dialog and Manual Forecast Dialog.
NOTE: Permissions on workflows will be applied throughout the application, e.g. the Scenario Editor and Task Run Display.
- view, with <viewPermission>
- run, with <runPermission>
- approve, with <approvePermission>
- delete and change expiry times, with <deletePermission>
ScenarioEditor.xml: create, edit, delete, persist and run scenarios in the scenario editor window

Configuration of permissions

You need to configure at least 3 files to set-up permissions:

Define <userGroup> (1 or multiple) in SystemConfigFiles/UserGroups.xml and assign them <user> IDs.
- userGroups can be nested
- Alternatively, you can assign users to userGroups in the Admin Interface: Users#EditUser
Define <permission> (1 or multiple) in SystemConfigFiles/Permissions.xml and assign them 1 or multiple <userGroup> IDs.
Include permission configuration in any or all of the above listed configuration files, using the <permission> IDs.

Note: to disable permissions in a Stand Alone (e.g. the WaterCoach), simply remove/rename Permissions.xml and UserGroups.xml.
With these files missing, Delft-FEWS will lift all restrictions related to viewPermissions. You can ignore any warnings regarding configured viewPermissions.

Note: you can integrate the userGroups and Permissions configuration with Open ID: FEWS Web Services Security with Open ID Connect

Permissions.xml

When available on the file system, the name of the XML file is Permissions.xml

DELFT-FEWS Documentation > 07 Permissions > fig3.png
Figure 3 Elements in the Permissions configuration

Permission

Unique name of the permission

userGroup

Id of each userGroup that is granted the given permission

<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
	<permission id="AllowDataEditor">
		<userGroup id="Hydroloog"/>
		<userGroup id="Veldmedewerker"/>
	</permission>
	<permission id="AllowManualForecast">
		<userGroup id="Hydroloog"/>
	</permission>
	<permission id="AllowLabelEditor">
		<userGroup id="Hydroloog"/>
	</permission>
	<permission id="AllowCommentEditor">
		<userGroup id="Hydroloog"/>
		<userGroup id="Veldmedewerker"/>
	</permission>
	<permission id="AllowValueEditor">
		<userGroup id="Hydroloog"/>
	</permission>
</permissions>

With the enabled attribute you can make a permission only available for certain globalProperties.xml/clientConfig.xml (OC/Webservice)

<?xml version="1.0" encoding="UTF-8"?>
<permissions xmlns=".....">
	<permission id="FEWS_SA" enabled="$PROP_SA$">
		<userGroup id="OC_DataEditor"/>
		<userGroup id="OC_Forecaster"/>
		<userGroup id="OC_SuperUser"/>
		<userGroup id="OC_Configurator"/>
	</permission
<permissions xmlns=".....">

userGroups.xml

When available on the file system, the name of the XML file is Usergroups.xml.

DELFT-FEWS Documentation > 07 Permissions > fig4.png
Figure 4 Elements in the Usergroups configuration

userGroup

Base tag for a userGroup configure one for each user group. A userGroup can contain three types of sub-items:

user: id of the user that is executing the process
userGroup: a reference a different userGroup. UserGroup's can be nested.
systemUserGroup: a fully qualified domain user or domain group. If the executing user is member of the specified system user group then the permissions assigned to this group are applied.

User

id of the user that belongs to the userGroup. Users can be placed in multiple userGroups.

<?xml version="1.0" encoding="UTF-8"?>
<userGroups xmlns="....">
  <userGroup id="Veldmedewerker">
    <user id="Stephan Zuiderwijk" />
    <user id="Marc van Dijk"/>
  </userGroup>
  <userGroup id="Hydroloog">
    <user id="Toon van Peel"/>
  </userGroup>
  <userGroup id="SystemUsers">
    <systemUserGroup id="DOMAIN\userid"/>
  </userGroup>
</userGroups>

Explorer.xml

.... 		<explorerTask name="Forecast Management">
			<predefinedDisplay>forecast management</predefinedDisplay>
			<toolbarTask>true</toolbarTask>
			<menubarTask>true</menubarTask>
			<accelerator>ctrl F</accelerator>
    		<permission>AllowDataForecasting</permission> 
		</explorerTask>
....

TimeSeriesDisplayConfig.xml

....
	<generalDisplayConfig>
		<convertDatum>true</convertDatum>
		<valueEditorPermission>AllowValueEditor</valueEditorPermission>
		<labelEditorPermission>AllowLabelEditor</labelEditorPermission>
		<commentEditorPermission>AllowCommentEditor</commentEditorPermission>
	</generalDisplayConfig>
....