WebOffice usermanagement Rights
The WebOffice usermanagement rights repository supports two approaches for implementing role-based access rights:
•Rights inheritance
•Rights aggregation
You may either use the first or the second approach.
Mixing both approaches is not recommended, because it then becomes hard for administrators to check effective user rights.
Additionally, some properties lead to a choice of role if the user is a member of multiple groups. See the bottom of the chapter for details.
Rights Inheritance
A user group may have a parent group. The user group will inherit rights (e.g. group rights for projects) and restrictions from its parent group.
Rights Aggregation
A user may have multiple roles, that is, be a member of multiple user groups. The rights of the individual roles are then aggregated (using a logical OR operator).
In order to understand the rights aggregation of WebOffice usermanagement, it is important to understand that there are 3 statuses:
A. Restriction with defined restriction rules
B. Restriction with NO restriction rules = right
C. No restriction
If a user is a member of several groups, the rights aggregation works like this:
A+A=A
A+B=B
A+C=A
B+C=B
A+B+C=B
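The aggregation table above can be used to audit a user's effective layer rights across several groups. The following sketch is an added example, not WebOffice code: the names `Status`, `aggregate` and `effective_layer_rights` and the sample data are hypothetical, and the handling of A+A (a function stays blocked only if every restricting group blocks it) is an assumption derived from the logical OR described above.

```python
from enum import Enum

class Status(Enum):
    A = "restriction with defined restriction rules"
    B = "restriction with NO restriction rules = right"
    C = "no restriction"

# Layer functions named in the layer examples of this chapter.
ALL_FUNCS = frozenset({"display", "select/identify", "search", "edit"})

# Constructed sample: group -> layer -> (status, restricted functions).
# Layers missing for a group are treated as status C (assumption).
GROUP_LAYER_RULES = {
    "Users": {
        "Points of Interest (Edit)": (Status.A, ALL_FUNCS),
        "Properties (Edit)": (Status.A, ALL_FUNCS),
    },
    "Editors": {"Properties (Edit)": (Status.B, frozenset())},
}

def aggregate(entries):
    """Combine the (status, restricted functions) pairs of one layer."""
    statuses = {status for status, _ in entries}
    if Status.B in statuses:   # A+B=B, B+C=B, A+B+C=B
        return Status.B, frozenset()
    if Status.A in statuses:   # A+A=A, A+C=A
        # Assumption: rights are OR-ed, so a function stays blocked
        # only when every group with status A blocks it.
        sets = [blocked for status, blocked in entries if status is Status.A]
        return Status.A, frozenset.intersection(*sets)
    return Status.C, frozenset()   # only C entries (or no groups)

def effective_layer_rights(groups, layers, rules=GROUP_LAYER_RULES):
    """Return layer -> (effective status, effectively blocked functions)."""
    none = (Status.C, frozenset())
    result = {}
    for layer in layers:
        entries = [rules.get(g, {}).get(layer, none) for g in groups]
        result[layer] = aggregate(entries)
    return result

if __name__ == "__main__":
    layers = ["Points of Interest (Edit)", "Properties (Edit)", "Emergency"]
    for layer, (status, blocked) in effective_layer_rights(["Users", "Editors"], layers).items():
        print(f"{layer}: {status.name}, blocked={sorted(blocked)}")
```

For a member of both "Users" and "Editors", the explicit right on "Properties (Edit)" wins over the restriction, while the restriction on "Points of Interest (Edit)" stays in force because the second group contributes only status C.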
Example for Restrictions for Layers:
Case A: Restriction with defined restriction rules - functional restrictions (no display, no spatial selection/identify, no attributive search, no editing). The group "Users" is not allowed to use the layer "Points of Interest (Edit)". Every disabled functionality is marked with a
Look in Effective Layer Rights:
Restriction on layer - Case A
Case B: Restriction with NO restriction rules = right - explicit functional rights and assigned attributive filter. The group "Editors" has explicit rights to display, select/identify, search and edit the layer "Properties (Edit)", indicated by the . The user group "Users", on the other hand, is not allowed to use the same layer in any way.
Look in Effective Layer Rights:
Restriction with no restriction = right on layer - Case B
Case C: No restriction - no restriction created or attributive filter assigned. For the layer "Emergency" no restrictions have been defined at all.
Look in Effective Layer Rights:
No restriction on Layer - Case C
Example for Restrictions for Map Views:
Case A: Restriction with defined restriction rule - restricted map view
Look in Effective Group Rights:
Restriction map view - Case A
Case B: Restriction with NO restriction rules = right - not restricted map view
Look in Effective Group Rights:
Restriction with no restriction = right on map view - Case B
Case C: No restriction - no restriction created.
Look in Effective Group Rights:
No restriction on map view - Case C
Choice of Role
The user will have to decide which group/role he will use to access a WebOffice 10.9 R4 project, whenever the following conditions are met:
•A user is a member of more than one group
•Those groups differ in specific configuration properties, listed below
Properties that cause the user to select a specific group/role when entering a WebOffice 10.9 R4 project:
Select a group/role to access a WebOffice project