WebOffice usermanagement Rights

The WebOffice usermanagement rights repository supports two approaches for implementing role-based access rights:

Rights inheritance

Rights aggregation

You may use either the first or the second approach.

 


Mixing both approaches is not recommended, because it makes it hard for administrators to check effective user rights.

 

Additionally, some properties lead to a choice of role if the user is a member of multiple groups. See the bottom of the chapter for details.

 

Rights Inheritance

A user group may have a parent group. The user group will inherit rights (e.g. group rights for projects) and restrictions from its parent group.

 

Rights Aggregation

A user may have multiple roles, that is, be a member of multiple user groups. The rights of all of these roles are then aggregated (the logical OR operator is used).

In order to understand the rights aggregation of WebOffice usermanagement, it is important to understand that there are 3 statuses:

A. Restriction with defined restriction rules

B. Restriction with NO restriction rules = right

C. No restriction

 

If a user is a member of several groups, the rights aggregation works like this:

A+A=A

A+B=B

A+C=A

B+C=B

A+B+C=B
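The table above reduces to a precedence rule: B wins over A, and A wins over C. The following added example (not WebOffice code; all function and variable names are hypothetical) computes the effective status per layer for a user and lists the groups whose restriction is lifted by an explicit right from another group, which is the case an administrator should review. The layer and group names are taken from the examples on this page; the status assignments are constructed sample data.

```python
from enum import Enum

class Status(Enum):
    A = "restriction with defined restriction rules"
    B = "restriction with no restriction rules (= right)"
    C = "no restriction"

# Precedence read off the page's table: B wins over A, A wins over C.
_RANK = {Status.C: 0, Status.A: 1, Status.B: 2}

def aggregate(statuses):
    """Effective status of one object across all groups of a user."""
    return max(statuses, key=_RANK.__getitem__)

def effective_rights(groups, group_status, objects):
    """Map each object to (effective status, groups whose restriction was lifted)."""
    report = {}
    for obj in objects:
        # A group that defines nothing for an object is in status C.
        per_group = {g: group_status.get(g, {}).get(obj, Status.C) for g in groups}
        eff = aggregate(per_group.values())
        lifted = sorted(g for g, s in per_group.items()
                        if s is Status.A and eff is Status.B)
        report[obj] = (eff, lifted)
    return report

# Constructed sample: layer and group names come from the examples on this
# page; the status of "Editors" on the first layer is an assumption.
LAYERS = ["Points of Interest (Edit)", "Properties (Edit)", "Emergency"]
GROUP_STATUS = {
    "Users": {"Points of Interest (Edit)": Status.A,
              "Properties (Edit)": Status.A},
    "Editors": {"Properties (Edit)": Status.B},
}

if __name__ == "__main__":
    for layer, (eff, lifted) in effective_rights(
            ["Users", "Editors"], GROUP_STATUS, LAYERS).items():
        note = f"  <- restriction of {lifted} lifted" if lifted else ""
        print(f"{layer}: {eff.name}{note}")
```
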

 

Example for Restrictions for Layers:

Case A: Restriction with defined restriction rules - functional restrictions (no display, no spatial selection/identify, no attributive search, no editing). The group "Users" is not allowed to use the layer "Points of Interest (Edit)". Every disabled functionality is marked with an icon (image um_USERMANAGEMENT_Rights0a).

Look in Effective Layer Rights:

 

Restriction on layer - Case A 


 

Case B: Restriction with NO restriction rules = right - explicit functional rights and assigned attributive filter. The group "Editors" has explicit rights to display, select/identify, search and edit the layer "Properties (Edit)", indicated by an icon (image um_USERMANAGEMENT_Rights0b). The user group "Users", on the other hand, is not allowed to use the same layer in any way.

Look in Effective Layer Rights:

 

Restriction with no restriction = right on layer - Case B


 

Case C: No restriction - no restriction created or attributive filter assigned. For the layer "Emergency" no restrictions have been defined at all.

Look in Effective Layer Rights:

 

No restriction on Layer - Case C


 

Example for Restrictions for Map Views:

Case A: Restriction with defined restriction rule - restricted map view

Look in Effective Group Rights:

 

Restriction map view - Case A 


 

Case B: Restriction with NO restriction rules = right - not restricted map view

Look in Effective Group Rights:

 

Restriction with no restriction = right on map view - Case B


 

Case C: No restriction - no restriction created.

Look in Effective Group Rights:

 

No restriction on map view - Case C


 

Choice of Role

The user will have to decide which group/role he will use to access a WebOffice 10.9 SP1 project, whenever the following conditions are met:

The user is a member of more than one group

Those groups differ in specific configuration properties, listed below

 

Properties that cause the user to select a specific group/role when entering a WebOffice 10.9 SP1 project:

Parent Group

Client-ID

Extended Properties

Print Profile

Spatial Extent

Initial Extent

Map View

 

Select a group/role to access a WebOffice project


 

 


The choice of a specific group is not available if a user is a member of different groups to which different print profiles have been assigned, but only one of these groups contains explicit information in the print profile. In this case, when entering a WebOffice 10.9 SP1 project, the group that contains the explicit information in the print profile is automatically used. Example:

 

Group A has been assigned the print profile A with a configured attribute (e.g. company logo)

Group B has been assigned the print profile B, which has NO configured attributes

-> When entering a WebOffice 10.9 SP1 project, no group selection appears. Instead, the user is logged on with group A because this group contains a print profile with explicit information.

 

The choice of a specific group is not available if a user is a member of different groups, but only one of these groups has been assigned a corresponding initial extent. In this case, when entering a WebOffice 10.9 SP1 project, the group that has been assigned the initial extent is automatically used. Example:

 

Group A has rights to Project A with a corresponding initial extent

Group B has rights to Project A without an initial extent

-> When entering a WebOffice 10.9 SP1 project, no group selection appears. Instead, the user is logged on with group A because this group has been assigned an initial extent.