Function Authorization
  • 14 Oct 2022

Function authorization is about two different things. First and foremost it is about associating users and/or user groups to tasks and/or task groups. The function authorization task is also used for administrating Realms. Different users/user groups get authorization to different tasks in the context of a specific realm.

Selecting the function authorization task will take you to the function authorization main portlet as below.

Figure 167 Function authorization main portlet

Right clicking in the function authorization main portlet will give you all possible function authorization administration actions: create, update, copy, delete, view and authorization.

Figure 168 Possible function authorization administration actions

Table 111 Function authorization main portlet fields

Realm (Activated): Shows the name of the currently activated realm.

Realm: Realm name

Access type: Access status (global authorization setting for a specific realm). “No Access” means that the default authorization configuration is set to be “no rights at all”. This setting has to be overridden on task/task group level for a user/user group to be granted any authorization.

Table 112 Function authorization main portlet button options

Refreshes the view

Closes the task

Work with Realms

Figure 168 above describes a number of different function authorization administration actions. Create, update, copy, delete and view are all actions that deal with the administration of Realms.

A realm is a global logical entity (context). It is in the context of a specific realm that authorization rights are defined. A realm can for example be “Test” while another realm might be “Prod”, reflecting different schemas in a database (there are many possible scenarios working with realms).

All Realms created here must also be defined in model time (sitedef.xml).

We will not comment further on the concept, or workings, of the realm in this manual.

Create a Realm

To create a Realm right click in the function authorization portlet and choose Create as below.

Figure 169 Right click – Create Realm

The create right click will take you to the create realm view.

Figure 170 Create realm portlet details

Table 113 Create realm fields

Realm: Name of the realm

Access type: Access status (global authorization setting for a specific realm).

  1 - Full Access means that the default authorization configuration is set to be “full rights”. This setting has to be explicitly overridden on task/task group level for a user/user group to be denied any authorization, else all users have the right to start all tasks and no further configuration is needed.

  0 - No Access means that the default authorization configuration is set to be “no rights at all”. This setting has to be overridden on task/task group level for a user/user group to be granted any authorization.

Table 114 Create realm button options

Refreshes the view

Cancels the creation of a realm and returns to the previous view.

Confirms creation of a realm and returns to the previous view

Update a Realm

To update a Realm right click in the function authorization portlet and choose Update as below.

Figure 171 Right click – Update realm

The update right click will take you to the update realm view.

Figure 172 Update realm portlet details

Table 115 Update realm fields

Realm: Name of the realm

Access type: Access status (global authorization setting for a specific realm).

  1 - Full Access means that the default authorization configuration is set to be “full rights”. This setting has to be explicitly overridden on task/task group level for a user/user group to be denied any authorization, else all users have the right to start all tasks and no further configuration is needed.

  0 - No Access means that the default authorization configuration is set to be “no rights at all”. This setting has to be overridden on task/task group level for a user/user group to be granted any authorization.

Table 116 Update realm possible button options

Refreshes the view

Cancels the update of a realm and returns to the previous view

Confirms update of a realm and returns to the previous view

Copy a Realm

To copy a Realm right click in the function authorization portlet and choose Copy as below.

Figure 173 Right click – Copy realm

The copy right click will take you to the copy realm view.

Figure 174 Copy realm portlet details

Table 117 Copy realm fields

Realm: Name of the realm

Access type: Access status (global authorization setting for a specific realm).

  1 - Full Access means that the default authorization configuration is set to be “full rights”. This setting has to be explicitly overridden on task/task group level for a user/user group to be denied any authorization, else all users have the right to start all tasks and no further configuration is needed.

  0 - No Access means that the default authorization configuration is set to be “no rights at all”. This setting has to be overridden on task/task group level for a user/user group to be granted any authorization.

Table 118 Copy realm possible button options

Refreshes the view

Cancels copying of the realm and returns to the previous view

Confirms copying of the realm and returns to the previous view

Delete a Realm

To delete a Realm right click in the function authorization portlet and choose Delete as below.

Figure 175 Right click – Delete realm

The delete right click will take you to the delete realm view.

Figure 176 Delete realm portlet details

Table 119 Delete realm possible button options

Refreshes the view

Cancels deletion of the realm and returns to the previous view

Confirms deletion of the realm and returns to the previous view

View a Realm

To view a Realm right click in the function authorization portlet and choose View as below.

Figure 177 Right click – View realm

The view right click will take you to the view realm portlet.

Figure 178 View realm portlet

Table 120 View realm possible button options

Refreshes the view

Brings you back to previous view

Work with Authorization

In Authorization you associate users and/or user groups to tasks and/or task groups. This authorization is granted in the context of a specific realm.

Choose the realm in which you want to define the user authorization. In the picture below authorization will be set up in the context of the “Test” realm. Access type “0 – No access” means that the default authorization setting is “no access rights”.

1 - Full Access means that the default authorization configuration is set to be “full rights”. This setting has to be explicitly overridden on task/task group level for a user/user group to be denied any authorization, else all users have the right to start all tasks and no further configuration is needed.

0 - No Access means that the default authorization configuration is set to be “no rights at all”. This setting has to be overridden on task/task group level for a user/user group to be granted any authorization.

Figure 179 Choosing authorization configuration in the context of the “TEST” realm.

Configuring authorization

After having chosen a realm context in which to define the authorization you will see the view as in Figure 180 (depending, of course, on which user groups have been created).

Figure 180 Authorization view

Table 121 Function authorization button options

Refreshes the view

Closes the task

Cancels current operation and returns to the previous view

All authorization settings will be valid next time a user logs in; no runtime server restart is required.

There are four different tabs in the authorization view: User, User Group, Task and Task Group. This indicates that authorization can be configured in a number of different ways, as specified below:

Selecting the User tab you can choose a specific user and associate that user to a specific task and/or task group.

Selecting the User group tab you can choose a specific user group and associate that user group to a specific task and/or task group.

Selecting the Task tab you can choose a specific task and associate that task to a specific user and/or user group.

Selecting the Task group tab you can choose a specific task group and associate that task group to a specific user and/or user group.

There are differences between defining authorization via the user/user group tabs and the task/task group tabs. Because of that there will be two examples: first, associating a single user to a single task from the user tab (chapter 4.5.4), and second, associating a single user to a single task from the task tab (chapter 4.5.5).

Function authorization – By example (using the user tab)

Best practices for defining authorization are described in chapter 4.10. This scenario associates a single user to a single task, which is not best practice but is perhaps the easiest way to illustrate authorization settings on task level.

This chapter should serve as an example when setting authorization using either the user or the user group tabs as entry point!

To define authorization, first choose which realm to work with as described in chapter 4.5.3.

Choose the User tab as in Figure 181 below (you could also have chosen the Task tab but that works a bit differently and will be exemplified in chapter 4.5.5).

Figure 181 Using the user tab to configure authorization

This operation will take you to a detailed list of all users with the possible right click actions: Update, View and User group (see below):

Figure 182 Function authorization right click possibilities (user tab)

Update right click will let you associate the user to tasks and/or task groups. A row click on a specific user will give you the same functionality.

View right click will give you the same view as the Update operation but without the update possibility i.e. a pure view mode without the possibility to edit anything.

User Group right click will show you to which user groups the user is associated (in a sametime portlet).

In this example we will use the update option as in Figure 183.

Figure 183 Right click Update – To associate a user to tasks and/or task groups (via user tab)

To set authorization for a specific task, choose “Task” as in Figure 184 below.

Figure 184 Task tab – To set authorization rights for a single task

You will now be presented with a list of all available tasks.

Choose the task for which you want to set authorization rights by checking the check box. Set the access type in the drop down menu. In Figure 185 the user “MyUser” is granted full access rights to the task “Settings”.

Figure 185 Granting full access rights to the “Settings” task for the user “MyUser”

0 – No Access – The user will not be able to see or perform the task

1 – Limited Access – The user will be able to see and perform the task but only have access to actions that do not have Authorization Required

2 – Full Access – The user will be able to see and perform the task and have access to all actions, including those which have Authorization Required.

Note: Authorization Required is controlled on each Action in the Workflow, see figure below:


Click the update button to commit the changes.

We have now given the user “MyUser” full access rights to the task “Settings”!

Above we have exemplified how to set authorization rights for a single user to a single task using the user tab. In the same way you can set authorization rules for a specific user to a task group. You can also use the same method for setting user group rights to either a task or a task group.
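
The rules described so far (the realm's default access type, a task-level override for a user, and Authorization Required on actions) can be modelled as below. This is an added illustration, not code from the product: the class and function names, the access type chosen for the “Prod” realm and its override are assumptions, and user group/task group overrides are left out because the manual does not state their precedence.

```python
# Added illustration: a model of the access rules described in this manual,
# not the product's implementation. Only user-to-task overrides are modelled.
from dataclasses import dataclass, field

NO_ACCESS, LIMITED_ACCESS, FULL_ACCESS = 0, 1, 2    # task-level access types


@dataclass
class Realm:
    name: str
    access_type: int                 # realm default: 0 = No Access, 1 = Full Access
    overrides: dict = field(default_factory=dict)   # (user, task) -> 0/1/2

    def effective_access(self, user, task):
        """Task-level override if one exists, otherwise the realm default."""
        if (user, task) in self.overrides:
            return self.overrides[(user, task)]
        # Assumption: realm "1 - Full Access" corresponds to task-level Full Access.
        return FULL_ACCESS if self.access_type == 1 else NO_ACCESS

    def can_run(self, user, task, authorization_required=False):
        """May the user perform an action belonging to the task?"""
        level = self.effective_access(user, task)
        if level == NO_ACCESS:
            return False
        # Limited Access excludes actions flagged Authorization Required.
        return level == FULL_ACCESS or not authorization_required


def default_grants(realm, users, tasks):
    """(user, task) pairs that have access only through the realm default,
    i.e. grants that nobody configured explicitly."""
    return sorted(
        (u, t) for u in users for t in tasks
        if (u, t) not in realm.overrides
        and realm.effective_access(u, t) != NO_ACCESS
    )


# Constructed sample data; user and task names are taken from the examples here.
USERS = ["MyUser", "OtherUser"]
TASKS = ["Settings", "MyItems"]
test_realm = Realm("Test", 0, {("MyUser", "Settings"): FULL_ACCESS})
prod_realm = Realm("Prod", 1, {("OtherUser", "Settings"): LIMITED_ACCESS})

if __name__ == "__main__":
    for realm in (test_realm, prod_realm):
        print(realm.name, default_grants(realm, USERS, TASKS))
```

In the No Access realm the review list is empty and every grant is traceable to an explicit entry; in the Full Access realm every user/task pair without an entry is granted by default.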

There is of course also the possibility to choose a task or a task group and associate a user and/or user group to that task/task group. This is done in a slightly different way and will be exemplified below. In Figure 181 you can see the four different entry tabs for defining authorization.

Table 122 Access type view button options

Refreshes the view

Closes the task

Cancels the operation and returns to the previous view

Confirms update of authorization settings and returns to the previous view

Clicking the Analysis button will result in a sametime portlet summarized view about which tasks the user has authorization settings defined for.

Function authorization – By example (using the task tab)

In chapter 4.5.4 authorization was set by associating a single user to a single task with the user tab as entry point. In this chapter we will see yet another example of associating a single user to a single task but this time with the task tab as entry point (the method slightly differs).

This chapter should serve as an example when setting authorization using either the task or the task group tabs as entry point!

To define authorization, first choose which realm to work with as described in chapter 4.5.3.

Choose the Task tab as in Figure 186 below (you could also have chosen the User tab but that works a bit differently and is exemplified in chapter 4.5.4).

Figure 186 Using the task tab to configure authorization

This operation will take you to a detailed list of all tasks with the possible right click actions: Update and View (see below):

Figure 187 Function authorization right click possibilities (task tab)

Update right click will let you associate the task to a user and/or user groups. A row click on a specific task will give you the same functionality.

View right click will give you the same view as the Update operation but without the update possibility i.e. a pure view mode without the possibility to edit anything.

In this example we will use the update option as in Figure 188. Here we will use the “MyItems” task.

Figure 188 Right click Update – To associate a task to users and/or user groups (via task tab)

To set authorization for a specific task then choose “Task” as in Figure 189 below:

Figure 189 User tab – To set authorization rights for a single user

You will now be presented with a list of all users that have authorization settings defined for the “MyItems” task. In this example no authorization settings have been defined for the “MyItems” task, hence the list is empty as in Figure 190 below.

Figure 190 List of users with MyItems task authorization settings (here empty)

To define authorization settings for the “MyItems” task on user level, right click and choose Create as below:

Figure 191 Right click Create – To associate a user to a selected task

This will take you to the create view:

Figure 192 Choose user to associate to the task view

Look up the User field (F4) and choose the desired user.

Choose the desired access type.

0 – No Access – The user will not be able to see or perform the task

1 – Limited Access – Not yet implemented!

2 – Full Access – The user will be able to see and perform the task

Click the create button.

Refreshes the view

Cancels the operation and returns to the previous view.

Confirms creation of user authorization to the specific task

In Figure 193 the user “MyUser” is granted full access rights to the task “MyItems”.

Figure 193 User (MyUser) granted authorization (Full access) to a specific task (MyItems)

