Skip to main content

i4connected Knowledge Base

Effective permissions

Abstract

Check out more details about Effective permissions and what is the algorithm for determining the actual permissions of a user.

The effective permissions are the actual user permissions calculated for each node. The algorithm for calculating the effective permissions is outlined below:

algorithm_effecitve_permissions.jpg

Effective permissions architecture

These permissions are processed and stored whenever changes occur in either the role assignments, role permission settings, the hierarchical structure, or user list, hence:

  • If an area is added or deleted, all sub-areas and devices will be re-evaluated for effective permissions.

  • If a role package is added or removed from an area, all sub-areas and devices will be re-evaluated for effective permissions.

The (re)calculation of the effective permissions is performed inside the application server and runs as a dedicated security module. After recalculating a user’s effective permissions, the effective permissions database table will be replaced with the new values for that user.

Warning

When editing the roles of a user, on a specific entity, the list of Effective permissions is, by default, collapsed, in order to have a better overview of the list of roles.

Effective_permissiosn_collapsed.jpg

The list of Effective permissions is collapsed

To check the Effective permissions list, the user needs to click the respective button, to expand the view.

Effective_permissions_expanded.jpg

The list of Effective permissions is expanded

The effective permissions are calculated separately for each entity and only the relevant permissions are evaluated (Allow or Deny), as follows:

  • Sites and Areas share their effective permissions as location-related permissions, as follows:

    Site_efective_perm.jpg

    Site's and Area's effective permissions list

    • View sites and areas - Allows viewing the sites and areas along with the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all sites and areas.

    • Manage sites and areas - Allows editing and deleting the site or/and the area.

    • View devices - Allows viewing the device and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally, the user is allowed to view all devices.

    • Manage devices - Allows editing and deleting devices, in the context of the site or area.

    • Read signals - Allows reading the signal value,

    • Write signals - Allows writing to the signal.

  • Organizational Units have their own effective permissions (without signal read/write), as follows:

    OU_effective_perm.jpg

    Organizational Unit's effective permissions list

    • View organizational units - Allows viewing the organizational unit and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all organizational units.

    • Manage organizational units - Allows editing and deleting the organizational units.

    • View devices - Allows viewing the device and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally, the user is allowed to view all devices.

    • Manage devices - Allows editing and deleting devices, in the context of the organizational unit.

    • Read signals - Allows reading the signal value,

    • Write signals - Allows writing to the signal.

  • Devices also have the following dedicated effective permissions:

    Devce_effective_perm.jpg

    Device's effective permissions list

    • View devices - Allows viewing the device and the corresponding calculations (from measure aggregations). This can be managed for each item. Having this permission set globally will allow the user to view all organizational units.

    • Manage devices - Allows editing and deleting the device.

    • Read signals - Allows reading the signal value,

    • Write signals - Allows writing to the signal.

  • Adapters have the following dedicated effective permissions:

    Adapters_effective_permissions.jpg
    • View adapters - Allows viewing and selecting adapters when configuring devices.

    • Manage adapters - Allows editing and deleting the adapter.

  • Signals have the following dedicated effective permissions:

    Signal_effective_perm.jpg

    Signal's effective permissions list

    • Read signals - Allows reading the signal value,

    • Write signals - Allows writing to the signal.

  • Application mappings feature the following effective permissions:

    App_mappings_effectve_permissions.jpg
    • View applications - Allows viewing applications and assigning them to entities.

    • Manage mappings - Allows editing and deleting the application mapping.

  • Reports feature the following effective permissions

    Effective_permissions.jpg
    • Manage report definitions - Allows editing and deleting the report.

    • View report definitions - Allows viewing the report.

  • Response Teams feature the following effective permissions

    RespTeams_efective_permissions.jpg
    • View response teams - Allows viewing the response team.

    • Manage response teams - Allows editing and deleting the response team.