User Roles, Authorizations and Credentials


 

Roles

Authorizations

Credentials

 

See also: User Authentication, Using a Logon Service

 

Roles

A role is a character string that represents some capability of the user. Examples might be Manager, Supervisor, Auditor etc. Any number of roles can be associated with a user at signon time using a Logon Service.

 

You can check for the existence of a role using Javascript SecurityManager.hasRole() or the FPL hasRole() function e.g.

 

Javascript:

if (system.securityManager.hasRole("Manager"))
{
  ..
}

FPL:

if [ hasRole('Manager') ]
  ..
endif

 

When using Active Directory, AD groups can be used as roles. These can be retrieved from AD using Javascript services.ldap.getADGroups().

 

A role can also be used to control assignment of workflow tasks e.g. assign a task to anyone with the HelpDesk role. See XI Workflow Assignment Handler.

 

 

Authorizations

Authorizations are similar to roles but provide more granularity.  Any number of authorizations can be associated with a user at signon time using a Logon Service. Each authorization contains three fields that can be checked: type, name and function.

 

Type

Can be any character string, but typically is the type of authorization being checked e.g. Customer, Account, Request etc.

Name

Can be any character string, but typically represents the explicit item to be checked e.g. customer name, account id, request id etc.

 

When an authorization is associated with a user, the name can be provided as either:

· A character string

· A character string ending with a masking character (*)

· A list of values each one of which can end with a masking character (*)

· A range of values – these can be numeric or character values

Function

Can be any character string, but typically represents the action to be checked e.g. Delete, Create, Change etc.

Allow/prevent

A boolean flag that determines whether an authorization check should be allowed or prevented. This is provided when an authorization is associated with a user.

Audit

An optional boolean flag that determines whether an authorization check using this authorization should be audited. This is provided when an authorization is associated with a user.

 

 

Check whether a user has an authorization using isAuthorized(), passing the type/name/function fields:

Javascript:

if (system.securityManager.isAuthorized("Customer",
      fields.customerName.value, "Update"))
{
  ..
}

FPL:

if [ isAuthorized('Customer', customerName, 'Update') ]
  ..
endif
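
The sketch below is an added example, not Ebase code: it models how an authorization whose name is a plain string, a masked string, a list or a range could be matched against a type/name/function check. The field names (type, name, func, allow, audit), the {from, to} range shape, and the rule that a matching prevent overrides an allow while no match denies are assumptions that the page does not define.

```javascript
// Illustrative model only; not the SecurityManager implementation.
const isNumeric = (x) => /^-?\d+(\.\d+)?$/.test(String(x));

// Does one name pattern (string, masked string, or {from, to} range) cover value?
function nameMatches(pattern, value) {
  const v = String(value);
  if (typeof pattern === "object") {                 // range of values (assumed shape)
    const { from, to } = pattern;
    if ([from, to, v].every(isNumeric)) {            // numeric range
      return Number(from) <= Number(v) && Number(v) <= Number(to);
    }
    return String(from) <= v && v <= String(to);     // character range
  }
  const p = String(pattern);
  if (p.endsWith("*")) {                             // trailing masking character
    return v.startsWith(p.slice(0, -1));
  }
  return p === v;                                    // plain character string
}

// Local stand-in for an authorization check over a user's authorizations.
function checkAuthorization(auths, type, name, func, auditLog = []) {
  let allowed = false;
  let prevented = false;
  for (const a of auths) {
    if (a.type !== type || a.func !== func) continue;
    const names = Array.isArray(a.name) ? a.name : [a.name];   // list of values
    if (!names.some((p) => nameMatches(p, name))) continue;
    if (a.audit) auditLog.push({ type, name, func, allow: a.allow });
    if (a.allow) allowed = true; else prevented = true;
  }
  // Assumption: an explicit prevent wins, and no matching authorization denies.
  return allowed && !prevented;
}

// Constructed sample authorizations, as a Logon Service might associate with a user.
const SAMPLE_AUTHS = [
  { type: "Customer", name: "ACME*", func: "Update", allow: true },
  { type: "Customer", name: "ACME-LEGAL", func: "Update", allow: false, audit: true },
  { type: "Account", name: { from: "1000", to: "1999" }, func: "Delete", allow: true },
  { type: "Request", name: ["R-17", "HR*"], func: "Change", allow: true },
];
```

With this model, a broad masked allow such as ACME* can be narrowed by a more specific prevent entry, and the audited entry records the check that matched it.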

 

 

 

Credentials

A credential can be any user attribute that also has a corresponding value, such as email address, department, employee no.  Any number of credentials can be associated with a user during the authentication process implemented by a Logon Service, e.g. by extracting them from a user registry like Active Directory.

 

email=jsmith@mycorp.com

department=it

employeeno=654321

 

User credentials can be checked with the Javascript SecurityManager.getCredential() and SecurityManager.checkCredentialValue() methods and the FPL getCredential() and hasCredential() functions.

 

API based language (Javascript):

var emailAdr = system.securityManager.getCredential("email");

if (system.securityManager.checkCredentialValue("department", "Accounts"))
{
  ..
}

FPL:

email_adr = getCredential('email');

if [ hasCredential('department', 'Accounts') ]
  ..
endif

 

 

Credentials can also be used to control assignment of workflow tasks, either on their own or in combination with roles. See XI Workflow Assignment Handler.