User Roles, Authorizations and Credentials
See also: User Authentication, Using a Logon Service
A role is a character string that represents some capability of the user; examples might be Manager, Supervisor or Auditor. Any number of roles can be associated with a user at signon time using a Logon Service.
You can check for the existence of a role using the Javascript SecurityManager.hasRole() method or the FPL hasRole() function, e.g.
Javascript:
    if (system.securityManager.hasRole("Manager")) { .. }
FPL:
    if [ hasRole('Manager') ] .. endif
When using Active Directory, AD groups can be used as roles. These can be retrieved from AD using Javascript services.ldap.getADGroups().
A role can also be used to control assignment of workflow tasks e.g. assign a task to anyone with the HelpDesk role. See XI Workflow Assignment Handler.
Authorizations are similar to roles but provide more granularity. Any number of authorizations can be associated with a user at signon time using a Logon Service. Each authorization contains three fields that are checked (type, name and function) plus two flags (allow/prevent and audit) that govern the outcome of a matching check:
Type
    Can be any character string, but typically is the type of item being checked, e.g. Customer, Account, Request etc.
Name
    Can be any character string, but typically identifies the explicit item to be checked, e.g. customer name, account id, request id etc. When an authorization is associated with a user, the name can be provided as any of:
    · A character string
    · A character string ending with a masking character (*)
    · A list of values, each of which can end with a masking character (*)
    · A range of values; these can be numeric or character values
Function
    Can be any character string, but typically represents the action to be checked, e.g. Delete, Create, Change etc.
Allow/prevent
    A boolean flag that determines whether an authorization check matching this authorization is allowed or prevented. This is provided when an authorization is associated with a user.
Audit
    An optional boolean flag that determines whether an authorization check matching this authorization should be audited. This is provided when an authorization is associated with a user.
Check whether a user has an authorization using isAuthorized(), passing the type, name and function to be checked:
Javascript:
    if (system.securityManager.isAuthorized("Customer", fields.customerName.value, "Update")) { .. }
FPL:
    if [ isAuthorized('Customer', customerName, 'Update') ] .. endif
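The name rules above (masks, lists and ranges) combined with the allow/prevent and audit flags are where authorization definitions most often go wrong, so the following added Javascript models them so they can be exercised offline. This is example code written for this page, not the product's SecurityManager or Logon Service, and it assumes several things the page does not state: type and function are matched exactly, an explicit prevent overrides any matching allow, no match at all means not authorized, range bounds are inclusive, and all comparisons are case-sensitive. The sample authorizations and the names checked against them are constructed.

```javascript
// Added example: an offline model of the authorization matching rules described
// on this page (type/name/function, name masks, lists, ranges, allow/prevent,
// audit). It is NOT the product's SecurityManager; it exists so the rules and
// their edge cases can be seen. Points marked "assumption" are not on the page.

// An authorization as a Logon Service might attach it to a user.
// name may be: a string, a string ending in the mask character "*",
// an array of such strings, or a range { from, to } (numeric or character).
function makeAuth(type, name, func, allow = true, audit = false) {
  return { type, name, func, allow, audit };
}

const NUMERIC = /^-?\d+(\.\d+)?$/;

// Apply the name rules from the table above to one value.
function nameMatches(pattern, value) {
  const v = String(value);
  if (Array.isArray(pattern)) {
    // A list matches if any entry matches (entries may themselves be masked).
    return pattern.some((p) => nameMatches(p, v));
  }
  if (pattern !== null && typeof pattern === "object") {
    // A range: compare numerically when bounds and value are all numeric,
    // otherwise compare as character strings. Assumption: inclusive bounds.
    const from = String(pattern.from), to = String(pattern.to);
    if ([from, to, v].every((s) => NUMERIC.test(s))) {
      const n = Number(v);
      return n >= Number(from) && n <= Number(to);
    }
    return v >= from && v <= to;
  }
  const p = String(pattern);
  if (p.endsWith("*")) {
    // Mask: a textual prefix match, not a numeric bound. "1*" matches
    // "10000" just as readily as "1".
    return v.startsWith(p.slice(0, -1));
  }
  return p === v; // exact and case-sensitive (assumption)
}

// isAuthorized(type, name, function) evaluated against a user's authorizations.
// Assumptions: type and function match exactly (the page describes masks and
// ranges for name only); an explicit prevent overrides any matching allow; no
// match means not authorized (fail closed). The audit flag of any matching
// authorization is reported so the caller can write an audit record.
function isAuthorized(auths, type, name, func) {
  const matched = auths.filter(
    (a) => a.type === type && a.func === func && nameMatches(a.name, name)
  );
  return {
    allowed: matched.length > 0 && matched.every((a) => a.allow),
    audit: matched.some((a) => a.audit),
    matched: matched.length,
  };
}

// Constructed sample authorizations for one user (not real data).
const USER_AUTHS = [
  makeAuth("Customer", "ACME*", "Update"),                     // masked name
  makeAuth("Customer", "ACME-RETIRED", "Update", false, true), // prevent, audited
  makeAuth("Account", { from: 1000, to: 1999 }, "Delete"),     // numeric range
  makeAuth("Account", "1*", "View"),                           // mask, probably meant as 1xxx
  makeAuth("Request", ["REQ-1", "REQ-2", "TMP*"], "Change"),   // list containing a mask
  makeAuth("Region", { from: "A", to: "M" }, "Read"),          // character range
];

// Convenience wrapper over the constructed user.
function check(type, name, func) {
  return isAuthorized(USER_AUTHS, type, name, func);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [t, n, f] of [
    ["Customer", "ACME-UK", "Update"],
    ["Customer", "ACME-RETIRED", "Update"],
    ["Account", "1500", "Delete"],
    ["Account", "10000", "View"],
    ["Account", "10000", "Delete"],
    ["Region", "Kent", "Read"],
  ]) {
    console.log(t, n, f, JSON.stringify(check(t, n, f)));
  }
}
```

Two results are worth noting. "ACME*" covers ACME-RETIRED as well as ACME-UK, so only the explicit prevent entry keeps the retired customer out (and its audit flag causes that refusal to be flagged for auditing). The mask "1*" on Account/View also matches 10000, where the range 1000 to 1999 on Account/Delete does not: a mask is a textual prefix, so use a range when the intent is a numeric bound.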
A credential is any user attribute that has a corresponding value, such as email address, department or employee number. Any number of credentials can be associated with a user during the authentication process implemented by a Logon Service, e.g. by extracting them from a user registry like Active Directory. For example:
email=jsmith@mycorp.com
department=it
employeeno=654321
User credentials can be checked with the Javascript SecurityManager.getCredential() and SecurityManager.checkCredentialValue() methods and the FPL getCredential() and hasCredential() functions.
Javascript:
    var emailAdr = system.securityManager.getCredential("email");
    if (system.securityManager.checkCredentialValue("department", "Accounts")) { .. }
FPL:
    email_adr = getCredential('email');
    if [ hasCredential('department', 'Accounts') ] .. endif
Credentials can also be used to control assignment of workflow tasks, either on their own or in combination with roles. See XI Workflow Assignment Handler.