Example Configuration
Assume that you already have groups configured for your users based on a region model, and you now wish to configure your administrators. Here is the existing user group configuration:
You should probably configure your administrator groups to reflect your user groups:
In this example, three region-based administrator groups have been created to reflect the three region-based user groups. The Super-Users group is created automatically by aPriori. Each of the region-based groups has an attribute called "Region" which is set to the same value used in the user groups (for example, "USA", "China", etc.). The Super-Users group's "Region" attribute is set to "Global".
Note: In an actual installation, you would also need to create VPE administrator groups. These might or might not also mirror the region-based groups, depending on the requirements for VPE creation, update, and delete.
Permissions for the different groups
All Users – By default, aPriori sets READ access to all Groups and all Permissions for all users:
READ Permission true, Strong Grant
READ Group true, Strong Grant
This is hard-coded and aPriori does not allow the creation of READ permissions on Groups and Permissions.
Super Users – By default the Super-Users group has the following permissions related to groups and permissions:
aP.Group.Create.StrongGrant: CREATE Groups
aP.Group.UD.StrongGrant: UPDATE and DELETE Groups
aP.Permission.Associate.StrongGrant: ASSOCIATE Permissions ("Associate" means "Add Permission to Group")
aP.Permission.Create.StrongGrant: CREATE Permissions
aP.Permission.UD.StrongGrant: UPDATE and DELETE Permissions
Note that Super-Users should always have strongGrant permissions on all resource types, for all actions.
Administrators – In this scenario, members of the top-level Administrators group have the following permissions:
CREATE, UPDATE, DELETE Permission, false (these are not denied, they are simply not explicitly granted)
ASSOCIATE ("Add to Group") Permission, If permission.strongGrant == false (or permission.normalgrant == true)
Note: Non-Super User Administrators cannot associate "Strong Grant" permissions (or, put another way, they can only associate "Normal Grant" permissions.)
USA-Admins, UK-Admins, China-Admins – The regional administrators would have the following permissions:
UPDATE Groups [Normal Deny], currentGroup.attributeValues.region = Group.attributeValues.region
This rule ensures that admins can only update groups that are in their region – for example, Associate permissions to groups in their region.
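The rules above can be read as a small policy: READ on Groups and Permissions is hard-coded for everyone, Super-Users hold Strong Grants on every action, Administrators may only associate Normal Grant permissions, and regional admins are restricted to groups whose Region attribute matches their own. The following evaluator is an added example that models those rules in Python; it is not aPriori's authorization engine, and the precedence it uses (Strong Grant wins, then any Normal Deny, then Normal Grant, otherwise "not granted") and the Normal Grant on UPDATE Groups given to USA-Admins are assumptions, as is the reading that a Normal Deny's condition is its carve-out. Group and permission names mirror the page; the condition names same_region and normal_grant_only are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Grant kinds as the page names them.
STRONG_GRANT, NORMAL_GRANT, NORMAL_DENY = "StrongGrant", "NormalGrant", "NormalDeny"


@dataclass(frozen=True)
class Permission:
    resource: str                    # "Group" or "Permission"
    action: str                      # CREATE, UPDATE, DELETE, ASSOCIATE (READ is hard-coded)
    grant: str                       # STRONG_GRANT, NORMAL_GRANT or NORMAL_DENY
    condition: Optional[str] = None  # rule name evaluated by condition_holds()


@dataclass
class Group:
    name: str
    attributes: dict = field(default_factory=dict)   # e.g. {"Region": "USA"}
    permissions: list = field(default_factory=list)


def condition_holds(condition, actor_group, target):
    """Evaluate one of the page's rules. target is the Group being updated,
    or the Permission being associated (added to a group)."""
    if condition is None:
        return True
    if condition == "same_region":
        # currentGroup.attributeValues.region = Group.attributeValues.region
        return actor_group.attributes.get("Region") == target.attributes.get("Region")
    if condition == "normal_grant_only":
        # permission.strongGrant == false
        return target.grant != STRONG_GRANT
    raise ValueError(f"unknown condition: {condition}")


def is_allowed(member_of, resource, action, target=None):
    """Decide whether a user who belongs to the groups in member_of may perform
    action on resource. Assumed precedence: a matching Strong Grant always wins;
    otherwise any firing Normal Deny wins; otherwise a Normal Grant allows;
    with no matching entry the request is simply not granted (denied).
    A deny entry's condition is its carve-out: the deny fires when the
    condition does NOT hold."""
    if action == "READ" and resource in ("Group", "Permission"):
        return True  # hard-coded READ for all users
    strong = deny = normal = False
    for group in member_of:
        for p in group.permissions:
            if (p.resource, p.action) != (resource, action):
                continue
            holds = condition_holds(p.condition, group, target)
            if p.grant == NORMAL_DENY:
                deny |= not holds
            elif holds:
                if p.grant == STRONG_GRANT:
                    strong = True
                else:
                    normal = True
    return strong or (normal and not deny)


def build_groups():
    """Constructed configuration mirroring the page's example groups."""
    def ud(resource, grant):  # aP.<Resource>.UD.* covers both UPDATE and DELETE
        return [Permission(resource, "UPDATE", grant), Permission(resource, "DELETE", grant)]

    super_users = Group("Super-Users", {"Region": "Global"}, [
        Permission("Group", "CREATE", STRONG_GRANT), *ud("Group", STRONG_GRANT),
        Permission("Permission", "ASSOCIATE", STRONG_GRANT),
        Permission("Permission", "CREATE", STRONG_GRANT), *ud("Permission", STRONG_GRANT),
    ])
    administrators = Group("Administrators", {}, [
        # CREATE/UPDATE/DELETE Permission: deliberately no entry (not denied, just not granted).
        Permission("Permission", "ASSOCIATE", NORMAL_GRANT, "normal_grant_only"),
    ])
    usa_admins = Group("USA-Admins", {"Region": "USA"}, [
        Permission("Group", "UPDATE", NORMAL_GRANT),  # assumed grant that the deny below narrows
        Permission("Group", "UPDATE", NORMAL_DENY, "same_region"),
    ])
    return super_users, administrators, usa_admins


def demo():
    """Run the checks a reviewer would want to see; returns label -> decision."""
    super_users, administrators, usa_admins = build_groups()
    usa_users = Group("USA-Users", {"Region": "USA"})
    china_users = Group("China-Users", {"Region": "China"})
    strong_perm = Permission("Group", "CREATE", STRONG_GRANT)
    normal_perm = Permission("Group", "CREATE", NORMAL_GRANT)
    regional = [administrators, usa_admins]  # a USA admin is in both groups
    return {
        "anyone reads groups": is_allowed([], "Group", "READ"),
        "USA admin updates USA group": is_allowed(regional, "Group", "UPDATE", usa_users),
        "USA admin updates China group": is_allowed(regional, "Group", "UPDATE", china_users),
        "USA admin associates normal grant": is_allowed(regional, "Permission", "ASSOCIATE", normal_perm),
        "USA admin associates strong grant": is_allowed(regional, "Permission", "ASSOCIATE", strong_perm),
        "USA admin creates permission": is_allowed(regional, "Permission", "CREATE"),
        "super user updates China group": is_allowed([super_users], "Group", "UPDATE", china_users),
        "super user associates strong grant": is_allowed([super_users], "Permission", "ASSOCIATE", strong_perm),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {label}")
```

The two checks worth keeping an eye on when reviewing a real configuration are the ones the model makes explicit: a regional admin is denied UPDATE on a group outside their Region even though a grant exists, and a non-Super-User admin can associate Normal Grant permissions but not Strong Grant ones, which is what keeps a regional admin from escalating to Super-User-level rights.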