Grant Permissions Selectively by Using uiElementValue Properties
You can selectively provide access to tools and features in the System Admin and VPE Toolsets by configuring tab access. To configure tab access, use the uiElement and uiElementValue subjects and properties. The uiElement subject has only one possible property, name. The uiElementValue subject has several properties. Each uiElementValue property maps to a first- or second-level tab in the System Admin or VPE Toolset.
Each tool in the System Admin and VPE Toolsets contains at least one tab. Tabs contain settings that you use to configure the tools. Each tab has a name that differs from the names of all other tabs for that tool. Tabs are classified as either first- or second-level tabs. If a tool has only one first-level tab, the name of the tool and tab are identical. For example, the single, first-level Migration Import Tool tab is named Migration Import Tool and the single, first-level VPE Manager tab is named VPE Manager. For these cases, when you open the tool, the first-level tab appears.
If a tool has more than one first-level tab, when you open the tab, the first-level tabs appear in a clickable list.
A second-level tab is a tab that appears or is listed on a first-level tab. First- and second-level tab sets are said to be multi-generational. The first-level tab is referred to as a parent tab, while each second-level tab is referred to as a child tab.
For example, in the System Admin Toolset, the System Administrator tool contains a first-level tab named Groups. The Groups tab contains three second-level tabs:
• Associated Permissions
• Members
• Attributes
Each of the three second-level tabs is a child of Groups, which is their first-level parent tab.
Similarly, the Data Deployment tab is a first-level tab that you use to configure the Data Deployment tool in the VPE Admin Toolset. These second-level tabs are children of the Data Deployment tab:
• Currency
• Process Groups
• Cost Taxonomy Display Names
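These tables include the uiElementValue property mappings for all the first- and second-level tabs in the System Admin and VPE Toolsets that you can control access to. Child tabs are listed in the rows directly below the row that contains their parent tab.

| Toolset | Tool | Tab Name | Level | uiElementValue Property |
|---|---|---|---|---|
| System Admin Toolset | System Administrator | LDAP connections | First | ldapConnections |
| System Admin Toolset | System Administrator | Users | First | users |
| System Admin Toolset | System Administrator | Roles | First | roles |
| System Admin Toolset | System Administrator | Licenses | First | licenseModules |
| System Admin Toolset | System Administrator | Deployments - Default | First | deploymentDefault |
| System Admin Toolset | System Administrator | Groups | First | groups |
| System Admin Toolset | System Administrator | Associated Permissions | Second | groupPermissions |
| System Admin Toolset | System Administrator | Members | Second | groupMembers |
| System Admin Toolset | System Administrator | Attributes | Second | groupAttributes |
| System Admin Toolset | System Administrator | User Defined Attributes | First | userDefinedAttributes |
| System Admin Toolset | System Administrator | Dialog Views | First | dialogViews |
| System Admin Toolset | System Administrator | Permissions | First | permissions |
| System Admin Toolset | System Administrator | System Variables | First | systemVariables |
| System Admin Toolset | System Administrator | Composites Mapping Files | First | compositeMappingFiles |
| System Admin Toolset | Migration Import Tool | Migration Import Tool | First | migration |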
NOTE: Granting “Open” permission for the Migration Import Tool enables users to run the utility but does not enable them to edit the utility settings. Users can edit the utility settings only if you grant them “Edit” permission for the Migration Import Tool.
| Toolset | Tool | Tab Name | Level | uiElementValue Property |
|---|---|---|---|---|
| VPE Toolset | VPE Manager | VPE Manager | First | vpeManager |
| VPE Toolset | Cost Model Workbench | Cost Model Workbench | First | costModelEditor |
| VPE Toolset | Process Group Site Variables | Process Group Site Variables | First | procesGroupSiteVariables |
| VPE Toolset | Deployment Data | Deployment Data | First | deploymentData |
| VPE Toolset | Deployment Data | Currency | Second | deploymentDataCurrency |
| VPE Toolset | Deployment Data | Process Groups | Second | deploymentDataProcessGroups |
| VPE Toolset | Deployment Data | Cost Taxonomy Display Names | Second | deploymentDataCostTaxonomyDisplayNames |
| VPE Toolset | BOM Loader | BOM Loader | First | bomLoader |
NOTE: Granting “Open” permission for the BOM Loader enables users to run the utility but does not enable them to edit the utility settings. Users can edit the utility settings only if you grant them “Edit” permission for the BOM Loader.
All the open and edit permissions that you apply for the vpeManager settings are extended to these plugins:
• Push Plant Variables to Descendants
• Add/Update Machine Field
• Add/Update Material Field
• Create New Process
• Search CSL
To access the plugins, in the VPE Toolset menu bar, click Tools.
Grant Admin Permissions to Only Users in a Certain Group
This example shows how you can grant administration permissions to only the users in a certain group by using uiElementValue properties. To enable open and edit rights to the System Admin Toolset for managing users only, the example applies the users uiElementValue property:
1. Open the Permissions tab. From the aPriori Professional menu bar, select Tools > System Admin Toolset > System Administrator > Permissions.
2. In the Permissions tab, create and configure the new permission:
2.1. Under the permissions list, select the Add button.
2.2. In the Input tab, for Permission Name enter YC.SystemAdmin.Users.OE and then click OK.
2.3. In the Permissions tab, for:
2.3.1. Description – Enter Allow configured admins rights to the manage users.
2.3.2. Resource – From the dropdown menu, select System Admin.
2.3.3. Action – Select Use, Open, Edit, and When this rule is true. For:
2.3.3.1. Subject – Select uiElement.
2.3.3.2. Property – name is the only option.
2.3.3.3. Operator – Select ==.
2.3.3.4. Subject – Select uiElementValue.
2.3.3.5. Property – Select users.
For this configuration, the generated rule is uiElement.name==uiElementValue.users
2.3.4. Grant – Select Normal: Actions are permitted unless blocked by a Strong Deny permission.
2.3.5. Deny – Select Normal: Actions are blocked unless permitted by another permission.
3. To save your changes, click the publish button.
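An access-review helper for rules of the form generated in step 2.3.3, added here as an example and not part of aPriori's documentation or product: it checks each rule's property against the tables on this page and reports the extra scope the page describes (the vpeManager plugins, and Edit on the two utilities). The (name, actions, rule) input format and the EX.* permission names are assumptions constructed for the example.

```python
import re

# uiElementValue properties copied from the two tables on this page.
FIRST_LEVEL = set("""ldapConnections users roles licenseModules deploymentDefault
    groups userDefinedAttributes dialogViews permissions systemVariables
    compositeMappingFiles migration vpeManager costModelEditor
    procesGroupSiteVariables deploymentData bomLoader""".split())
PARENT_OF = {  # second-level property -> first-level parent property
    "groupPermissions": "groups", "groupMembers": "groups",
    "groupAttributes": "groups", "deploymentDataCurrency": "deploymentData",
    "deploymentDataProcessGroups": "deploymentData",
    "deploymentDataCostTaxonomyDisplayNames": "deploymentData"}
VPE_PLUGINS = ["Push Plant Variables to Descendants", "Add/Update Machine Field",
               "Add/Update Material Field", "Create New Process", "Search CSL"]
UTILITIES = {"migration", "bomLoader"}  # Edit also unlocks the utility settings
RULE = re.compile(r"uiElement\.name\s*==\s*uiElementValue\.(\w+)")

def review(perms):
    """Return (permission name, finding) pairs for (name, actions, rule) tuples."""
    out = []
    for name, actions, rule in perms:
        m = RULE.fullmatch(rule.strip())
        if not m:
            out.append((name, "rule is not a single tab comparison; review by hand"))
            continue
        prop = m.group(1)
        if prop in PARENT_OF:
            out.append((name, f"scope: child tab of {PARENT_OF[prop]}"))
        elif prop not in FIRST_LEVEL:
            out.append((name, f"unknown property {prop}"))
            continue
        if prop == "vpeManager" and {"Open", "Edit"} & set(actions):
            out.append((name, "also covers plugins: " + ", ".join(VPE_PLUGINS)))
        if prop in UTILITIES and "Edit" in actions:
            out.append((name, "Edit lets users change utility settings"))
    return out

# Constructed sample input (assumed format); only the first entry is from this page.
P = "uiElement.name==uiElementValue."
SAMPLE = [
    ("YC.SystemAdmin.Users.OE", ["Use", "Open", "Edit"], P + "users"),
    ("EX.Vpe.Manager.O", ["Open"], P + "vpeManager"),
    ("EX.Bom.OE", ["Open", "Edit"], P + "bomLoader"),
    ("EX.Typo.O", ["Open"], P + "groupMember"),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE):
        print(f"{name}: {finding}")
```

The permission from the procedure above produces no findings, since it is scoped to the single Users tab; the other three sample entries each produce one.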