aPriori Professional Out-of-Box (OOB) Access Control Model
When you first install aPriori Professional, no system admin, VPE admin, or super-user group, and therefore no user in those groups, is denied the right to open and edit any data or to access and configure any associated tools. This is not because a fresh installation lacks an Access Control model for these groups. Rather, aPriori Professional ships with an Out-of-Box (OOB) Access Control Model whose permissions are designed to make it appear as if there is no access control for these groups.
In aPriori Professional 2019 R2, access control is extended to allow admins to grant or deny access and editing rights to tools and features in the System Admin Toolset and VPE Toolset. The OOB Access Control model is updated accordingly so that the default behavior for aPriori Pro is preserved. That is, when you first install aPriori Professional, no system admin, VPE admin, or super-user group, and therefore, no user in those groups, is denied access to the tools or features in any associated toolsets.
Note that because the OOB Access Control Model denies absolutely no permissions, it is not a good starting point for implementing a custom Access Control model.
The Root Access Control Model is a better starting point for implementing a custom Access Control Model because it includes a set of permissions that provide a “best practices” Access Control baseline model. At your request, the aPriori Services team can deploy the Root Access Control Model and add extensions to meet the specific requirements of your organization. For information on the aPriori Professional Root Access Control Model, see
As of aPriori release 2019 R2, these OOB permissions and associations are required:
aP.VPEToolset.Open – Grants VPE toolset access to All Users.
aP.VPEToolset.Edit – Grants VPE toolset access to VPE Admins.
aP.SystemAdmin.OE – Grants System Administrator toolset access to System Admins.
aP.SystemAdmin.OE.StrongGrant – Grants System Administrator toolset access to Super Users.
aP.VPEToolSet.OE.StrongGrant – Grants VPE toolset access to Super Users.
Migrate or Import to the Current Release from a Release Prior to 2019 R2.
If you are migrating or exporting an access control model from a release that is earlier than 2019 R2 to the current release, you must manually add the required OOB permissions for the current release. For example, create and associate the required OOB permissions for the current release as indicated in the table, using the steps that follow it:
 
| Required Permission Name | Resource | Actions | Grant | Deny | Associated Group |
|---|---|---|---|---|---|
| aP.VPEToolset.Open | VPE Toolset | Use, Open, Always | Normal | Normal | All Users |
| aP.VPEToolset.Edit | VPE Toolset | Use, Edit, Always | Normal | Normal | VPE Admins |
| aP.SystemAdmin.OE | System Admin | Use, Open, Edit, Always | Normal | Normal | System Admins |
| aP.SystemAdmin.OE.StrongGrant | System Admin | Use, Open, Edit, Always | Strong | Normal | Super Users |
| aP.VPEToolSet.OE.StrongGrant | VPE Toolset | Use, Open, Edit, Always | Strong | Normal | Super Users |
 
1. Log in as a super user.
2. Open the Permissions tab. From the aPriori Professional menu bar, select Tools > System Admin Toolset > System Administrator > Permissions.
3. Create the required permissions. For each permission:
3.1. In the Permissions tab, create and configure the new permission:
3.2. Under the permissions list, select the Add button.
3.3. In the Input tab, for Permission Name enter the permission name, as indicated by the second column of the table, and then click OK.
3.4. In the Permissions tab, for:
3.4.1. Description – Reenter the name of the permission. For example, for the aP.VPEToolset.Open permission, enter aP.VPEToolset.Open for the description.
3.4.2. Resource – From the dropdown menu, select the value indicated by the Resource column of the table.
3.4.3. Action – Select the actions indicated by the Action column of the table. Then, for:
3.4.3.1. Subject – Select CONSTANT.
3.4.3.2. Property – Select true.
For every one of these required permissions, the generated rule is true.
3.4.4. Grant – Select the value that is indicated by the Grant column in the table.
3.4.5. Deny – Select the value that is indicated by the Deny column in the table.
4. To save your changes, click the Publish button.
5. Associate the new permissions to the appropriate groups, as indicated by the name of the group in the last column of the table.
5.1. In the Groups tab, in the groups list, select the group directory for the group that you want to associate with a permission.
5.2. In Associated Permissions, select the Add Permissions to Group button.
5.3. In the Search Permissions window, for Name, enter the name of the permission that you want to associate to the group and then click Find.
5.4. In the Available Permissions list, select the name of the permission that you want to associate to the group and then click OK.
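Because the required permissions are entered by hand after a migration, it is worth checking the result against the table before relying on it. The following is an added example, not aPriori code: it compares a list of permission records with the five required rows and reports missing entries, wrong Grant or Deny strength, and missing group associations. The record layout and the function name audit are assumptions; the records would be transcribed from the Permissions and Groups tabs.

```python
# Added example: audit a migrated model against the required OOB permissions.
# The record layout (name/resource/grant/deny/groups) is hypothetical, not an
# aPriori export format.

# Required rows transcribed from the table on this page:
# name -> (resource, grant, deny, associated group)
REQUIRED = {
    "aP.VPEToolset.Open": ("VPE Toolset", "Normal", "Normal", "All Users"),
    "aP.VPEToolset.Edit": ("VPE Toolset", "Normal", "Normal", "VPE Admins"),
    "aP.SystemAdmin.OE": ("System Admin", "Normal", "Normal", "System Admins"),
    "aP.SystemAdmin.OE.StrongGrant": ("System Admin", "Strong", "Normal", "Super Users"),
    "aP.VPEToolSet.OE.StrongGrant": ("VPE Toolset", "Strong", "Normal", "Super Users"),
}

def audit(permissions):
    """Return a sorted list of findings; an empty list means all five rows match."""
    by_name = {p["name"]: p for p in permissions}
    by_lower = {p["name"].lower(): p["name"] for p in permissions}
    findings = []
    for name, (resource, grant, deny, group) in REQUIRED.items():
        found = by_name.get(name)
        if found is None:
            # A name that differs only in capitalisation is flagged for review.
            near = by_lower.get(name.lower())
            hint = f" (case-only near match: {near})" if near else ""
            findings.append(f"{name}: missing{hint}")
            continue
        for field, want in (("resource", resource), ("grant", grant), ("deny", deny)):
            if found.get(field) != want:
                findings.append(f"{name}: {field} is {found.get(field)!r}, expected {want!r}")
        if group not in found.get("groups", []):
            findings.append(f"{name}: not associated with group {group!r}")
    return sorted(findings)

def row(name, resource, grant, deny, groups):
    return {"name": name, "resource": resource, "grant": grant, "deny": deny, "groups": groups}

# Constructed sample: a pre-2019 R2 model with the permissions added by hand.
SAMPLE = [
    row("aP.VPEToolset.Open", "VPE Toolset", "Normal", "Normal", ["All Users"]),
    row("aP.VPEToolset.Edit", "VPE Toolset", "Normal", "Normal", []),  # step 5 skipped
    row("aP.SystemAdmin.OE", "System Admin", "Normal", "Normal", ["System Admins"]),
    row("aP.SystemAdmin.OE.StrongGrant", "System Admin", "Normal", "Normal", ["Super Users"]),
    row("aP.VPEToolset.OE.StrongGrant", "VPE Toolset", "Strong", "Normal", ["Super Users"]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The last sample row uses the capitalisation aP.VPEToolset, which this page also uses elsewhere for the same permission; the check reports it as a near match to review rather than deciding which spelling is correct.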
Root Access Control Model for aPriori Professional
The Root Access Control Model includes a set of permissions that provide a “best practices” baseline configuration for implementing a custom Access Control Model. At your request, the aPriori Services team can deploy the Root Access Control Model and add extensions to meet the specific requirements of your organization.
Access the Root Access Control Model Permissions
 
Prerequisite: Before you can access the Root Access Control Model, you must import a file that you can obtain from the aPriori services organization.
 
NOTE: If you access the Root Access Control Model in the production environment, every user becomes immediately blocked. You should only access the Root Access Control Model permissions in a development system.
To access the Root Access Control Model permissions, open the Groups tab:
1. Open the System Admin Toolset. From the aPriori Professional menu bar, select Tools > System Admin Toolset.
2. Open the System Administrator. In the System Admin Toolset window, click the System Administrator button.
3. Open the Groups tab. In the System Administrator window, click Groups.
4. To see the Super Users (super_user) folder, expand the System Admins (administrators) folder.
5. To examine the Associated Permissions, Members, and Attributes for each group, select the relevant group folder.
The root model enforces these rules for members of each of these OOB groups:
All Users have almost no permissions by design. Rather than removing a long list of permissions that you want to deny, this construct allows you to add the typically shorter list of permissions that you want to grant.
Super Users:
o Have full access to data, VPEs, and the AC model
o Cannot be blocked by Access Control permissions that restrict access to the System Admin Toolset or to the VPE Toolset.
System Admins have:
o Full access to end user data and to the System Admin tools
o Limited access to the Access Control Model
o No access to VPEs. For VPE access, System Admins can be added to a VPE group.
VPE Admins have:
o Full access to VPEs (CRUD and Cost Using)
o No access to end user data
o Full access to the VPE toolset.
The aPriori Professional 2019 R2 Root Access Control Model is built upon the Root Access Control Model for the prior release. The differences between the base model for 2019 R2 and the base model for the prior release are:
System Admins and VPE Admins are enabled with full access to their respective tools.
A new System Admins group permission, ap.SystemAdmin.OE, enables all the UI features in the System Admin tool.
A new VPE Admins permission, aP.VPE.Toolset.OE, opens all the UI features in the VPE Toolset.
Two new Super User permissions:
o aP.SystemAdmin.OE.StrongGrant
o aP.VPEToolset.OE StrongGrant
 
The tables show how the aPriori Professional 2019 R2 Root Access Control Model defines permissions for OOB groups.
All Users Group Permissions
| Name | Action | Resource | Rule | Grant | Deny |
|---|---|---|---|---|---|
| aP.Component.Create | Create | Component | true | Normal | Normal |
| aP.Rollup.Create | Create | Rollup | true | Normal | Normal |
 
System Admins Group Permissions
| Name | Action | Resource | Rule | Grant | Deny |
|---|---|---|---|---|---|
| aP.Component.RUD | Delete, Read, Update | Component | true | Normal | Normal |
| aP.Group.Create | Create | Group | true | Normal | Normal |
| aP.Group.UD | Delete, Read | Group | Group.name != 'super_user' | Normal | Normal |
| aP.Permission.Associate.OnlyNormal | Associate | Permission | Permission.normalGrant == true | Normal | Normal |
| aP.Rollup.RUD | Delete, Read, Update | Permission | true | Normal | Normal |
| ap.SystemAdmin.OE | Open, Edit | System Admin | true | Normal | Normal |
| aP.VPE.CostUsing | Cost Using | VPE | true | Normal | Normal |
| aP.VPE.Read | Read | VPE | true | Normal | Normal |
 
VPE Admins Group Permissions
| Name | Action | Resource | Rule | Grant | Deny |
|---|---|---|---|---|---|
| aP.VPE.CostUsing | Cost Using | VPE | true | Normal | Normal |
| aP.Rollup.Create | Create | VPE | true | Normal | Normal |
| aP.VPE.Read | Read | VPE | true | Normal | Normal |
| aP.VPE.UD | Delete, Update | VPE | true | Normal | Normal |
| aP.VPEToolset.OE | Open, Edit | VPE Toolset | true | Normal | Normal |
 
Super User Group Permissions
| Name | Action | Resource | Rule | Grant | Deny |
|---|---|---|---|---|---|
| aP.Component.Create.StrongGrant | Create | Component | true | Strong | Normal |
| aP.Component.RUD.StrongGrant | Delete, Read, Update | Component | true | Strong | Normal |
| aP.Group.Create.StrongGrant | Create | Component | true | Strong | Normal |
| aP.Group.UD.StrongGrant | Delete, Update | Group | true | Strong | Normal |
| aP.Permission.Associate.StrongGrant | Associate | Permission | true | Strong | Normal |
| aP.Group.Create.StrongGrant | Create | Permission | true | Strong | Normal |
| aP.Rollup.RUD.StrongGrant | Delete, Read, Update | Rollup | true | Strong | Normal |
| aP.SystemAdmin.OE.StrongGrant | Open, Edit | System Admin | true | Strong | Normal |
| aP.VPE.CostUsing.StrongGrant | Cost Using | VPE | true | Normal | Normal |
| aP.VPE.Create.StrongGrant | Create | VPE | true | Strong | Normal |
| aP.VPE.RUF.StrongGrant | Delete, Read, Update | VPE | true | Strong | Normal |
| aP.VPEToolset.OE StrongGrant | Open, Edit | VPE Toolset | true | Strong | Normal |
 
Configure Admin Roles Using the Root Access Control Model
This example shows how to design and create these custom admin roles:
User Admin – User admins provision aPriori Professional users.
VPE Currency Admin – VPE currency admins modify aPriori Professional foreign exchange rates.