User Authorization
When a user attempts to access data, the process of authorization takes place. Authorization determines whether a user is allowed to perform a certain action on the selected data. If the operation is not authorized (allowed), it is rejected.
Authorization can be broken down into data authorization and functional authorization. Functional authorization is about determining the operations, the procedures and functions, that a certain user is allowed to use. Data authorization is about determining on which data the user has permission to operate.
Platform Authorization
The platform supports authorization on Projections, Projection Actions, Database tasks, Lobbies, Workflows, and Quick Reports.
All authorization is performed within the server business logic and is independent of the client used. Because security is implemented in the servers, authorization cannot be bypassed by using a maliciously modified client or utilities.
Role based authorization
Authorization is implemented using a role concept. Instead of giving every user the rights to run a certain part of the application, you create roles and assign various rights to the different roles. If a user changes jobs within an organization, it is relatively easy to remove the current roles and give the individual new roles that reflect the new responsibilities.
Roles may be granted other roles. This makes it possible to create user-roles from functional roles. As an example, you may create roles for entering machine data, performing daily time reporting, and requesting machine overhaul. If a machine operator is supposed to have all these rights, create the role Machine_Operator, grant the functional roles to Machine_Operator, and assign only the role Machine_Operator to machine operators.
Authorization on Projections
A Projection is a self-contained API which completely implements a defined business function. It may serve either a single or many business activities. It is a union of data views (Entities, Queries, Entity sets, etc.) and Operations (Functions and Actions) required for executing those tasks. IFS Cloud Web client uses Projections.
A Projection can only be read-authorized as a single unit. Projections can be write-authorized on individual action level (Create, Update, Delete on Entities and Custom Actions).
Security authorization is performed at the Projection level.
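The following is an added example, not IFS code: a simplified model of how role-to-role grants (the Machine_Operator case above) combine with Projection rules, where read is granted on the Projection as a whole and write is granted per action. All names except Machine_Operator, and the data layout itself, are assumptions made for illustration.

```python
# Constructed sample data; every name except Machine_Operator is hypothetical.
ROLE_GRANTS = {  # role -> roles granted to it
    "Machine_Operator": {"Enter_Machine_Data", "Daily_Time_Reporting", "Request_Overhaul"},
    "Shift_Lead": {"Machine_Operator", "Shift_Lead"},  # self-grant: must not loop
}
# role -> {projection: write actions}. Listing a projection grants read on all of it.
ROLE_PERMS = {
    "Enter_Machine_Data": {"MachineData": {"Create", "Update"}},
    "Daily_Time_Reporting": {"TimeReport": {"Create"}},
    "Request_Overhaul": {"MachineData": set(), "OverhaulRequest": {"Create"}},
}
USER_ROLES = {"alice": {"Machine_Operator"}, "bob": {"Daily_Time_Reporting"},
              "carol": {"Shift_Lead"}}


def effective_roles(user):
    """Expand role-to-role grants transitively; the seen set makes cycles harmless."""
    seen, stack = set(), list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_GRANTS.get(role, ()))
    return seen


def effective_permissions(user):
    """Union of projection grants over all effective roles."""
    perms = {}
    for role in effective_roles(user):
        for projection, actions in ROLE_PERMS.get(role, {}).items():
            perms.setdefault(projection, set()).update(actions)
    return perms


def is_authorized(user, projection, action=None):
    """Server-side check, deny by default. action=None means a read."""
    perms = effective_permissions(user)
    if projection not in perms:
        return False  # no grant on the projection: nothing in it is readable
    return action is None or action in perms[projection]


if __name__ == "__main__":
    for request in [("alice", "MachineData", "Update"), ("alice", "MachineData", "Delete"),
                    ("bob", "MachineData", None), ("bob", "TimeReport", "Create")]:
        print(request, "->", "allow" if is_authorized(*request) else "reject")
```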
Authorization in the Applications
Application-specific authorization is performed in all application modules. In some cases, for example the HR module, this is very elaborate. In other cases, for example maintenance, the process is very simple. In most cases the authorization in the applications is concerned with data authorization.
Data protection is facilitated through the usage of database views. Each role gives access to certain sets of data and when data is accessed it is automatically filtered. The exact implementation of these features varies between the different modules.