Permission Set

Permission Sets are the basis for administering authorities in IFS Applications. A Permission Set is a set of permissions which you can grant to users to give them the authority to perform tasks such as viewing or updating certain information. There are different types of permissions, such as access to Database Objects, Activities, Services or System Privileges.

Note: A Permission Set is also referred to as an FndRole.

Read more about the concept Permission Sets.

Create Permission Set

A Permission Set can be created in both the Permission Sets form and the Create Permission Set form. The required information is a Permission Set ID and a Permission Set Type. The Permission Set Type can be set to End User Role if it should be possible to grant the Permission Set directly to users, or Functional if the Permission Set should be granted to other Permission Sets only. It is also recommended to enter a useful description that states the purpose of the Permission Set.

Actions

Revoke all Security Permissions. This is a quick way of deleting all grants on the permission set. The grants are removed once you save the permission set.

Merge Grants from other Permission Set. This opens a list where you can select another permission set. All object grants on the selected permission set will be copied to the current permission set. The result is a permission set that grants everything it did before and also grants all objects from the selected permission set.

Refresh all Security Objects. This action repopulates presentation objects, database objects, activities, system privileges and IAL objects from the server. See also Handle changes to the dictionary for more details.

Refresh Security Cache. Once this action is executed, IFS EE clients will re-fetch the security setup the next time the user logs on to IFS. Security changes apply on the server side once the permission set is changed, but the IFS client only becomes aware of what is granted to the user at the next logon after this cache is refreshed. The effect in the client is that it hides windows you are not granted and disables links to functionality you are not granted. Using non-granted windows or actions will generate a security exception.

Refresh Dictionary Cache. See Handle changes to the dictionary for details.

Show Users granted this. This action shows a list with all users that are directly granted the current permission set. In this list you can navigate to the User detail or the Grant Permission Set To User matrix or directly revoke the permission set from the user or grant it to additional users.

View Structure. This action opens the structure view, where you can see and edit which other permission sets this permission set includes and also which other permission sets are granting this permission set. See Permission Set Grant Structure for more details.

Remove License connection. This action is only valid for LTU permission sets, where the permission set restricts what the user may use in the system and making changes to the permission set is limited. The action will disconnect the permission set from the license and make it fully editable. The action will raise an exception if the current license does not allow you to perform the action. The action can always be performed if no user is granted this permission set or the granted users are not active. The connection to the license is restored once a valid license file defining this permission set is applied in the License Management window. Contact your IFS representative in case the license must be updated.

Export and Import Permission Sets

A Permission Set can be exported to a file as an extra backup or so that it can be imported into another installation of IFS Applications. The default export format is xml. Open the Permission Set in the Permission Set detail form and click the Export Permission Set link. Select a folder and click OK. Permission Set exports in xml format can be imported using the Import Permission Set link on the Security Administration start page. Select one or many Permission Set export files and click OK. There is also an option to select the export format sql. Exports in sql format cannot be imported using Import Permission Set in Solution Manager. The Permission Set can, however, be imported by executing the sql file directly in the database of the IFS Applications installation.

If the permission set needs to be exported for an LTU license, the Export for LTU License option should be used. When this option is checked, the Include Presentation Objects, Include Permission Set Grant Structure and Export as XML File options will be checked and disabled, as they are mandatory when exporting for an LTU License.

The Permission Sets window lists all permission sets. In this window it is possible to export one or many permission sets to files. Select the permission sets that should be exported, right-click and select Export Permission Sets.

Note: Permission Sets with granted activity filters should be exported as xml. The granted filters will not be included if you choose to export in sql format.

Manage Permission Set Content - Grant and Revoke Objects

Grants and Revokes are handled in the Permission Set form. All grant and revoke operations are effective once you refresh the security cache. To revoke all grants on a Permission Set right-click in the form and select Revoke All Grants.

Manage Presentation Object Security

The Presentation Objects are shown in both the Presentation Objects by Navigator and the Presentation Objects by Component tab pages. These are just different arrangements that make the objects easier to find and also help when granting or revoking on aggregated levels.

Almost all windows in IFS are represented by a Presentation Object that is used to manage access to the window. Some windows, mainly in Solution Manager or general windows like Background Jobs, use Activities instead. For a list of such windows and the activities that are used, see the Feature Activity Reference list.

Presentation Objects By Navigator

This tab page shows the Presentation Objects arranged by a specific IFS Application Navigator. By default you will see the IFS Enterprise Explorer Navigator.

To see the Presentation Object for a navigator node, select the node; the Presentation Object, including all Presentation Objects it uses, is shown to the right.

Navigator nodes where the Presentation Object for the node is granted are displayed in color, and nodes where the Presentation Object is revoked are displayed in grey. For granted Presentation Objects the checkbox is checked; it is unchecked if revoked.

To grant or revoke Presentation Objects you can right-click on a navigator node and invoke the grant or revoke operation, or set/unset the checkbox of the presentation object. Granting/revoking by invoking the operations on a navigator node will grant/revoke all presentation objects categorized under it, depending on the dependency type of the presentation objects. If the node has sub nodes, the Presentation Objects for these nodes will also be granted or revoked (depending on the dependency type).

Note: Dependency types 7 - Form Window (not granted by default) and 8 - Table Window (not granted by default) are not granted automatically and must be granted manually if needed. The names of these sub presentation objects are written in italics.

To see if a Presentation Object is used in any other Presentation Objects you can just click on the Presentation Object and those will be shown in the Where Used list to the right.

To view which Database Objects a Presentation Object uses right-click the Presentation Object and select Show Database Objects. This will show the Presentation Object in Presentation Objects by Component where also Database Objects are shown.

All Permission Sets that grant a selected Presentation Object are listed if you right-click on a Presentation Object and select Show Grantees.

Navigator Preview

To get a quick preview of what is granted you can open the Navigator Preview tab to the right in the Presentation Objects by Navigator. This will show only the nodes where the presentation object is granted.

Presentation Objects By Component

Presentation Objects by Component shows all presentation objects arranged by Component. You can switch between viewing only objects that are granted, only objects that are not granted, or all objects. Right-click in the form and select one of the options Show Granted / Show Not Granted / Show Not Full Granted to toggle the view mode.

To see which Presentation Objects a Presentation Object uses, just expand the node and those are displayed as sub nodes.

To see which Presentation Objects use this Presentation Object, just select the Presentation Object and those are shown in the Where Used list to the right. For granted Presentation Objects the checkbox is checked; it is unchecked if revoked. Fully granted Presentation Objects are displayed in black and partially granted Presentation Objects are displayed in blue. Fully granted means that all Database Objects that this Presentation Object uses are granted, and partially granted means that some Database Objects that this Presentation Object uses are revoked.

You can grant or revoke all Presentation Objects for a component, or expand a component and grant/revoke on any level in the tree: just right-click the node and invoke the grant or revoke operation. However, to grant or revoke all Presentation Objects in a logical unit, or a Presentation Object including all Presentation Objects below it in the structure, just select or deselect the checkbox on the node in the tree.

View/Grant/Revoke Database Objects used by a Presentation Object.

The Database Objects used by a Presentation Object are listed in the tree when expanding the Database Objects node. This node is only present if the Presentation Object uses any Database Objects. Set the checkboxes for the Database Objects you want to grant and unset the checkboxes for the Database Objects you want to revoke. To see which Presentation Objects use a Database Object, just select the Database Object and these Presentation Objects will be shown in the Where Used list to the right. This is helpful when you work directly on the Database Objects to manage security. Note that when revoking a Presentation Object, only the Database Objects which are not used by other granted Presentation Objects will be revoked. Read more about this in the Interaction between Presentation Objects and Database Objects. Pragma methods cannot be revoked. The security for a pragma method is the same as its database package security, so you must revoke the database package in order to revoke the pragma method. This can be done in the Database Objects View.
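
The revoke rule and the fully/partially granted states described above, as a small model. This is an added example and not IFS code: all object names are constructed, and it assumes the Database Objects used by each Presentation Object are available as a plain mapping.

```python
# Added example (not IFS code). All object names below are constructed.
# Presentation Object -> Database Objects (views, methods) it uses.
PO_USES = {
    "frmDemoOrder":    {"DEMO_ORDER", "DEMO_CUSTOMER", "DEMO_ORDER_API.New__"},
    "frmDemoCustomer": {"DEMO_CUSTOMER", "DEMO_CUSTOMER_API.Modify__"},
    "tbwDemoOrders":   {"DEMO_ORDER"},
}


def grant_status(po, granted_pos, granted_dbs):
    """Return 'revoked', 'full' (all used Database Objects granted) or
    'partial' (at least one used Database Object is revoked)."""
    if po not in granted_pos:
        return "revoked"
    return "full" if PO_USES[po] <= granted_dbs else "partial"


def revoke_presentation_object(po, granted_pos, granted_dbs):
    """Revoke `po` and drop only the Database Objects that no other granted
    Presentation Object uses.

    Returns (remaining_pos, remaining_dbs, kept), where `kept` maps every
    Database Object of `po` that stays granted to the Presentation Objects
    that still hold it. That map is what a reviewer checks after a revoke.
    """
    remaining_pos = granted_pos - {po}
    kept = {}
    for db in sorted(PO_USES[po] & granted_dbs):
        holders = sorted(p for p in remaining_pos if db in PO_USES[p])
        if holders:
            kept[db] = holders
    revoked = (PO_USES[po] & granted_dbs) - set(kept)
    return remaining_pos, granted_dbs - revoked, kept


if __name__ == "__main__":
    pos = set(PO_USES)
    dbs = set().union(*PO_USES.values())
    pos, dbs, kept = revoke_presentation_object("frmDemoOrder", pos, dbs)
    print("still granted after revoke:", kept)
    print("frmDemoCustomer is", grant_status("frmDemoCustomer", pos, dbs))
```

Revoking the order form removes only the method nothing else uses; the two views stay granted because other granted Presentation Objects use them.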

You can open a selected Database Object in the Database Objects View to see all views within the same Logical Unit and methods in the same Package. To do that right-click on a View or a Method and select Show Database Objects View.

View Permission Sets that grant a Presentation Object or a Database Object

All Permission Sets that grant a selected Presentation Object or Database Object are listed if you right-click on the Object and select Show Grantees. This will open a window showing the Permission Sets and you can click on a Permission Set to view the details.

Find Presentation Object

If you know the name or technical id, you can type this or the first letters in the Find Presentation Object field. Click on Find and all Presentation Objects that match your query are shown in the list below. Click on a Presentation Object to show it in the Presentation Object tree.

Manage Presentation Object Security for multiple Permission Sets

When you want to manage the security for a presentation object for more than one permission set you can use the Presentation Object Grants feature.

Manage Database Object Security

Database Objects are granted and revoked in the Database Objects tab. The Database Objects are arranged by Component and Logical Unit. You can switch between viewing only the objects that are granted and showing all objects. Right-click in the form and select Show Granted to toggle the view mode. When working with Presentation Objects you can always check which Database Objects are granted and which are revoked.

Grant information is indicated by the checkbox and the node coloring. A Logical Unit where all Database Objects are fully granted is displayed in black and the checkbox is checked. For a Logical Unit where some Database Objects are granted and some are not, the node is checked but the color is blue. If no Database Object is granted in the Logical Unit, the node is unchecked and the text is grey. In the same way, Database Packages where all Methods are granted are displayed in black and the checkbox is checked. If some Method is not granted, the color is blue instead. Packages which are not granted are displayed in grey and the checkbox is unchecked.

Views and Methods are displayed in black with the checkbox checked when granted; when revoked, the checkbox is unchecked and the node is displayed in grey. To grant or revoke all Database Objects in a component, right-click on the component and invoke the Grant or Revoke operation. The same procedure is valid for all nodes in the tree. However, to grant or revoke all Database Objects in a Logical Unit, a Database Package, a Database View or a single Method, it is easier to just check or uncheck the checkbox on the node in the tree.

The methods with a hollow diamond as a symbol are methods with unchecked access. These methods are used within views and SELECT statements. They cannot contain code that checks for method level security. Instead, the view or method from where the call is made should contain appropriate grants. When a method is granted, the package it belongs to also gets granted. This means that all methods within that package that have unchecked access also get granted, since they are not checked on a method level. It also means that as long as there is something in that package granted, all these methods will be granted. The only way to not grant them is to revoke the package as a whole.
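
The package rule for unchecked-access methods described above, as a model you can step through. This is an added example and not IFS code: the package and method names are constructed, and it assumes that revoking individual methods leaves the package grant in place, following the statement that only revoking the whole package removes the unchecked methods.

```python
# Added example (not IFS code): a model of the package/method grant rule.
# Constructed catalog: package -> {method name: True if unchecked access}.
CATALOG = {
    "DEMO_ORDER_API":   {"New__": False, "Modify__": False,
                         "Get_State": True, "Get_Total": True},
    "DEMO_INVOICE_API": {"Remove__": False, "Get_Amount": True},
}


class MethodGrants:
    """Method-level grants held by one Permission Set."""

    def __init__(self):
        self.packages = set()   # granted packages
        self.methods = set()    # granted checked methods as (package, name)

    def grant_method(self, pkg, name):
        self.packages.add(pkg)  # granting a method also grants its package
        if not CATALOG[pkg][name]:
            self.methods.add((pkg, name))

    def revoke_method(self, pkg, name):
        """Return False for an unchecked method: it has no method-level
        check, so it cannot be taken away on its own."""
        if CATALOG[pkg][name]:
            return False
        # Assumption: the package grant itself stays in place here.
        self.methods.discard((pkg, name))
        return True

    def revoke_package(self, pkg):
        self.packages.discard(pkg)
        self.methods = {m for m in self.methods if m[0] != pkg}

    def callable_methods(self):
        """Granted checked methods plus every unchecked method of every
        granted package."""
        unchecked = {(p, n) for p in self.packages
                     for n, is_unchecked in CATALOG[p].items() if is_unchecked}
        return self.methods | unchecked

    def implicit_methods(self):
        """Unchecked methods exposed only because their package is granted."""
        return self.callable_methods() - self.methods


if __name__ == "__main__":
    grants = MethodGrants()
    grants.grant_method("DEMO_ORDER_API", "New__")
    print("callable:", sorted(grants.callable_methods()))
    print("implicit:", sorted(grants.implicit_methods()))
    grants.revoke_method("DEMO_ORDER_API", "New__")
    print("after revoking New__:", sorted(grants.callable_methods()))
    grants.revoke_package("DEMO_ORDER_API")
    print("after revoking the package:", sorted(grants.callable_methods()))
```

When reviewing a Permission Set, the output of `implicit_methods()` is the part that is easy to miss in the tree: methods nobody checked explicitly that are reachable through the package grant.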

View Presentation Objects that use a Database Object

To see which Presentation Objects use a Database Object, just select the Database Object and those are shown in the Where Used list to the right. Click on the Presentation Object to show it in the Presentation Object tree in the Presentation Objects by Component tab.

View Permission Sets that grant a Database Object

All Permission Sets that grant a selected Database Object are listed if you right-click on the Database Object and select Show Grantees. This will open a window showing the Permission Sets and you can click on a Permission Set to view the details.

Find Database Object

To find a Database Object, type the name or the first letters in the Find Database Object field. Click on Find and all Database Objects that match your query are shown in the list below. Click on a Database Object to show it in the Database Object tree.

Grant, Revoke System Privileges

System Privileges are granted and revoked in the System Privileges tab. Set the checkboxes for the System Privileges you want to grant and unset the checkboxes for the System Privileges you want to revoke.

View Permission Sets that grant a System Privilege

All Permission Sets that grant a selected System Privilege are listed if you right-click on the System Privilege and select Show Grantees. This will open a window showing the Permission Sets and you can click on a Permission Set to view the details.

Grant, Revoke Activities

Activities are granted and revoked in the Activities tab. The Activities are arranged by Component. Set the checkboxes for the Activities you want to grant and unset the checkboxes for the Activities you want to revoke. To grant or revoke all activities in a component, right-click the component node and invoke the grant or revoke operation. You can switch between viewing only the activities that are granted, only those that are not granted, or all activities. Right-click in the form and select Show Granted / Show Not Granted to toggle this view mode. You can also show the activities without having them grouped by Component. Right-click and select Group by Component to toggle this view mode.

Applying Filter to granted Activities

To achieve data row security, filters can be added to granted activities for a permission set. The filter restricts which entity instances can be handled by the activity. Multiple filters can be added to the same activity. Filters are defined in the Permission Set Filters window.

To add a filter, right-click the granted activity and select the Add Filter... menu option. This opens the Add Filter dialog. You can search for existing filters; you will see both the filter name and the entity it applies to. Search for % to find all filters. To select a filter, double-click the filter or use the OK button.

To remove a filter from an activity, right-click the filter and use the Remove Filter menu option. Note that this will not remove the filter itself, only this particular use of the filter. The right-click menu also has options to create new and edit already granted permission set filters.

View Permission Sets that grant an Activity

All Permission Sets that grant a selected Activity are listed if you right-click on the Activity and select Show Grantees. This will open a window showing the Permission Sets and you can click on a Permission Set to view the details.

Grant, Revoke IAL Objects

IAL Objects are granted and revoked in the IAL Objects tab. Set the checkboxes for the IAL Objects you want to grant and unset the checkboxes for the IAL Objects you want to revoke.

View Permission Sets that grant an IAL Object

All Permission Sets that grant a selected IAL View are listed if you right-click on the IAL View and select Show Grantees. This will open a window showing the Permission Sets and you can click on a Permission Set to view the details.

Grant, Revoke Projections

A Projection can be either granted or granted query only. Grant would allow read and write access to the entities and operations. Grant Query will revoke the write access to the entities and to all the Actions which are capable of changing the data. Only read access to the entities and Functions are granted. The Revoke option will remove all grants to a projection from the Permission Set.

Unbound Actions can be individually granted or revoked.

If an Entity is granted, the write access to the underlying entity (create, update and delete) is given along with its Bound Actions. Grant Query will revoke all the write access and the grants to the Bound Actions, but keep read access and access to Functions. Revoke is not possible for a single entity.

Bound Actions can be individually granted or revoked.

View Permission Sets that grant Projections

All Permission Sets that grant a selected Projection are listed if you right-click on the Projection and select Show Grantees. This will open a window showing the Permission Sets and you can click on a Permission Set to view the details.

Handle changes to the dictionary

The Permission Set Detail window shows different kinds of security objects like Presentation Objects, Activities, Database Objects etc. If these objects are changed, you may need to refresh this data. Normally these objects are not changed unless you upgrade the system. In that case the upgrade procedure will also update the Dictionary, where this information is stored. However, if changes that affect the dictionary are made to the logical units in the database, "Refresh Dictionary Cache" is shown in red. Run this option to refresh the security objects used when granting and revoking access to permission sets. The Permission Set Detail window also remembers (within the same session) the definition of a Presentation Object, such as which Database Objects it uses and which other Presentation Objects it uses. This means that if a Presentation Object has been modified in the Presentation Object Detail window, you may need to update the Permission Set Detail window. Right-click in the window and select "Refresh Security Objects". This will refresh all the security objects loaded into the form. These objects will otherwise be refreshed after a restart of Enterprise Explorer. On each tab page you can also refresh only the security objects on that tab, for example "Refresh Database Objects" on the Database Objects tab page. When "Refresh Dictionary Cache" is executed from this window, the refresh of all security objects is also performed.

After a system upgrade it is easiest to work with the Presentation Object Grants window to view which Presentation Objects are new or modified and, if needed, update existing permissions. See also Update Permission Sets for more information.

Permission Set Grant Structure

A Permission Set which has the Permission Set Type "Functional Role" can grant its permissions to other Permission Sets. These Permission Set grants are managed from the Permission Set Grant Structure form. You can navigate to this form from the Permission Set form by clicking on the View Structure link, or from the Permission Sets form by right-clicking on a Permission Set and selecting View Permission Set Structure.

Permission Sets which are added to the Granted Permission Sets list in the form are granted to this Permission Set. If any of these Permission Sets are also granted other Permission Sets, you can view the complete grant structure by expanding the tree in the Structure Preview tab to the left.

Permission Sets which grant the current Permission Set are shown in the Grantees tab.

The total permissions of a Permission Set are thus the sum of the permissions granted directly to the Permission Set, managed in the Permission Set form, and all permissions granted to the Permission Sets shown in the Structure Preview in this form. The total preview for a Permission Set can be viewed in the Security Summary form.
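
The sum described above, computed over a nested grant structure and annotated with the chain of Permission Sets that delivers each grant. This is an added example and not IFS code: the Permission Set and object names are constructed, the grant data is assumed to be available as two plain mappings, and the loop in the sample data is there only to exercise the cycle guard.

```python
# Added example (not IFS code). All identifiers below are constructed.
from collections import deque

# Permission Set -> grants made directly on it, as (object type, name).
DIRECT_GRANTS = {
    "SALES_CLERK":     {("PRESENTATION_OBJECT", "frmDemoOrder")},
    "FUNC_ORDER_READ": {("DATABASE_OBJECT", "DEMO_ORDER"),
                        ("ACTIVITY", "DemoViewOrder")},
    "FUNC_REPORTING":  {("IAL_OBJECT", "DEMO_ORDER_STATS")},
    "FUNC_ADMIN":      {("SYSTEM_PRIVILEGE", "DEMO_SYS_PRIV")},
}

# Permission Set -> entries of its Granted Permission Sets list.
GRANTED_SETS = {
    "SALES_CLERK":    ["FUNC_ORDER_READ", "FUNC_REPORTING"],
    "FUNC_REPORTING": ["FUNC_ORDER_READ", "FUNC_ADMIN"],
    "FUNC_ADMIN":     ["FUNC_REPORTING"],  # loop, to exercise the guard
}


def effective_grants(root, direct=DIRECT_GRANTS, granted=GRANTED_SETS):
    """Map every grant reachable from `root` to the shortest chain of
    Permission Sets that delivers it (breadth-first traversal)."""
    paths = {root: [root]}
    queue = deque([root])
    result = {}
    while queue:
        current = queue.popleft()
        for grant in sorted(direct.get(current, ())):
            result.setdefault(grant, paths[current])
        for child in granted.get(current, ()):
            if child not in paths:  # visited check doubles as cycle guard
                paths[child] = paths[current] + [child]
                queue.append(child)
    return result


def inherited_only(root, direct=DIRECT_GRANTS, granted=GRANTED_SETS):
    """Grants `root` holds solely through the grant structure, which are
    the ones that do not show up as direct grants on `root` itself."""
    own = direct.get(root, set())
    return {g: p for g, p in effective_grants(root, direct, granted).items()
            if g not in own}


if __name__ == "__main__":
    for (kind, name), chain in sorted(inherited_only("SALES_CLERK").items()):
        print(f"{kind:20} {name:18} via {' > '.join(chain)}")
```

In the sample data the end user role picks up a system privilege two levels down, through a functional set that looks like it only concerns reporting.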