KS Authorization Weixia (Bonnie) Huang Feb 19, 2013.

1 KS Authorization Weixia (Bonnie) Huang Feb 19, 2013

2 KIM Basic Concepts
– Namespace -- for us, it's KS-ENR
– Role
– Permissions with Permission Details
– Add Permissions to Role(s)
– Add User(s)/Principal(s) as the member of a Role
TODO: list links of reference RICE documentation

3 Permission Templates
– Open View & Edit View
– View Group & Edit Group
– View Field & Edit Field
– View Widget & Edit Widget
– Perform Action

4 Basic Permissions
– Open View Permission
– Edit View Permission

5 Can Access vs. No Permission to Access
User Story: User A can access Manage CO pages while others can't.
– Identify role: Role A
– Create permission(s): open view (and edit view permission) with permission details: viewId=xxx
– Assign permission(s) to the role
– Add user A as a member of Role A
As CO System Administrator, I need the system to restrict certain users from accessing any Manage Course Offering pages in order to maintain information security and quality.
https://wiki.kuali.org/display/STUDENT/How+to+set+up+the+basic+authorization+for+a+standard+form+view+--+KSENROLL-3753
Open View Permission:
– Persons who belong to Role A can access the view
– Persons who do not belong to Role A can't access the view

6 ViewOnly/ReadOnly Access vs. Full/Editable Access
User Story: user A is able to successfully perform an action (Create, Modify, Delete) on Manage CO pages while user B can only view the list of COs and AOs but can NOT perform that same action.
– Identify roles: Role A and Role B
– Identify permissions assigned to each role:
  – Role A has open view permission only
  – Role B has open view and edit view permission
– Assign user A to role A and assign user B to role B
Edit View Permission and Open View Permission:
– Persons who belong to neither Role A nor Role B can't access the view
– Role A has open view permission but no edit view permission, and therefore gets a ReadOnly view
– Role B has open view and edit view permissions, and therefore gets an editable view (full access)

7 Basic Authorization
Open View Permission:
– Persons who belong to Role A can access the view
– Persons who do not belong to Role A can't access the view
Q2: Does a person in Role A get a ReadOnly view or an editable view?
Edit View Permission and Open View Permission:
– Persons who belong to neither Role A nor Role B can't access the view
– Role A has open view permission but no edit view permission, and therefore gets a ReadOnly view
– Role B has open view and edit view permissions, and therefore gets an editable view (full access)

8 Role and Role Qualification
User Story: A user is able to successfully perform an action (Create, Modify, Delete) on a course associated with their assigned administering org. That same user is NOT successful in performing that same action on a course from another administering org different from the one assigned.
https://wiki.kuali.org/display/STUDENT/How+to+set+up+a+complex+authorization+based+on+Admin+Org+role+qualification+--+KSENROLL-3755
– Identify roles:
  – KS Department Schedule Coordinator - Org role
  – KS Department Schedule Coordinator - Org View Only role
– Identify permissions assigned to each role:
  – KS Department Schedule Coordinator - Org role has Open View and Edit View permission
  – KS Department Schedule Coordinator - Org View Only role has Open View permission
– Assign Carol to both roles

9 Role and Role Qualification (cont.)
– Different Role Types
– Role Qualification
  – KS Department Schedule Coordinator - Org role
  – KS Department Schedule Coordinator - Org View Only role

10 Permissions Comparison
– KS Department Schedule Coordinator - Org role
– KS Department Schedule Coordinator - Org View Only role

11 KRAD Layers
View, Page, Section, Field…

12 KRAD Layers and Permission Template Layers
KRAD Layers: View, Page, Section, Field, Action, Widget
Permission Template Layers:
– Open View & Edit View
– View Group & Edit Group
– View Field & Edit Field
– Perform Action
– View Widget & Edit Widget

13 Set up Component level permissions
[Diagram: a page with Sections 1 to 5, shown for Role A and Role B]
Role A has full access to the whole page except for Section 2, where Role A has view-only access. Role B has full access to the whole page, including Section 2.
Base setup on view level:
– Assign Open View and Edit View permissions to Role A and Role B
Overlay component level permission:
– Assign View Group permission for Section 2 to Role A
– Assign View Group and Edit Group permissions for Section 2 to Role B

14 Example: Seat Pool section turns to readOnly while other sections are still editable

15 Set up Component Level Permissions – Flip the coin
[Diagram: a page with Sections 1 to 5, shown for Role A, Role B and Role C]
Role A has view-only access to the whole page, except that Role A can modify Section 2. Role B has full access to the whole page, including Section 2. Role C has view-only access to the whole page.

16 Set up Component Level Permissions – Flip the coin
[Diagram: a page with Sections 1 to 5, shown for Role A, Role B and Role C]
Option 1:
Base setup on view level:
– Assign Open View permission to Role A and Role C
– Assign Open View and Edit View permissions to Role B
Overlay component level permission:
– Assign View Group and Edit Group permissions for Section 2 to Role A and Role B
– Assign View Group permission for Section 2 to Role C

17 Set up Component Level Permissions – Flip the coin
[Diagram: a page with Sections 1 to 5, shown for Role A, Role B and Role C]
Option 2:
Base setup on view level:
– Assign Open View and Edit View permissions to Role A and Role B
– Assign Open View permission to Role C
Overlay component level permission:
– Assign View Group permissions for Sections 1, 3, 4, 5 to Role A
– Assign View Group and Edit Group permissions for Sections 1, 3, 4, 5 to Role B
– Assign View Group permissions for Sections 1, 3, 4, 5 to Role C
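The two setups on slides 16 and 17 can be checked against each other with a small model. This is an added example, not part of the original presentation and not Kuali Rice code; it assumes that a section with its own View Group/Edit Group permissions is decided by those permissions alone, and that any other section inherits the view-level result. All function and variable names are illustrative.

```python
# Simplified model of the layering the slides describe (not Kuali Rice code).
# Assumed rule: a section that has its own View/Edit Group permission records is
# decided by those records; a section without any inherits the view-level result.
SECTIONS = ["Section 1", "Section 2", "Section 3", "Section 4", "Section 5"]
OTHERS = ["Section 1", "Section 3", "Section 4", "Section 5"]
ROLES = ["Role A", "Role B", "Role C"]

OPEN, FULL = {"open"}, {"open", "edit"}        # Open View / Open View + Edit View
VIEW, VIEW_EDIT = {"view"}, {"view", "edit"}   # View Group / View Group + Edit Group


def effective_access(view_perms, group_perms, role):
    """Return {section: 'none' | 'read-only' | 'editable'} for one role.

    view_perms:  {role: set of 'open' / 'edit'}
    group_perms: {section: {role: set of 'view' / 'edit'}}
    """
    held = view_perms.get(role, set())
    if "open" not in held:
        # Without Open View the person cannot reach the view at all.
        return {s: "none" for s in SECTIONS}
    result = {}
    for section in SECTIONS:
        if section in group_perms:
            overlay = group_perms[section].get(role, set())
            if "view" not in overlay:
                result[section] = "none"
            else:
                result[section] = "editable" if "edit" in overlay else "read-only"
        else:
            result[section] = "editable" if "edit" in held else "read-only"
    return result


def matrix(view_perms, group_perms, roles=ROLES):
    """Effective access for every role, for comparing two setups side by side."""
    return {r: effective_access(view_perms, group_perms, r) for r in roles}


# Slide 16, Option 1: restrictive base, Section 2 opened up by the overlay.
option1 = matrix(
    {"Role A": OPEN, "Role B": FULL, "Role C": OPEN},
    {"Section 2": {"Role A": VIEW_EDIT, "Role B": VIEW_EDIT, "Role C": VIEW}},
)
# Slide 17, Option 2: permissive base, the other sections locked down by the overlay.
option2 = matrix(
    {"Role A": FULL, "Role B": FULL, "Role C": OPEN},
    {s: {"Role A": VIEW, "Role B": VIEW_EDIT, "Role C": VIEW} for s in OTHERS},
)
```

Under this model both options give the same access matrix for Roles A, B and C, but Option 1 needs overlay permissions on one section while Option 2 needs them on four.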

18 Set up Component Level Permissions -- one more tweak
[Diagram: a page with Sections 1 to 5, shown for Role A and Role B]
Option 1:
Base setup on view level:
– Assign Open View and Edit View permissions to Role A and Role B
Overlay component level permission:
– Assign View Group permissions for Sections 1, 3, 4, 5 to Role A
– Assign View Group and Edit Group permissions for Sections 1, 3, 4, 5 to Role B
Option 2:
Base setup on view level:
– Assign Open View permission to Role A
– Assign Open View and Edit View permissions to Role B
If Section 2 is always editable for all roles → NO permission checking needed for Section 2 → set p:readOnly="false" for all elements in Section 2 in the view xml file

19 Search Criteria Section – Override Permission Checking …. ….

20 Be Careful to Use p:readOnly="@{a parameter }"
Example: Authz setup is overridden by the feature to display crossListed CO
https://jira.kuali.org/browse/KSENROLL-5389
TODO:
– Find a good solution to move away from using p:readOnly for business rules/logic in general.
– Or suggest that the Rice team make some improvement to the current design and implementation of View Only?

21 How KRAD Interpreted View Only permission
View only permission means that the open view or view xxx authorization check returns true but the edit view or edit xxx authorization check returns false.
For View only permission, by default KRAD
– sets p:readOnly="true" for all input fields.
– In a collection table: automatically hides the Actions column (set p:render="false"??). According to Jerry, the checkbox column, if any, should be hidden by default, but right now it is not; need to report a bug to the Rice team
– No change on buttons and action links

22 Default Rendering by KRAD for View Only permission

23 Desired Rendering for View Only permission

24 Realize KRAD Limitation
[Diagram: Sections 1 to 5, Action Links and Buttons, labelled "Require permissions setup" and "KRAD Limitation"]

25 Deal with KRAD Limitation
See https://wiki.kuali.org/display/STUDENT/How+to+disable+buttons%2C+action+links+and+input+fields+when+a+user+only+has+view-only+permission+but+not+edit+permission+on+the+view+level for details
Option 1:
– Open View permission for Role A
– Open and Edit View permission for Role B
– Perform Action permissions for buttons and action links for Role B
Option 2 (recommended approach):
– Annotate view xml based on permission checking result.
[Diagram: Action Links and Buttons as shown for Role A]

26 More…
– Permission Type Service Extension
– Permission Template Extension
– Support Expression Evaluation
– Authorizer extension
– Role Type Service Extension → OrganizationHierarchyRoleTypeService
– QualifierResolver Extension → OrganizationQualifierResolver

27 More…
Maintenance View/Document permission setup
– If no component level (Group, Field, Action) permission needs to be set up, creating open document and edit document permissions and assigning them to the proper role would work.
– Otherwise, both document based permissions and view based permissions have to be set up for a maintenance eDoc
See
– How to set up the document based authorization for a maintenance eDoc
– How to set up the view based authorization for a maintenance eDoc
