CMDBuild Forum

Configuration user-role permissions and configuring filters

I have one class, ClassA, and 2 Roles (Groups): Role1 and Role2.

Users from Role1 and Role2 can work only with their own objects from ClassA. This means Role1 may create, edit, view and delete only objects which it created before. Role2 has the same permissions, but for its own objects.

How to configure it:

1) Can it work on an editor attribute?

2) If yes: how do I configure the filter display list?

 

1) Do I need to create a domain between Roles and ClassA?

2) If yes: how do I configure it so that, when a user from Role1 creates a new object, this Role1 is automatically assigned to that object?

 

 

 

If I understand your needs correctly, you can use the "privileges on rows" (Administrator Manual, page 64), filtering the rows on some useful attribute.
CMDBuild Team

 

 

Not quite so...
To filter rows on some attribute I must have this attribute, for example "Role" or "Department".

My questions are "do I have another way, without an attribute?" and, if not, "how can I configure this attribute so that it is filled automatically when a user from "Role" or "Department" creates an object with it?"
 
Previously Tecnoteca wrote:
if I understand correctly your needs, you can use the "privileges on rows" (Administrator Manual, page 64), filtering the rows on some useful attribute.
CMDBuild Team

You don't have another way, you have to use an attribute.

You can fill it automatically with a database trigger like this http://www.cmdbuild.org/forum/forum-in-english/908224516?b_start=0#561835818

CMDBuild Team

 

OK, I must use an attribute for that.

 
Can I use, for the automatic filling, a reference attribute with the group of users?

For example, user "Ann" creates an object of ClassA which contains a reference attribute (domain ClassA - Groups of Users). This attribute is "read only" for users, but the system, for the reference filter, fills the domain with "Finance department", as for user "Ann"?
How do I configure the reference filter for that?
Ann is an operator in the group named "Finance department".

We have thought a bit about your requirement and we think that the following solution will do the trick.
Set row-privileges based on a stored-procedure. The stored-procedure must have exactly the following in/out parameters:
IN "UserId" integer, IN "GroupId" integer, IN "ClassName" character varying, OUT "Number" integer 
and must return a SETOF integer.
 
The function must return the list of the Id of the cards where the value of the "User" column matches the username corresponding to the UserId (i.e. the current user). 
 
CMDBuild Team
1 Like
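
A sketch of a row-privilege function with the signature described in the post above, written for PostgreSQL. This is an added example, not code from the thread or from CMDBuild. The function name, the "User" login table with its "Id" and "Username" columns, and the "Status" = 'A' marker for active rows are assumptions to check against your own schema.

```sql
-- Added example. Assumed names: function row_privilege_own_cards,
-- table "User" ("Id", "Username", "Status"), card column "Status".
CREATE OR REPLACE FUNCTION row_privilege_own_cards(
    IN  "UserId"    integer,
    IN  "GroupId"   integer,
    IN  "ClassName" character varying,
    OUT "Number"    integer
) RETURNS SETOF integer AS $$
DECLARE
    current_username text;
BEGIN
    -- Resolve the calling user's login name. The parameter is qualified
    -- with the function name so it cannot be confused with a column.
    SELECT u."Username"
      INTO current_username
      FROM "User" u
     WHERE u."Id" = row_privilege_own_cards."UserId"
       AND u."Status" = 'A';

    -- Fail closed: an unknown or inactive user sees no rows at all.
    IF current_username IS NULL THEN
        RETURN;
    END IF;

    -- The class name arrives as text, so it is quoted as an identifier
    -- with %I, and the username is bound with USING rather than being
    -- concatenated into the statement.
    RETURN QUERY EXECUTE format(
        'SELECT c."Id"::integer
           FROM %I c
          WHERE c."Status" = ''A''
            AND c."User" = $1',
        "ClassName")
    USING current_username;
END;
$$ LANGUAGE plpgsql STABLE;
```

If the "User" column on a card is rewritten whenever someone else edits it, filter on a dedicated owner attribute filled by a trigger instead, as suggested earlier in the thread.
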
Thank you for solution.
It works.
 
Previously Tecnoteca wrote:
We have thought a bit about your requirement and we think that the following solution will do the trick.
Set row-privileges based on a stored-procedure. The stored-procedure must have exactly the following in/out parameters:
IN "UserId" integer, IN "GroupId" integer, IN "ClassName" character varying, OUT "Number" integer 
and must return a SETOF integer.
 
The function must return the list of the Id of the cards where the value of the "User" column matches the username corresponding to the UserId (i.e. the current user). 
 
CMDBuild Team

 

Where are these functions?

Can I use them to set user-specific rights?

Correct me if I'm wrong, but I think that CMDBuild allows by default only setting rights per user group. Thus everyone in the same group sees the same.

 

Thanks, J

 

Previously Maxim wrote:
Thank you for solution.
It works.
 
Previously Tecnoteca wrote:
We have thought a bit about your requirement and we think that the following solution will do the trick.
Set row-privileges based on a stored-procedure. The stored-procedure must have exactly the following in/out parameters:
IN "UserId" integer, IN "GroupId" integer, IN "ClassName" character varying, OUT "Number" integer 
and must return a SETOF integer.
 
The function must return the list of the Id of the cards where the value of the "User" column matches the username corresponding to the UserId (i.e. the current user). 
 
CMDBuild Team

 

 

Hi there,

Is there a solution in the meantime?

I’ve a class with 2 attributes (among others):

  1. responsible user (to select from employees table)
  2. LoginUser (filled by trigger from user table depending on responsible user)

For a user group I have to limit the visibility of entries to those the LoginUser is responsible for.
I have created a working standard filter, but users can disable it. So, it is not secure.
So, a function for use as filter in the groups & permissions section is needed.
I did some tries with the jsonb expression from the filter (@MY_USER), mentioned above - no success.

Can anyone help?

Thanks in advance.

M.