Object Security framework is based on water fall model for a user to perform an action on the object in the system. That is, if the user has first level of object access type, there is no need to check the second level whereas if the user does not have the first level, then the second level is checked.
User authorization is derived by access provided to a user for different types of objects. It will be divided to two parts.
LHS Authorization (Using which link will be provided in LHS)
Summary Authorization (Before loading the Summary window, access will be validated)
To have access to object summary pages, the users should be part of the group which is mapped to Access role type in the system for a specific Infodom. Mapping between User Group-Role(s) and mapping between User groups-Infodom in the system is used to achieve this.
Note: Objects to be displayed in the Summary window for a specific user will be decided by the type of the folder to which the object belongs.
User scope is controlled by segment/ folder types with which the object is associated.
Objects contained in a Public folder will be displayed in Summary window to all users, irrespective of user group. No mapping is required. The mapping is done from the User Group Folder Role Map window.
Objects contained in a Shared folder will be displayed to users belonging to a user group which is mapped to the corresponding folder.
Objects contained in a Private folder will be displayed only to the associated owners.
For Add action, irrespective of Folder type, your user group should be mapped to the Write role.
Consumption of Higher Objects
A user can consume objects associated to Public Folders in another higher object provided the Read Only role is mapped to the user group in that folder. This mapping is done through UserGroup Role Map window. For objects in shared folders also, the Read Only role should be mapped. This mapping is done through the User Group Folder Role Map window.
For example, consider a Run definition in which a Classification Rule is used. Suppose the classification rule, say X is created in a Public folder called Y and the user belongs to user group UG. Then for the user to use X rule in the Run definition, the user group UG should have mapped to the Rule Read Only role. But if X rule is created in a Shared folder Z, the user group UG should have mapped to the folder Z and to the Rule Read Only role.
The folders displayed in the Folder Selector window launched from the Object definition window are:
All Public and Shared folders which are mapped to the user group and on which the user group has Write role. Mappings should be done for Public folders through the UserGroup Role Map window and UserGroup Domain Map window. Mappings should be done for Shared folders through User Group Folder Role Map window.
All Private folders for which you are the owner.
User Access Rights are derived by actions allowed for a user to be performed on an object. This is also controlled by the type of the folder/ segment with which the object is associated.
For an object contained in a Public folder, the actions which can be performed by the user depend on the mapping between user group and folder-infodom and mapping between user group and function- roles. This is the existing approach. For mapping a user group to domain, see UserGroup Domain Map and for mapping a user group to a role, see UserGroup Role Map.
For an object contained in a Shared folder, the actions which can be performed by the user depend on User Group Folder Role mapping, which is done from the User Group Folder Role Map window.
For an object contained in a Private folder, the user who has been assigned as the owner of the folder can do all actions except Add action.
Object Access Type derives the special functionalities which can be performed on object definitions by a user. It determines whether a user can do operations such as create, view, update, or delete for an object definition.
There are three access types which OFSAAI supports:
Read only
User who creates the object set this property at object level, which will restrict other users to perform Create/Update/Delete operations on the object. Other users can only view the object details.
Read/Write
User who creates the object set this property at object level, which will allow other users to perform Create/Read/Update/Delete operations on the object.
Lock
Object will be locked by setting a flag during maintenance.
Since single user maintenance of an object is too restrictive, an override option is provided through Phantom role type. If the user group to which the user belongs is mapped to the Phantom role type, then the user will be able to perform CRUD operations irrespective of the object access type. Both Phantom and Write roles should be mapped to the user group.
Phantom role can be applied at 2 different levels.
User Group Infodom level for Public Folder
Map the user group to infodom-folder from User Group Domain Map window and map the user group to the Phantom role for the required function from the User Group Role map window. For example, for a user to override object access type, his user group should be mapped to the folder in which the object is created and should have been mapped to the Phantom role, provided the folder in which the object is created is a Public folder. For information on how to do the mapping, see UserGroup Domain Map and UserGroup Role Map sections.
User Group Folder level for Shared Folder
Map the user group to infodom-folder and then map it to the Phantom role for the required function from the User Group Folder Role map window if the folder in which the object is created is a Shared folder. For information on how to do the mapping, see User Group Folder Role Map section.
OFSAA will standardize and seed some of the security measures as per the business needs.
OFSAA will seed six user groups with infrastructure as per business as shown in the following table:
Seeded User Group Name |
Description |
Mapped Roles |
Guest |
Users belonging to this user group have access to see the LHS link. By clicking the link, they can go to summary screen and see objects. |
Access |
Business User |
Users belonging to this user group will have access to LHS menu, Summary page and view the definition. |
Access Read Only |
Business Owner |
Users belonging to this user group will have access to LHS menu, Summary page and make crud operation on the objects. |
Access Read Only Write |
Business Authorizer |
Users belonging to this user group will have access to LHS menu, Summary page; and authorize the crud operations. |
Access Read Only Authorize |
Business Administrator |
Users belonging to this user group will have access to LHS menu, Summary page; make and authorize the crud operations; execute and export definition. |
Access Read Only Write Authorize Advanced |
Administrator |
Users belonging to this group will have full control of the system. |
Access Read Only Write Authorize Advanced Phantom |
Note the following:
The behavior is relevant for Public folders only.
For shared folders, irrespective of OFSAAI seeded user groups to which you are mapped, your user group should be mapped to the corresponding roles through the User Group Folder Role Map window to do particular actions.
For example, consider a user belongs to Business Owner user group. As per the above table, he has Access, Read Only, and Write roles mapped to him by default. That means, he is assigned the functions such as Link, Summary, View, Add, Edit, Copy, Remove and so on. For a Public folder, he can do all the mentioned functions. However for a Shared folder, he cannot do an action such as Add or Edit unless he is mapped to Write role from the User Group Folder Role Map window.
It is mandatory to do the required mapping of Roles to the folder and user group from the User Group Folder Role Map window in case of Shared folders.
OFSAA will seed seven user roles with infrastructure for each object type. All seeded roles can be described as bellow.
Seeded Role Name |
Role Type |
Mapped Functions |
Access |
Access |
Link Summary |
Read Only |
Action |
Summary View Trace Compare Publish |
Write |
Action |
Add Edit Copy Remove Lock Latest |
Authorize |
Action |
Authorize |
Advanced |
Action |
Execute Export Archive Restore Advanced |
Phantom |
Phantom |
Ignore Access Type Ignore Lock |
For Admin type of roles there will be other seeded roles from SMS module.
Action is derived as a user event which triggers a function for a specific object type. Each action and object type combination will give a function.
OFSAA will seed following actions which shall be used by different object types to define its functions.
Seeded Action Name |
Description |
LINK |
If this action is mapped to an object the resulting function will give the user access to the LHS link. |
SUMMARY |
Summary action if mapped to an object, the resulting function will give summary page access to the mapped user. |
VIEW |
View action if mapped to an object, resulting function if mapped to the user will give access to view definition page of the object. |
TRACE |
Trace action if mapped to an object, resulting function if mapped to the user will give access to trace definition page of the object. |
ADD |
Add action if mapped to an object, resulting function if mapped to the user will give access to add definition page of the object. |
EDIT |
Edit action if mapped to an object, resulting function if mapped to the user will give access to edit definition page of the object. |
COPY |
Copy action if mapped to an object, resulting function if mapped to the user will give access to Copy definition page of the object. |
REMOVE |
This action if mapped to an object, resulting function if mapped to the user will give the power to remove the object from the system. |
PURGE |
Purge action if mapped to an object, resulting function if mapped to the user will give access to purge the object data from the system. |
APPROVE |
Approve action if mapped to an object, resulting function if mapped to the user will give access to authorize an object by approving the same after any action has been performed. |
REJECT |
Approve action if mapped to an object, resulting function if mapped to the user will give access to authorize an object by rejecting the same after any action has been performed. |
EXECUTE |
Execute action if mapped to an object, resulting function if mapped to the user will give him the power to execute the object definition. |
EXPORT |
Export action if mapped to an object, resulting function if mapped to the user will give access to export definition out of the system. |
ARCHIVE |
Archive action if mapped to an object, resulting function if mapped with any user will give the access to archive a definition. |
RESTORE |
Restore action if mapped to an object, resulting function if mapped with any user will give the access to restore any archived definition. |
LOCK |
Lock action if mapped to an object, resulting function if mapped with any user will give the access to lock any definition. |
COMPARE |
Compare action if mapped to an object, resulting function if mapped with any user will give the access to compare any definition with another. |
PUBLISH |
Publish action if mapped to an object, resulting function if mapped with any user will give the access to publish any definition to MDB. |
LATEST |
LATEST action if mapped to an object, resulting function if mapped with any user will give the access to make any authorized version definition of the definition latest. |
IGNOREACCESS |
IGNORE ACCESS action if mapped to an object, resulting function if mapped with any user will give the access to all the definitions to ignore the access right given by a user. |
IGNORELOCK |
IGNORE LOCK action if mapped to an object, resulting function if mapped with any user will give the access to all the definitions to ignore the lock status given by a user. |
ADVANCED |
ADVANCED action if mapped to an object, resulting function if mapped with any user will give the access to object specific special functionality. |