reusable custom set of permissions

Hi,

In MWS it’s possible to define task permissions by following Navigate > Applications > Administration > System-Wide > Permissions Management and selecting Resource Type “Tasks”.
If we select one task and go to the next page it also enables us to select the user/group/role and define a custom set of permissions.
Is there a way to define a (Custom) set of permissions and re-use it?

Thx,
Bruno

I’m not sure I fully understand the question. One thing I would recommend is to review chapter 5 (Administering Tasks) of the Task Engine User Guide. There are topics of Task Access Permissions, Functional Permissions and Task Type Permissions.

After reviewing those chapters, maybe you can clarify the question a bit.
Thanks,
–mark

Hi,

I have re-read the chapter and I still don’t get it.
Suppose I have 100 task types and all of them must be set with the same custom permissions. What’s the easiest way of doing this?

thx
Bruno

Ok, I’m sure we’re getting closer :slight_smile:
Can you explain what a Custom permission is please?

Once I get a clear idea about what you mean, then I might be able to brainstorm an approach.

ok, let’s do it step-by-step.

In order to define the permissions for task type “t1” I do the following:

1 - Go to Administration → System Wide → Permissions Management
2 - Select task type “t1” and click next
3 - Add role “Role1”, grant all permissions on “Tasks Management” and leave the others unchecked

Step 3 creates a Custom set of permissions (this is what SAG calls it in the documentation).

Now, let’s do it for task type “t2”:

1 - Go to Administration → System Wide → Permissions Management
2 - Select task type “t2” and click next
3 - Add role “Role2”, grant all permissions on “Tasks Management” and leave the others unchecked

and so on…

It just doesn’t seem the right way to set permissions.

It would be a lot easier if we could create the custom permissions, give it a name and then assign it to the role thus reusing the custom set of permissions.

hope this clears it
thx
Bruno
This is an example for Custom permissions.doc (79 KB)

Thanks for the explanation. Sorry it took me so long to pick up on what you were trying to say :oops:

Let me explain what is happening under the covers to help describe why this is a tough thing to do.

Associated with each task type are a number of pre-built ‘privileges’. You can inspect this by opening up the privileges.xml at /WebContent/WEB-INF/privileges.xml. You’ll see a tree based editor that uses some folder icons, has a couple of levels deep and a bunch of leaf node privileges. If you click on the ‘Source’ tab at the bottom of the editor you can see the raw xmlImport directives that create a bunch of objects when deployed.

At deployment, there are a bunch of objects created in nested folders for each task type. Hanging off of each object will be an ACL (Access Control List).

At Runtime, when you access the Permissions Management, all the privileges associated with each Task are accessed (by recursively descending through folders) and all the ACLs are exposed for management.

So, if you’ve configured user ‘Joe’ to be able to View Task Data and View Comments, then there will be two ACEs (Access Control Entry) created. One hanging off of the View Task Data privilege object and one associated with the View Comments privilege object. Please note, both of these are associated with a specific unique Task Type. So if ‘Joe’ is supposed to interact with two task types in this example, four different ACEs would need to be created.

What I think you desire (and it is a reasonable request) is to be able to define that a particular role of user called “NormalTaskUser-Role” has access to about a dozen or so of the privilege objects within the Privilege folder structure. But not just for one task, for many tasks.

It would be a bit like grouping a bunch of child nodes from a bunch of different folders together into a virtual group that could share one ACL. You wouldn’t actually move those nodes, just have them share a single ACL.

In fact, we do have this construct. It is called Security Realms. It allows an Admin to associate N number of objects together to share one ACL regardless of where they live in the MWS taxonomy.

You can read more about Security Realms in Chapter 9 (Managing Permissions) → Using Security Realms in the Administering My webMethods Server pdf.

I haven’t specifically attempted this technique, but I suspect that it might work for you. However, I would recommend a very tiny experiment first before proceeding too far.

Regards,
–mark

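A simplified model of the ACL behaviour described in the reply above, added here as an illustration: it is not MWS code or its API, and every class and function name is hypothetical. It compares the number of ACEs created by per-task-type grants with a single grant on an ACL shared through a realm, assuming the realm's ACL governs any object attached to it.

```python
# Simplified model of per-object ACLs vs. a shared realm ACL.
# Not the MWS API: every class and function name here is hypothetical.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Realm:
    name: str
    acl: set = field(default_factory=set)    # principals granted on the shared ACL

@dataclass
class PrivilegeObject:
    task_type: str
    privilege: str
    acl: set = field(default_factory=set)    # own ACL: one ACE per principal
    realm: Optional[Realm] = None            # assumption: realm ACL governs when set

    def allows(self, principal):
        return principal in (self.realm.acl if self.realm else self.acl)

def deploy(task_types, privileges):
    """One privilege object per (task type, privilege), as created at deployment."""
    return [PrivilegeObject(t, p) for t in task_types for p in privileges]

def grant_per_object(objects, principal, wanted):
    """Per-task-type setup: one ACE on every matching privilege object."""
    for obj in objects:
        if obj.privilege in wanted:
            obj.acl.add(principal)

def grant_via_realm(objects, realm, principal, wanted):
    """Attach matching objects to one realm, then grant once on its ACL."""
    realm.acl.add(principal)
    for obj in objects:
        if obj.privilege in wanted:
            obj.realm = realm

def ace_count(objects):
    """Total ACEs an administrator has to maintain for these objects."""
    realms = {id(o.realm): o.realm for o in objects if o.realm}
    own = sum(len(o.acl) for o in objects if not o.realm)
    return own + sum(len(r.acl) for r in realms.values())

PRIVS = ["View Task Data", "View Comments", "Other Privilege (constructed)"]
WANTED = {"View Task Data", "View Comments"}

if __name__ == "__main__":
    per_obj = deploy(["t1", "t2"], PRIVS)
    grant_per_object(per_obj, "Joe", WANTED)
    print(ace_count(per_obj))  # Joe, two privileges, two task types
```

In this model, removing the role from the realm's ACL revokes access on every attached object at once, which is also why a realm grant deserves the same review as the sum of the per-object grants it replaces.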