Entity permissions against users

Hi,

I’ve just started to build the permission settings around Scipio and I didn’t find anything other than ‘create security group’ which only allows me to input the group name but not what this group is allowed to do.

Are there any general guidelines or tutorials about how to build the permissions around, let’s say, view/create/edit/delete each entity/page/database table?

Thank you.

Hi,

Security groups are used to manage a set of individual permissions. You can define various permissions within the SecurityPermission entity:

<SecurityPermission description="View operations in the Catalog Manager." permissionId="CATALOG_VIEW"/>
<SecurityPermission description="Create operations in the Catalog Manager." permissionId="CATALOG_CREATE"/>
<SecurityPermission description="Update operations in the Catalog Manager." permissionId="CATALOG_UPDATE"/>
<SecurityPermission description="Delete operations in the Catalog Manager." permissionId="CATALOG_DELETE"/>
<SecurityPermission description="ALL operations in the Catalog Manager." permissionId="CATALOG_ADMIN"/>

and then group them together in the security groups you have seen:

<SecurityGroupPermission groupId="SUPER" permissionId="CATALOG_ADMIN"/>

On each layer (screen, service, entity) there are various ways to check the permissions. To give a few examples:

in groovy:
security.hasEntityPermission("PARTYMGR", "_UPDATE", request);

in java:

Security security = ctx.getSecurity();
hasPermission = security.hasPermission(ADMIN_PERMISSION, userLogin);

in ftl:
security.hasEntityPermission("PARTYMGR", "_CREATE", session)

in minilang:
<check-permission permission="CATALOG" action="_UPDATE">

in menus:
<menu name="WebSiteButtonBar" default-permission-operation="CONTENT_ADMIN"

in screens:
<condition>
<if-has-permission permission="CATALOG" action="_VIEW"/>
</condition>

There are many more. Basically, you can have very granular permissions set for each user, and usually you just define a security group, give it permissions, then assign users to specific security groups.
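An added example, not part of the original reply and not Scipio's own seed data: the define-group, grant-permissions, assign-users workflow described above, written as a least-privilege data file. The group IDs, the user login IDs and the dates are hypothetical, and the `entity-engine-xml` wrapper and the `SecurityGroup` / `UserLoginSecurityGroup` entities are assumed to be available as in the OFBiz data model Scipio builds on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example data. Group IDs, user logins and dates are placeholders. -->
<entity-engine-xml>

    <!-- Read-only role: may open Catalog Manager screens, nothing else. -->
    <SecurityGroup groupId="CATALOG_READONLY"
                   description="Read-only access to the Catalog Manager"/>
    <SecurityGroupPermission groupId="CATALOG_READONLY" permissionId="CATALOG_VIEW"/>

    <!-- Editor role: view, create and update, but deliberately no CATALOG_DELETE.
         CATALOG_ADMIN is not granted either, because its description on this
         page is "ALL operations in the Catalog Manager", which would include delete. -->
    <SecurityGroup groupId="CATALOG_EDITOR"
                   description="Create and update catalog data, no delete"/>
    <SecurityGroupPermission groupId="CATALOG_EDITOR" permissionId="CATALOG_VIEW"/>
    <SecurityGroupPermission groupId="CATALOG_EDITOR" permissionId="CATALOG_CREATE"/>
    <SecurityGroupPermission groupId="CATALOG_EDITOR" permissionId="CATALOG_UPDATE"/>

    <!-- Assign existing user logins to a group. The userLoginId values must
         already exist as UserLogin records; fromDate marks when the
         membership starts. -->
    <UserLoginSecurityGroup userLoginId="example.viewer" groupId="CATALOG_READONLY"
                            fromDate="2024-01-01 00:00:00.0"/>
    <UserLoginSecurityGroup userLoginId="example.editor" groupId="CATALOG_EDITOR"
                            fromDate="2024-01-01 00:00:00.0"/>

</entity-engine-xml>
```

With this data loaded, a screen or service guarded by the `CATALOG` / `_DELETE` check from the reply should stay closed to both groups, since neither holds `CATALOG_DELETE` or `CATALOG_ADMIN`.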