Data security ensures that limitations can be made on resources in the plan for users of the system running the multi-user version. Configuration of these limitations is restricted only possible for the admin users.
As a use case assume that you have a production and a service line, each having two manpower resources: P1 & P2 and S1 & S2. The service people should only be able to modify their own resources and in case of overload move operations to the production resources (i.e. production personnel is a backup option for the service area in case of capacity problems).
To achieve this a role can be created with default access as deny for all assigned and modified operations on resources. Open for modifications by adding an allow rule with assign rights on either P1, P2, or the production resource . An extra rule for modifying and assigning on either S1, S2 or the service resource should be added if they are to manipulate their own resources.
Role to manage the data security:
|Id||Name||Description||Active Directory||Default access|
Rules assigned to selected role:
|Id||Name||Type||Rule type||Rule||Applied to|
|G48||Move operations to roduction||RESOURCE||ALLOW||ASSIGN||P2,P1|
Note that the “Applied to” can be single resources or groups
Roles can be created to group rules for usage by either more users or active directory groups
- Id is just an auto-generated identifier
- Name is free to edit so that the admin user can give the role a name. If entered the name is shown instead of the id
- Description is free to edit so that the admin user can enter a description or note for their own purpose
- Active Directory should be entered if the role should be used by an active directory group
- Default access sets either all rights to ALLOW or DENY all tasks. Rules should be created to either enable or disable tasks
Rules are added to the selected role in the upper table. By default, it sets the rule type to the opposite of the default access of the role
Id is just an auto-generated identifier
Name is free to edit so that the admin user can give the rule a name. If entered the name is shown instead of the id
Type is what the rule is covering, at this moment it’s only resources
Rule type indicates if this rule is an ALLOW or DENY type
Rule is what this rule either allows or denies a user to do.
The view is default always possible
MODIFY is make modification
ASSIGN like assign operations to a resource
Note these can be combined
Applied to is what the rule applies to. It opens the resource filter dialog from which resources can be selected
This section joins the users together with roles and rules. The left table shows the normal users with an Active checkbox. If an user are to use the data security this checkbox should be marked. Active directory users are activated by adding them to the correct active directory group in the Windows user management.
Once selected, a user can get a role assigned by using the dropdown placed upper right to the user table. Additionally, rules can be added to this user by pressing Add rule.
The following parts of ROB-EX Scheduler are affected by data security
- All operations assigned to a non-editable resource are locked
- The right-click menu on non-editable operations has a limited list of options available
- The edit operation dialog is restricted to read only for non-editable operations
- Delete of operations is disabled for non-editable operations
- You cannot assign operations to resources where you do not have edit rights
- The detail panel with project, order, and operation detail is restricted
- In the order list only orders with operations that have full modify and assign rights are editable for status and delete actions
- In edit order those non-editable operations have all fields as read-only in the operations table
- In edit order change of route is only possible if the user has full modified and assign rights on all operations of the route (or the route is empty)
- In edit routes only operations that have assign to rights may be added to the route. Non-editable operations have their fields as read-only in the operations table
- We allow the creation of sub-order links between operations, as long as a user has modified permission on just one of the selected operations.