Adding
a New Role
Add a new
role to an existing security profile when none of the existing roles meet the
requirements. For example, when a new role is required to meet specific
requirements:
- Role:
Auditor
- Document:
Internal deliverable document
- Permission:
Read at different states of the internal document lifecycle
- Action:
view_history
at particular state of that lifecycle
To add a role:
- Go to the security_profiles/profile element in the RCF whose name
attribute applies to the new role.
- Under the profile element go to the roles element and copy any role tag and paste it at the end of the roles
element:
3.
<role
Name="controllers"
4.
is_hidden="false"
5.
attribute="eif_roles_doc.controllers"
6.
label="Controllers"
7.
description="Users responsible for
managing the document.">
8.
<init_members>
9.
<member>$SESSION_USER</member>
10.
<member>$P(project_controllers_group_sec_profile_expr)</member>
11.
<member>admingroup</member>
12.
</init_members>
13.
</role>
- Set the name attribute to the name of the new role.
- Set the is_hidden attribute to true or false based on if the role
displays in the Membership tab in EPFM.
- Set attribute to the object type’s or aspects’ attribute name, which
stores the users or groups designated for this role. If using aspect
attributes, use the syntax: aspectName.attributeName.
Note: For example, if it is a new role,
you can add a new attribute with these options or use an existing attribute:
·
Add attribute to an existing aspect.
·
Create an aspect with the new
attribute.
·
Use any custom attribute on the
document or folder object on which this profile is going to be used.
Refer to
the “Composer Guide” for details on adding attributes to aspects.
- Set the label and description as required.
- Populate the init_members element with as many member elements as required. When an object using this
profile is created, the members of this role are going to be resolved
based on these init_members. The value in member tag could be any of the following:
- User name
- Group name
- EPFM Expression or RCF global param
- Once a role is added, define the permissions for that
role in each state of the lifecycle. Use the role_permissions/role
tag under respective state element of profile element. For example:
20.
<states>
21.
<state name="Placeholder">
22.
<role_permissions>
23.
<role
name="controllers">
24.
<permissions>
25.
<access_permit>DELETE</access_permit>
26.
<extended_permits>CHANGE_STATE,CHANGE_PERMIT,CHANGE_LOCATION</extended_permits>
27.
<permitted_actions>
28.
<action
name="change_membership" />
29.
<action
name="view_history" />
30.
<action
name="view_comments" />
31.
<action
name="add_comments" />
32.
<action
name="relate_to_document" />
33.
<action
name="ap_attach" />
34.
<action
name="dm_apply" />
35.
<action
name="edit_progress" />
36.
<action
name="view_progress" />
37.
</permitted
actions>
38.
</permissions>
</role>
Note: Each state also has a default_permissions tag defined which is used to specify the permissions of a
role for which a specific role_permissions is not defined. For example:
<state>
...
<default_permissions>
<access_permit>RELATE</access_permit>
<extended_permits/>
<permitted_actions>
<action
name="view_progress"/>
<permitted_actions>
</default_permissions>
...
</state>
- Copy any existing role tag and paste it at the end of respective role_permissions
tag.
- Set the required access_permit based on the access permissions.
- Set the required extended_permit based on the extended permissions.
- Set the required permitted_actions based on available actions.
- To allow users of this role to perform required
operations defined in this state, go to the respective operation
tag definition in the operations_registry element of the RCF. Add this role to the roles
attribute of the operation tag. For example:
44.
<operation_registry>
45.
<operation_name="library_export"
46.
type="generic_dynamic"
47.
label="Library
export"
48.
roles="controllers,administrators"
help_tip="Export the
contents, renditions, and attribute values..."
No comments:
Post a Comment