Create custom permission group to see a subset of system roles on Angular web portal

Hello everyone,

How can I set up a custom permission group for a user in order to see a subset of system roles?

The user should see, apart from default sections, the Data Administrator > Data Explorer section. In it, in the System Roles tab, he should see only some selected system roles (on a query basis). How is it possible?

Thank you,
Lucrezia

  • How do you suggest setting up this query in order to have 2 roles: first role can view one set of ESets, second role can view another set of ESets?

    In addition: how can I manage CRUD permissions with it?

    Lucrezia 

  • I'm not sure I understand your use-case exactly, because OOTB everyone can view the ESet's based on the V_4_ALLUSER_LOOKUP.
    So you should not need extra permissions (groups) for that.

    The API config option VI_Roles_Responsibility_ESet is used to filter out the ESet's you can already see based on your DB level permissions.

    If you put in 1 = 1 nothing will be filtered.

    Or you could extend the query so only users in a specific AERole can see the ESet's

    OR EXISTS (
    SELECT 1
    FROM PersonInAErole
    WHERE UID_AERole = 'UID...'
    AND UID_Person = '%useruid%'
    )

    Or you can combine this with some attribute of the ESET by which you can group them.

    OR (EXISTS (
    SELECT 1
    FROM PersonInAErole
    WHERE UID_AERole = 'UID...'
    AND UID_Person = '%useruid%'
    ) AND Ident_ESet LIKE 'TEST%')

    Or you can extend the schema of the ESET so you can assign an AERole
    so you can show the ESet's by AERole group membership

    OR (
    CCC_UID_AERole IN (
    SELECT UID_AERole
    FROM PersonInAERole
    WHERE UID_person = '%useruid%'
    ))
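
The three filter variants from the reply above, run against a small constructed data set (an added example, not part of the thread and not One Identity code). It assumes SQLite in place of the product database, a bound :useruid parameter in place of %useruid%, and made-up UIDs; each clause is evaluated on its own rather than OR'ed onto an existing condition.

```python
import sqlite3

# Constructed sample data. Table and column names follow the post above;
# CCC_UID_AERole is the custom ESet column its last variant proposes.
SCHEMA = """
CREATE TABLE ESet (Ident_ESet TEXT, CCC_UID_AERole TEXT);
CREATE TABLE PersonInAERole (UID_Person TEXT, UID_AERole TEXT);
INSERT INTO ESet VALUES
  ('PROD Finance admin', 'aerole-fin'), ('TEST Finance reader', 'aerole-fin'),
  ('TEST HR reader', 'aerole-hr'), ('Unassigned role', NULL);
INSERT INTO PersonInAERole VALUES
  ('person-a', 'aerole-fin'), ('person-b', 'aerole-hr');
"""

MEMBER = ("EXISTS (SELECT 1 FROM PersonInAERole "
          "WHERE UID_AERole = :aerole AND UID_Person = :useruid)")

# The three variants, without the leading OR, so each is evaluated alone.
FILTERS = {
    "fixed_aerole": MEMBER,
    "fixed_aerole_and_prefix": f"({MEMBER} AND Ident_ESet LIKE 'TEST%')",
    "aerole_column": ("CCC_UID_AERole IN (SELECT UID_AERole "
                      "FROM PersonInAERole WHERE UID_Person = :useruid)"),
}

def visible_esets(variant, useruid, aerole="aerole-fin"):
    """Return the ESet names the given filter variant lets this user see."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        sql = (f"SELECT Ident_ESet FROM ESet WHERE {FILTERS[variant]} "
               "ORDER BY Ident_ESet")
        # :useruid stands in for the %useruid% placeholder (bound, not spliced).
        rows = con.execute(sql, {"useruid": useruid, "aerole": aerole})
        return [name for (name,) in rows]
    finally:
        con.close()

if __name__ == "__main__":
    for variant in FILTERS:
        for person in ("person-a", "person-b", "person-c"):
            print(f"{variant:24} {person}: {visible_esets(variant, person)}")
```

With the fixed-AERole variants every member sees the same ESets; only the column variant gives each role its own set, and an ESet with no AERole assigned is shown to nobody.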

  • Hello Niels,

    ok got it. But it is impossible to handle CRUD permissions. 

    Let's say that my user has to view ONLY system role A and system role B, but with write permission on A and read-only permissions on B. This is impossible as far as I understood your comment.

    Lucrezia

  • You get view permissions (aka read-only) via VI_4_ALLUSER_LOOKUP. And for the edit-permissions you change the responsibility query as proposed by Niels.
    You can even go for new permission groups where you can define your CRUD options on the object or property level as you please.