Permissions in viflow
Applies to: viflow (subscription | 9 | 8) | Article: 1342748 | Updated on 17.06.2024
Permissions were introduced in viflow for the first time with viflow 8. These authorizations can be used for the modelers in viflow and the users of the WebModel.
Article for IT professionals/administrators
This function is intended exclusively for administrators who are familiar with assigning authorizations (e.g. from Windows Server).
Basic information about permissions in viflow
It is not necessary to work with authorizations. If no authorizations are actively assigned, modeling can be carried out without any restrictions - the WebModel can also be used normally.
If you decide to use the rights, it is important to develop a concept: what really makes sense and/or what needs to be restricted? One should not "overorganize" oneself here, otherwise there is a risk of a loss of control and dealing with the process model will be unnecessarily complicated.
The Everyone group is stored by default. Every existing and newly added user as well as every added group is automatically included in this group. In this way, rights can be easily transferred to all users and groups.
This article describes what options are available and how they should be used.
What types and options of authorization are there?
What types and options of authorization are there ?
The authorizations can either be assigned to individual users or to newly added user groups. A combination is also possible.
Types of Permissions
A basic distinction is made between:
- Object Permissions {{1}} relate to individual folders or the entire process model.
- Functional authorizations {{2}} always refer to the entire process model.
Both types of rights have been set in the properties window under Permissions summarized.
Possibilities of permissions
The following options can be assigned to the respective authorizations:
-
Not specified {{3}}
The value inherited from a higher level applies. If no value is set, the corresponding function is not supported, but can be overridden by allowing. -
Deny {{4}}
The corresponding function is explicitly denied and cannot be overridden by allowing.
-
Allow {{5}}
The corresponding function may be used.
DeleteImportant Note - Overriding Permissions
Deny always overrides Allow , so be very careful with it. For example, if a user is in a group and that group is denied a feature, the user can no longer be allowed that feature by allowing.
object permissions
object permissions
The following options exist for object authorizations:
-
To edit {{1}}
The properties of the object can no longer be edited. If it is a graphic, it cannot be edited. In the case of folders, the addition and removal of new objects and folders are also denied. -
Edit Permissions {{2}}
The permissions of the respective object cannot be edited - the register disappears. -
Consider {{3}}
The object cannot be viewed. The object or the folder disappears from the view in the respective views – opening of graphics is prevented. -
Create {{4}}
Adding objects and folders is prevented. This option has no effect on graphics or other objects that do not have sub-objects. An exception is moving. -
Extinguish {{5}}
Deleting (moving to the recycle bin) is prevented.
Important - Permissions for viflow AND the WebModel
Permissions granted affect modeling in viflow and also viewing in the WebModel . When logging into the WebModel, the user is automatically checked for assigned permissions. If the user cancels the authentication, he is logged on as an anonymous user. Appropriate rights can also be assigned here.
Inheritance of Permissions
Inheritance of Permissions
-
Groups/Users: A user inherits from their groups and each group inherits from parent groups.
This affects object and function permissions. -
Objects: An object inherits from its parent. This only affects object permissions.
Important: This does not affect structural views/outlines at any time!
break the chain of inheritance
(Object) authorizations always affect the folders, the object structure and thus also the underlying folders. If you do not want this inheritance, you can interrupt the inheritance chain with the function of the same name. The permissions of the folder above are then copied once. The authorizations assigned at a higher level then no longer have any effect.
Example: If you assign (object) authorizations to the process model in the overview and do not want them to be inherited by processes, you select Break inheritance chain in the "Processes" folder. Now the authorizations are set once. This inheritance affects the Processes folder and the folders below it. Effective immediately, permissions set at a higher level are no longer applied to the Processes folder (and folders below it).
In addition, there are authorizations that can restrict functions in viflow. These are summarized for users or groups under the item Authorizations - Process model:
- Import from other sources
- Open main version
- Merge Master Shapes
- change options
- empty trash
- Clean up process model
- Import process model
- Add/delete language
- Import translations
- Import Visio file
- Export web model
- Manage web model
How should permissions be granted?
How should permissions be granted?
lock database
If you are working in a database, the database should be locked before changing assigned permissions. This ensures that the changes are transferred cleanly. The database can then be unlocked again.
Grant permissions at folder level
It should never be thought at the structure level, but always at the level of the corresponding folder. Basic authorizations can also be assigned directly to the entire process model via the viflow Overview window.
Important : Those responsible for the process model should always assign themselves the Allow rights as an extra member of a group or as an individual user. If you forget to do this or if you set the rights to Deny , you may lock yourself out of the process model!
First, at the top level in the process model, by setting it to Not set , you can disallow all users from using the relevant functionality. The individual users or user groups should then be given the appropriate authorizations one after the other.
The user anonymous transfers the object permissions to all users of the WebModel without a user ID - the so-called anonymous WebModel.
Note on inherited permissions
Permissions that have been inherited are not directly displayed. Explicitly defined permissions are displayed using an icon. Only permissions that have been set are displayed.
If you want to see which authorization applies to the respective object, you have to click on the authorization itself. Now it is shown below which authorization applies here and where it was inherited from.
Permissions video
You can see a brief introduction to setting up permissions in viflow in this ››› video (approx. 2 minutes).