Roles
General Description
Roles define what users can see and do in the application. Plant an App comes with a list of pre-built roles, and other roles can be added to define your own security logic. Roles can be added, edited or deleted, and can be set up to restrict access at a page level, component level, actions, workflows, entities or any other module-specific feature that supports permissions (e.g. API Calls, Search index rules, etc.).
Permission Scheme
Pages
Setting page permissions restricts access to the whole content of a page. Edit permission can also be enabled based on the roles.
Users
Each role can be assigned to or removed from a user via the users page in the configuration page of Plant an App.
Entities
Permissions set at the entity level automatically change the permissions of the autogenerated page and determine which operations (Create, Read, Update or Delete) can be done via the user interface. The same permissions are also applied to the actions which are used to do CRUD operations, such as Create, Update, Partially Update, Read and Delete an Entity.
Modules
Each Module has its own permissions, which can be modified individually to restrict access or grant edit options to roles.
Actions & Buttons
All the actions and buttons that can be used in the Plant an App platform have 2 settings, Condition (Show Condition) and Enable Condition, that support tokens. Based on those, complex access rules can be created with the HasRole token. [HasRole:RoleName] checks the logged-in user (or the user from Load User/Load Users from SQL) and returns true or false depending on whether the user is in that role. For example, [HasRole:Admin] == true can be used on a button to enable it only for a user in the Admin role.
API JWT Authentication
Authenticating with JWT to use API resources has to be done in the name of a user, so that permissions can be set to permit access only to specific users in those roles.
Search Index Rules
All or some results may be restricted (not shown) based on roles by specifying the roles that have access to each result.
Role Management
Adding Roles
Click on the NEW button on the top right of the page to start adding a new role. Input the Role Name and Role Description. Click Save to add the new role.
Editing Roles
In the user grid, find the role you want to edit and click the edit icon to open the edit dialog. Modify the Role Name and/or Role Description. Click Save to modify the role.
Removing Roles
In the user grid, find the role you want to delete and click the delete icon (trash can) to open the delete dialog. Click Yes to delete the role.
Built-In Roles
Admin
It's intended for users that need to manage the application settings and can also manage users in the Built-In roles. People in this role are involved in the development of the application. This role can't be edited or deleted.
Citizen Developers
It's intended for users that need to manage the application settings, like creating the application screens and the business logic/flows associated with them. People in this role are involved in the development of the application. This role can't be edited or deleted.
Managers
It's intended for users that need access to all data stored in the system. They can manage all users except Admins and Citizen Developers. This role can't be edited or deleted.
Low-Level roles
Administrators
It's intended for users that manage the Plant an App instance and have full control over all the settings of the app, except that they can't create other administrators. It enables advanced settings that may affect the stability of the platform. It can be enabled by the Plant an App support if required for cloud-hosted instances. On-premise deployments should have at least one account with this role already enabled. Keep in mind that the Administrator role has all the other Roles enabled regardless of the user settings. Tokens like [HasRole:RoleName] will return true in all situations.
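The interaction between the HasRole token and the Administrators role, as an added example that is not Plant an App code: a simplified Python model of conditions of the form [HasRole:RoleName] == true, useful when reviewing which users a Show or Enable Condition actually applies to. The evaluator, the exact-match role comparison, the Trial role and the sample users are assumptions made for illustration.

```python
import re

# Simplified, hypothetical model of the [HasRole:RoleName] token.
# Not Plant an App code; parsing and matching rules are assumptions.
ADMIN_ROLE = "Administrators"  # per the page, this role implies every other role
TOKEN = re.compile(r"\[HasRole:([^\]]+)\]")
CONDITION = re.compile(r"^\s*(true|false)\s*==\s*(true|false)\s*$")


def has_role(user_roles, role_name):
    """Resolve one token: Administrators match any role name."""
    return ADMIN_ROLE in user_roles or role_name.strip() in user_roles


def evaluate(condition, user_roles):
    """Evaluate a '[HasRole:X] == true|false' condition for one user."""
    resolved = TOKEN.sub(
        lambda m: "true" if has_role(user_roles, m.group(1)) else "false",
        condition,
    )
    match = CONDITION.match(resolved)
    if match is None:
        # Fail closed: a condition this model cannot parse enables nothing.
        return False
    return match.group(1) == match.group(2)


def audit(conditions, users):
    """Map each condition to the sorted list of users for whom it is true."""
    return {
        cond: sorted(n for n, roles in users.items() if evaluate(cond, roles))
        for cond in conditions
    }


# Constructed sample data, not taken from a real instance.
USERS = {
    "alice": ["Administrators"],
    "bob": ["Managers"],
    "carol": ["Trial"],  # "Trial" is a hypothetical custom role
}
CONDITIONS = [
    "[HasRole:Managers] == true",  # positive check: Administrators pass implicitly
    "[HasRole:Trial] == false",    # negative check: Administrators never pass
]

if __name__ == "__main__":
    for cond, allowed in audit(CONDITIONS, USERS).items():
        print(f"{cond!r} -> {allowed}")
```

In this model a negative check such as [HasRole:Trial] == false is never satisfied by an Administrator, and a positive check cannot exclude one, so conditions meant to separate duties should be reviewed with that override in mind.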
Super User
This is a flag that can be added to the Administrators Role and enables the user to manage the Administrators. It also enables some extra settings like cache management or the SQL Console.
Examples
1. Managing the entity roles
- Create a new role
- Create a new user
- Assign the newly created role to the user
- Create a new entity
- On the permission tab, set Can view to Own Entries and set the Can add setting to checked on the row of the role
- Log in as the newly created user and access the page of the newly created entity
- You can add a new entry, but editing or deleting are not enabled.
- Go to step 5 and change the permission to explore more. You can log in with other users from other roles to explore the other behaviors.