[Legacy] How to :: setup and generate permissions

What’s that ?

Permissions are access rights for a specific group of users.

e.g. “My users from the group France can only see France’s data and reports”

You can do powerful things in the code mode described here, but for most of your use cases of row-level security you can use our dedicated graphical interface.

How does it work ?

Note

Reminder : a report.cson looks like this :

name: "Name of the report"
entityName: "{{ report_id }}" # This column must exist in the data returned by the REPORTS block query
entityGroup: "{{ report_group }}"
id: "{{ index }}" # DO NOT CHANGE THIS
date: "July 2015"
managerName: "{{ manager_name }}" # Optional: This is how you can add more info to a report (see the data example above)
...

The goal is just to bind your user groups to the info of your reports (e.g. its entityName, its entityGroup…)

We will need:

  • a file (csv, excel) mapping the user groups to the info of your reports
  • to fill the block PERMISSIONS_DATA in the etl_config.cson to set the domain of this file
  • a script permissions.py, which reads the data associated with this file and implements the whole permission logic

Setup permissions : the easy way

By default if you create a new small app everything should be set up for you !

  • a file user_groups_permissions.csv (with domain user_groups_permissions) should have already been added
  • the following block should already be in your etl config:

PERMISSIONS_DATA:
  query:
    domain: 'user_groups_permissions'

  • the script permissions.py (available in the Files section) should already look like this

You just need to modify the file user_groups_permissions.csv, run the preprocess and release for its domain, and you should be good to go!

How to modify this file

The user_groups_permissions.csv needs to be filled with your user groups and the info of your reports.

Warning

Each column name (except the user_group and the default_report ones) has to be a key of your reports !

Let’s imagine our reports are written as above with an extra city field. We have a business in Paris and Rouen with two main fields. If we have a user_groups_permissions.csv like this:

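| user_group             | entityName      | entityGroup | city  | managerName     | default_report |
|------------------------|-----------------|-------------|-------|-----------------|----------------|
| Paris field 1 partner  | paris_field1_1  | field 1     | Paris |                 | 1              |
| Paris field 2 partner  | paris_field1_2  |             |       |                 | 1              |
| Paris field 1 manager  | paris1_field1_1 |             |       |                 | 1              |
| Paris field 1 manager  | paris1_field1_2 |             |       |                 |                |
| Rouen field 1 manager  |                 | field 1     | Rouen |                 |                |
| France field 1 manager |                 | field1      | Paris |                 |                |
| France field 1 manager |                 | field1      | Rouen |                 |                |
| France manager         |                 |             | Rouen |                 |                |
| France manager         |                 |             | Paris |                 |                |
| Thomas Anderson        |                 |             |       | Thomas Anderson | 1              |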

it would mean:

  • rows 1-2: a partner of field 1 in Paris can only see one report (whose entityName is paris_field1_1, entityGroup is field 1 and city is Paris). As entityName is unique in the example, row 2 also works!
  • rows 3-5: managers of field 1 in Paris can see two reports (whose entityName is paris1_field1_1 or paris1_field1_2). By default they should see the report paris1_field1_1! Managers of field 1 in Rouen can see all the reports whose entityGroup is field 1 and city is Rouen.
  • rows 6-7: managers of the whole field 1 in France can see all the reports whose entityGroup is field1 in Paris and Rouen.
  • rows 8-10: our managers of France can see all the reports of Rouen and Paris. If Mr Anderson has two groups, Thomas Anderson and France Manager, he will see by default the report whose managerName is Thomas Anderson but could consult all the others.

Safety net

By default, permissions fail open: if a user doesn’t belong to any group, or belongs to groups that are not mapped to permissions, they will have access to everything. If you don’t want this behaviour, you can add the flag see_all_reports_by_default: False in the PERMISSIONS_DATA block.

PERMISSIONS_DATA:
  query:
    domain: 'user_groups_permissions'
  see_all_reports_by_default: False

With this flag set to False, this kind of user won’t have access to any report in the small app. Such users must therefore have report permissions configured.
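The sketch below is an added example, not the default permissions.py and not Toucan Toco code. It models the matching described above (filled columns of a row are combined with AND, rows and groups with OR) and shows how the see_all_reports_by_default flag changes the result for an unmapped user. The function names, the sample reports and the reading that the fallback applies only when none of the user's groups is mapped are assumptions.

```python
import csv
import io

# Constructed sample data modelled on the table above (not a real export).
PERMISSIONS_CSV = """user_group,entityName,entityGroup,city,managerName,default_report
Paris field 1 partner,paris_field1_1,field 1,Paris,,1
Paris field 1 manager,paris1_field1_1,,,,1
Paris field 1 manager,paris1_field1_2,,,,
Rouen field 1 manager,,field 1,Rouen,,
France manager,,,Rouen,,
France manager,,,Paris,,
"""

REPORTS = [  # constructed reports carrying the same keys as the CSV columns
    {"entityName": "paris_field1_1", "entityGroup": "field 1", "city": "Paris"},
    {"entityName": "paris1_field1_1", "entityGroup": "field 1", "city": "Paris"},
    {"entityName": "paris1_field1_2", "entityGroup": "field 1", "city": "Paris"},
    {"entityName": "rouen_field1_1", "entityGroup": "field 1", "city": "Rouen"},
    {"entityName": "rouen_field2_1", "entityGroup": "field 2", "city": "Rouen"},
]

NON_FILTER_COLUMNS = {"user_group", "default_report"}


def load_rules(csv_text):
    """Map each user group to its list of filters (non-empty report keys only)."""
    rules = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        filt = {k: v for k, v in row.items() if k not in NON_FILTER_COLUMNS and v}
        rules.setdefault(row["user_group"], []).append(filt)
    return rules


def visible_reports(user_groups, rules, reports, see_all_reports_by_default=True):
    """Return visible entityNames: AND within a row, OR across rows and groups."""
    filters = [f for g in user_groups for f in rules.get(g, [])]
    if not filters:
        # Assumption: the fallback applies when none of the user's groups is mapped.
        return [r["entityName"] for r in reports] if see_all_reports_by_default else []
    return [r["entityName"] for r in reports
            if any(all(r.get(k) == v for k, v in f.items()) for f in filters)]


def unmapped_groups(directory_groups, rules):
    """Audit helper: groups that hit the fallback while the flag keeps its default."""
    return sorted(set(directory_groups) - set(rules))
```

Running unmapped_groups against the list of groups from your identity provider before a release shows which users would see every report while the flag is left at its default.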

Setup permissions : going further

If the easy way doesn’t suit your needs, you can always modify the script permissions.py in the Files section.

Here is the default permissions.py