Access Groups
Introduction
With Access Group configuration, administrators can configure ESS2 to be a more role-based environment for their end users. With Access Groups, the admin can control end user visibility of ESS2 forms, panels, panel groups and URLs. When Access Groups are enabled, all visibility is controlled via Access Groups. This means that an end user has no visibility of any form, panel, panel group or URL link unless they belong to an Access Group that allows access to that content.
Access Groups each have a designated set of "Access rights." Each Access Group has "Members" (end users), who are added based on one or more specific conditions. Access rights always grant access to content; they can't be used to deny access to content.
Note that one user can be a member of multiple groups. A user gets access to content when any of their groups grants access to that content.

- Enabling or disabling Access Groups can be done in platform settings by setting the value true or false for ess2.access.groups.enabled.
- The settings ess2.access.groups.enabled.for.forms and ess2.access.groups.enabled.for.catalog can then be used to enable/disable forms or catalogs.
- Note, if enabled and there are no groups created, none of the end users see any form, panel, panel group or URL.
- Access Groups have no impact on Product Catalog content or visibility.
- Settings: to modify the Person template, the admin needs to navigate to platform settings and change the value of the platform setting servlet.auth.person.template.code.
- End users can view content in the ESS2 portal only if it is permitted by any of the Access Groups to which they belong.
- Access rights within an Access Group can be applied to both Forms and Links, controlling the content members can access in the portal.
- When a form is removed from an Access Group's access rights, members of that group will immediately lose access to it.
- However, if the form was already open, the user interface (UI) must be refreshed for the change to take effect.
- Access Group members will no longer be able to submit requests through that form, and this restriction takes effect immediately without requiring a UI refresh.
- Members of the group will lose access to dropdown field options and tooltip data for the form right away, with no UI refresh needed.
- With search, the backend periodically updates the "searchable dataset," which impacts both Forms and Catalog items.
- As a result, changes to access rights may take up to two minutes to appear in search results.
- Access group permission caches are repopulated every night at 2:45 (AM) system time.
- This can also be triggered manually from the admin UI (Maintenance - Other Actions), by using the “Clear Persistent Object Caches" button.
Note: Root users are not affected by any Access Group restrictions.
Creating a New Group
To create a new Group, click on the “+ New Group” button:

This opens the “New Group” view:

Fill in the name of the Access Group in the Name-field. This is a required field.
To discard all changes and close this view, click on the Cancel-button.
To save current Access Group and close this view, click on the Save & Close -button. At least one complete (Attribute + Value) condition must exist, before a group can be saved.

Definitions
Definition - Conditions which must be met for the access group to have the access right. The maximum number of conditions is 5 and a person data card must match all condition clauses to be considered a member of the group.
To add more conditions, click on the Add-button:

When the maximum number of conditions is reached, the Add-button is disabled:

If more than one condition exists, the extra conditions can be removed with the Delete-button:
The more conditions there are, the more specific the group is, for example, “organization = Matrix42” AND “Cost center = IT Operations” AND “Location = Germany”.

- Attribute - The attribute which is compared to a value (selected from a dropdown list).
- Same attribute can't be used twice in the same access group.
- Attribute can be single or multi-value.
- Can only be a reference attribute. Back reference is not supported.
- Handlers that only work on the UI, and don't store values to the ESM database, will not work with Access Groups configuration.
- Not supported handlers are:
- AutoEntityCreation
- AutoMailSenderBusinessHoursFinder
- ChangeStamp
- Comment
- CreatorStamp
- EntitySearchHandler
- ForeignReferenceHandler
- QuickFill
- ReferenceCopy
- ReferenceTargetFinder
- SLAFinder
- TargetDeleter
- TicketReservation
- Validator
- ValueChangeMonitor
- is equal to / is not equal to - The comparison operator between the Attribute and the Value. Can be changed by clicking the field and selecting the operator from the list.
- For example the condition “Cost center is not equal to IT Operations”, would mean all the cost centers except IT Operations.
- Value - The value to which the Attribute is compared to (selected from a dropdown list).
At least one condition is required, and needs to be completed (attribute + value) to save.
Access Rights
Define which access rights the group has to Forms and/or Categories.
Both views have the options:
- Select all - Select all visible options.
- Deselect all - Deselect all visible options.
- Show selected only - Only display the currently selected options.
Forms
Choose which Forms the access group has access to. Note that Forms in draft-mode are highlighted with a “Draft” tag.

Categorization and Links
Choose which Categories the access group has access to.
The content on the “Useful Links (Home/Link Widget)” is presented with the hierarchy of the Links widget, with panels, panel groups and any links (links to forms or links to URLs) residing in them:

- The main-level object can be expanded (and then collapsed) if it has content (sub-level content) on it.
- (For example, a panel can be expanded to show the panel groups and links on it, and any links on the panel groups.)
- There is a tag next to the name of item, indicating its type (Panel, Link to Form, Product Catalog, etc.).
- By default, all the items are unselected at the start.
- Selecting a main-level item also selects all child items inside it; clicking the main object again deselects the main-level item and all objects inside it.
- Sub-level objects can be selected / deselected individually. This is indicated on the parent level with an indeterminate checkbox (the one with a line in it).
- The access is on the item level and access to an item gives access to all categories that item is in.
- If an item is in several categories and a user is given access to it, the user will have access to that object in all the other categories as well.
- For example, item “Smartphone” could be in categories “Mobile devices”, “Phones” and “Personal devices”. Giving user access to “Smartphone” would then open all the categories the item is in (but not the other items in those categories).
- If the group doesn't have access rights to the linked content, an error icon (orange triangle) is shown next to the link.

Catalog
This view is used to configure what catalog items are displayed to the selected role.
- If a category has several items:
- If all items are selected, that category shows the checkmark symbol (✓).
- If not all of the items are selected, that category is still shown to the end user, but with a line symbol (-).
- Same item can be in several categories.
- If a role has access to that item, the role will get access to all categories that item is in.
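The membership and visibility rules above (all conditions within a group must match, any group may grant, rights never deny, root bypasses, item access opens every category the item is in) as an added illustration; this is not ESS2 code. It assumes a person data card is a dict, multi-value reference attributes are sets, and the groups and item-to-category mapping are constructed sample data using the page's own example values.

```python
# Added illustration of this page's Access Group rules (not ESS2 code). Assumptions:
# a person data card is a dict, multi-value attributes are sets, sample data is constructed.
from dataclasses import dataclass, field
MAX_CONDITIONS = 5  # stated limit per group

@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str  # "eq" = "is equal to", "ne" = "is not equal to"
    value: str
    def matches(self, person: dict) -> bool:
        raw = person.get(self.attribute)
        values = raw if isinstance(raw, (set, frozenset, list, tuple)) else {raw}
        return (self.value in values) if self.op == "eq" else (self.value not in values)

@dataclass
class AccessGroup:
    name: str
    conditions: list
    forms: set = field(default_factory=set)
    catalog_items: set = field(default_factory=set)

    def __post_init__(self):
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS:
            raise ValueError("a group needs 1 to 5 complete conditions")
        if len({c.attribute for c in self.conditions}) != len(self.conditions):
            raise ValueError("the same attribute can't be used twice in one group")

    def is_member(self, person: dict) -> bool:
        return all(c.matches(person) for c in self.conditions)  # ALL clauses (AND)

def visible_forms(person, groups, all_forms):
    if person.get("root"):  # root users are not affected by any restriction
        return set(all_forms)
    # rights only ever grant: union of the forms of every group the person is in
    return set().union(*(g.forms for g in groups if g.is_member(person)))

def visible_categories(person, groups, item_categories):
    # access to an item opens every category that item is in, not the other items
    items = set().union(*(g.catalog_items for g in groups if g.is_member(person)))
    return {cat for item in items for cat in item_categories[item]}

# Constructed sample configuration, reusing the page's own example values.
GROUPS = [
    AccessGroup("IT Ops Germany", [Condition("organization", "eq", "Matrix42"),
                                   Condition("cost_center", "eq", "IT Operations"),
                                   Condition("location", "eq", "Germany")],
                forms={"VPN access"}, catalog_items={"Smartphone"}),
    AccessGroup("Everyone but IT", [Condition("cost_center", "ne", "IT Operations")], forms={"Guest WiFi"}),
]
ITEM_CATEGORIES = {"Smartphone": {"Mobile devices", "Phones", "Personal devices"}}
```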

Configuration Tips
- Use the filter above the content to narrow down forms, categorization links or catalog items.
- When checking if the Person template supports the Access Groups configuration:
- There must be a single or multi-value reference to the templates that are used for role-based configuration.
- It is recommended to make the reference fields multi-value right at the beginning of the configuration.
- Due to the fact that Root users are not affected by any Access Group restrictions, it is recommended to test with normal organizational level users to see how the services are visible to different groups.
- All existing catalog item permissions are automatically deleted when the catalog template is changed. This is so that it is easier to ensure permissions can be set to the new template.
- Before changing the catalog template, the admin is warned that all catalog permissions will be irreversibly deleted.
Restrictions
- Only single path references are supported on Person template.
- Access Groups configurations don't support reference paths behind selected reference (or deeper).
- In certain configuration cases, like when an attribute used in an Access Groups configuration is changed from single-value to multi-value, there are a few options to make sure the updated Access Group rights are applied correctly:
- Restart containers.
- End users try logging in.
- End users refresh manually in the ESS2 UI.
- Access Groups don't have any impact on the Product Catalog. Even the link to the product catalog can be set to be hidden in the Access Groups configuration.
- Access Group configuration will not prevent use of the product catalogue, e.g. in cases where a customer gets a direct link to the product catalog or navigates there from the homepage tab.