locked
Security on domain entities RRS feed

  • Question

  • Hello,

    I have some questions about security, which I can not seem to implement the way I would like: to hide the domain entities in the Entities list.

    In my Services model I have quite a number of entities which are used only as a domain for other attributes, for example an entity IsTrueOrFalse (with 2 values: True & False). This entity is used as a domain for a number of attributes, e.g. the attribute IsGlobalService on an entity called Service.

    Now, I do want users to be able to update the Service entity and its IsGlobalService attribute. But I would rather not have the IsTrueOrFalse entity show up in the Entities list in the Explorer. Is that possible? When I set the Update rights on the Service, the Entities list automatically shows all the entities used as a domain by the Service attributes.

    I also tried the ‘Deny’ option in the security model. At first sight that seemed to have the desired effect: the IsTrueOrFalse entity was not visible in the Entities list anymore. However, when I tried to edit the IsGlobalService attribute on a certain Service, the drop down list was blank also. Even worse: after leaving the field, even when I use Esc, the field is blank! The value that was previously there is gone.
    Is this really how this is supposed to work...?

     

    Wednesday, July 28, 2010 2:17 PM

Answers

  • Hi Susanne,

    It is working as expected based on the current implementation of domain based attribute permissions.  If the user has access to a domain based attribute, the associated domain entity will be displayed in the entities list in Explorer and will provide Read access to the members in that entity.  Note that only the Name and Code will be displayed in those domain entities unless other permissions are defined.

    There is a logged enhancement request, that is being considered for a future release, to prevent these domain entities from being displayed.

    One thing you could try to improve usability for the user is to follow the steps below to specify the entities to be displayed to the user on the main Explorer page.  Then they could click through the specified entities to get to entity explorer rather than having to use the Entities menu.   Note that the entities menu would still contain the domain entities, but this approach can help to focus the user on the entities that they care about.

    1.  Go to System Administration and expand your model in the tree strucutre on the left of the page.

    2.  Next expand the model.  You may already have an entity displayed directly under the model.  Any entities that are displayed directly below the model in this tree will control the display of entities in the main Explorer page.

    3.  To select the entities you want to display, click on the model in the tree and notice that all of the entities are then displayed on the rigtht of the page.  You can then drag those individual entities over and drop them on the Model in the tree structure so that the entities appear directly below the model.

    4. Then when you go to Explorer, you will see those specified entities listed on the left side of the main explorer page.  You can then click an entity which will then display its attributes and and edit and add buttons will be displayed allowing the user to go to entity explorer for the selected entity or directly to the add member page.

    So even though all the domain entities are still displayed in the menu, you can use this as a way to present specific entities to the user and allow for navigation without using that menu. 

    Perhaps you can give it a try and see if that would help at all in this case.

    Regards,

    Pam

    Wednesday, July 28, 2010 9:07 PM

All replies

  • Hi Susanne,

    It is working as expected based on the current implementation of domain based attribute permissions.  If the user has access to a domain based attribute, the associated domain entity will be displayed in the entities list in Explorer and will provide Read access to the members in that entity.  Note that only the Name and Code will be displayed in those domain entities unless other permissions are defined.

    There is a logged enhancement request, that is being considered for a future release, to prevent these domain entities from being displayed.

    One thing you could try to improve usability for the user is to follow the steps below to specify the entities to be displayed to the user on the main Explorer page.  Then they could click through the specified entities to get to entity explorer rather than having to use the Entities menu.   Note that the entities menu would still contain the domain entities, but this approach can help to focus the user on the entities that they care about.

    1.  Go to System Administration and expand your model in the tree strucutre on the left of the page.

    2.  Next expand the model.  You may already have an entity displayed directly under the model.  Any entities that are displayed directly below the model in this tree will control the display of entities in the main Explorer page.

    3.  To select the entities you want to display, click on the model in the tree and notice that all of the entities are then displayed on the rigtht of the page.  You can then drag those individual entities over and drop them on the Model in the tree structure so that the entities appear directly below the model.

    4. Then when you go to Explorer, you will see those specified entities listed on the left side of the main explorer page.  You can then click an entity which will then display its attributes and and edit and add buttons will be displayed allowing the user to go to entity explorer for the selected entity or directly to the add member page.

    So even though all the domain entities are still displayed in the menu, you can use this as a way to present specific entities to the user and allow for navigation without using that menu. 

    Perhaps you can give it a try and see if that would help at all in this case.

    Regards,

    Pam

    Wednesday, July 28, 2010 9:07 PM
  • Pam, thanks for the clear and extensive reply. Good to hear that there is already an enhancement request. I have implemented your suggestion and the team agreed that it is an improvement for the users.  

    Saturday, July 31, 2010 8:56 AM
  • just as a side node, this "workaround" also works with MDS2012

    But in MDS2012 in Web-UI the "Entity-Menu" ist now filtered correct! (Domain Entities without explicit permissions are NOt listed)
    But in MDS2012 Excel-AddIn "Explorer" you get still ALL Entities listed (which you have permissions and entities used as lookup domains )

    Thursday, August 8, 2013 9:44 AM