Version: v5.0

Permissions

In the Reference App, each user group has different permissions, which are created during the project setup. To give a user access to your project, invite them to the user group whose permissions match what they require. For example, if you want the user to be able to read and edit items but not create them, invite the user to the File Contributor user group.

Creating permissions during project setup

The project's permissions are created during the project setup when the user groups are created. In configUpload.js, the user groups are defined in the userGroupDescriptors array and created in the platform using IafProj.addUserGroups.

  let userGroupDescriptors = [
    {
      _name: "Proj Admin",
      _shortName: "proj_admin",
      _description: "Proj Admin User Group",
      permissions: {
        // accessAll is for easy creation of an admin with access to everything
        accessAll: true,
      },
    },
    {
      _name: "File Contributor",
      _shortName: "file_contrib",
      _description: "File Contributor User Group",
      permissions: {
        workspaces: [{ actions: ["READ", "EDIT"] }],
        namedUserItems: [{ actions: ["READ", "EDIT"] }],
        files: [{ actions: ["READ", "EDIT"] }],
        graphicsdata: [{ actions: ["READ", "CREATE"] }],
        orchestrator: [{ actions: ["READ", "EDIT"] }],
        permissionProfiles: [{ actions: ["READ", "EDIT"] }],
      },
    },
    {
      _name: "Viewer",
      _shortName: "file_reviewer",
      _description: "File Reviewer User Group",
      permissions: {
        workspaces: [{ actions: ["READ"] }],
        namedUserItems: [{ actions: ["READ"] }],
        files: [{ actions: ["READ"] }],
        graphicsdata: [{ actions: ["READ"] }],
        orchestrator: [{ actions: ["READ"] }],
        permissionProfiles: [{ actions: ["READ"] }],
      },
    },
  ];

  // Prefix each group name with the project name so groups are unique per project
  userGroupDescriptors.forEach((ug) => {
    ug._name = `${project._name} ${ug._name}`;
  });

  const userGroups = await PlatformApi.IafProj.addUserGroups(
    project,
    userGroupDescriptors,
    ctx
  );

User permission accumulation

A user's permissions for a project accumulate across all the user groups they belong to. For example, if you invite a user to both the Viewer and File Contributor user groups, that user receives the permissions of both groups. As a result, a user you intended to be a Viewer will still have edit permissions, not read-only access, if they are also a File Contributor.
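The accumulation rule is easiest to see when it is computed. The following is an added example, not code from the Reference App or the Invicara platform: it takes group descriptors shaped like the `userGroupDescriptors` entries in configUpload.js (a constructed subset of resources), unions the actions of every group a user belongs to, and answers the question an administrator actually asks when a supposedly read-only user turns out to be able to edit: which group granted that action? The `accessAll` flag is modelled as a wildcard grant on every resource, which is how this page describes it.

```javascript
// Added example, not code from the Reference App: compute a user's effective
// permissions from the user groups they belong to. Group permissions are a
// union, so Viewer plus File Contributor yields EDIT rather than read-only.

// Constructed sample groups, shaped like the userGroupDescriptors entries in
// configUpload.js (only a subset of resources is included).
const sampleGroups = [
  { _shortName: "proj_admin", permissions: { accessAll: true } },
  {
    _shortName: "file_contrib",
    permissions: {
      workspaces: [{ actions: ["READ", "EDIT"] }],
      files: [{ actions: ["READ", "EDIT"] }],
      graphicsdata: [{ actions: ["READ", "CREATE"] }],
    },
  },
  {
    _shortName: "file_reviewer",
    permissions: {
      workspaces: [{ actions: ["READ"] }],
      files: [{ actions: ["READ"] }],
      graphicsdata: [{ actions: ["READ"] }],
    },
  },
];

// Union the actions of every group in `memberOf`, keyed by resource.
// Returns a Map<resource, Set<action>>; accessAll is recorded as "*" -> {"*"}.
function effectivePermissions(groups, memberOf) {
  const effective = new Map();
  for (const shortName of memberOf) {
    const group = groups.find((g) => g._shortName === shortName);
    if (!group) throw new Error(`unknown user group: ${shortName}`);
    if (group.permissions.accessAll) {
      effective.set("*", new Set(["*"]));
      continue;
    }
    for (const [resource, entries] of Object.entries(group.permissions)) {
      const actions = effective.get(resource) ?? new Set();
      for (const entry of entries) {
        for (const action of entry.actions) actions.add(action);
      }
      effective.set(resource, actions);
    }
  }
  return effective;
}

// Whether `action` on `resource` is permitted by the union computed above.
function canPerform(effective, resource, action) {
  if (effective.get("*")?.has("*")) return true;
  const actions = effective.get(resource);
  return actions !== undefined && (actions.has(action) || actions.has("*"));
}

// Audit helper: which of the user's groups grant `action` on `resource`?
// This is the question to ask when a supposedly read-only user can edit.
function groupsGranting(groups, memberOf, resource, action) {
  return memberOf.filter((shortName) =>
    canPerform(effectivePermissions(groups, [shortName]), resource, action)
  );
}

const viewerOnly = effectivePermissions(sampleGroups, ["file_reviewer"]);
const viewerAndContrib = effectivePermissions(sampleGroups, ["file_reviewer", "file_contrib"]);
console.log(canPerform(viewerOnly, "files", "EDIT"));        // false
console.log(canPerform(viewerAndContrib, "files", "EDIT"));  // true
console.log(groupsGranting(sampleGroups, ["file_reviewer", "file_contrib"], "files", "EDIT")); // [ 'file_contrib' ]
```

Because there is no deny rule, the only way to keep a user read-only is to keep them out of every group that grants more; `groupsGranting` tells you which membership to remove.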

Editing permissions for project setup

You can alter the definitions in the userGroupDescriptors array to achieve the following:

  • Edit actions for a permission
  • Add permissions to user groups
  • Create a new user group with custom permissions and actions
  let userGroupDescriptors = [
    ...
    {
      _name: "Viewer",
      _shortName: "file_reviewer",
      _description: "File Reviewer User Group",
      permissions: {
        workspaces: [{ actions: ["READ"] }],
        namedUserItems: [{ actions: ["READ"] }],
        files: [{ actions: ["READ", "EDIT"] }], // adds the EDIT action to the files permission
        graphicsdata: [{ actions: ["READ"] }],
        orchestrator: [{ actions: ["READ"] }],
        permissionProfiles: [{ actions: ["READ"] }],
        apiconfigdefs: [{ actions: ["READ"] }], // adds the apiconfigdefs permission to the user group
      },
    },
    // creates a new user group with custom permissions
    {
      _name: "Custom UG",
      _shortName: "custom_ug",
      _description: "Custom User Group",
      permissions: {
        workspaces: [{ actions: ["READ"] }],
        namedUserItems: [{ actions: ["READ"] }],
        scripts: [{ actions: ["READ"] }],
        userConfigs: [{ actions: ["READ"] }],
      },
    },
  ];

Possible permissions via IafProj.addUserGroups

  • workspaces
  • namedUserItems
  • namedUserColls
  • files
  • scripts
  • userConfigs
  • apiconfigdefs
  • orchestrator
  • graphicsdata
  • permissionProfiles
  • telemetryconfigs
  • schemadefinitions
  • publish_requests
  • usergroups

Possible actions via IafProj.addUserGroups

  • 'READ'
  • 'CREATE'
  • 'EDIT'
  • 'DELETE'
  • 'SHARE'
  • 'ASSIGN'
  • 'RUN'
  • '*'
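The two lists above are the vocabulary that IafProj.addUserGroups accepts, and the editing section before them shows how descriptors are hand-edited. The following is an added example, not code from the Reference App or the platform: a lint that checks an edited `userGroupDescriptors` array against exactly these resource and action names before setup runs. A misspelled resource or a lower-case action would otherwise surface only as an unexpected denial, and a stray `'*'` or `accessAll` on the wrong group as an unexpected grant. The sample descriptors are constructed; the admin short name `proj_admin` is the one this page uses.

```javascript
// Added example, not code from the Reference App: lint a userGroupDescriptors
// array against the resource and action names listed on this page before it
// reaches IafProj.addUserGroups.

const ALLOWED_RESOURCES = new Set([
  "workspaces", "namedUserItems", "namedUserColls", "files", "scripts",
  "userConfigs", "apiconfigdefs", "orchestrator", "graphicsdata",
  "permissionProfiles", "telemetryconfigs", "schemadefinitions",
  "publish_requests", "usergroups",
]);
const ALLOWED_ACTIONS = new Set(["READ", "CREATE", "EDIT", "DELETE", "SHARE", "ASSIGN", "RUN", "*"]);

// Returns an array of human-readable problems; empty means the descriptors
// are well-formed. Broad grants (accessAll, "*") are reported unless they
// belong to the group named by `adminShortName`.
function validateUserGroupDescriptors(descriptors, adminShortName = "proj_admin") {
  const problems = [];
  const seen = new Set();
  for (const ug of descriptors) {
    const where = ug._shortName || ug._name || "<unnamed group>";
    for (const field of ["_name", "_shortName", "_description"]) {
      if (typeof ug[field] !== "string" || ug[field] === "") {
        problems.push(`${where}: missing ${field}`);
      }
    }
    if (seen.has(ug._shortName)) problems.push(`${where}: duplicate _shortName`);
    seen.add(ug._shortName);

    const perms = ug.permissions || {};
    const isAdmin = ug._shortName === adminShortName;
    if (perms.accessAll && !isAdmin) problems.push(`${where}: accessAll on a non-admin group`);

    for (const [resource, entries] of Object.entries(perms)) {
      if (resource === "accessAll") continue;
      if (!ALLOWED_RESOURCES.has(resource)) {
        problems.push(`${where}: unknown resource "${resource}"`);
        continue;
      }
      if (!Array.isArray(entries)) {
        problems.push(`${where}: ${resource} must be an array of { actions }`);
        continue;
      }
      for (const entry of entries) {
        for (const action of entry.actions || []) {
          if (!ALLOWED_ACTIONS.has(action)) {
            problems.push(`${where}: unknown action "${action}" on ${resource}`);
          } else if (action === "*" && !isAdmin) {
            problems.push(`${where}: wildcard action on ${resource} outside the admin group`);
          }
        }
      }
    }
  }
  return problems;
}

// Constructed sample: a Viewer definition with two easy-to-miss typos.
const sampleDescriptors = [
  { _name: "Proj Admin", _shortName: "proj_admin", _description: "Proj Admin User Group",
    permissions: { accessAll: true } },
  { _name: "Viewer", _shortName: "file_reviewer", _description: "File Reviewer User Group",
    permissions: {
      files: [{ actions: ["READ"] }],
      graphicdata: [{ actions: ["READ"] }],   // should be graphicsdata
      orchestrator: [{ actions: ["read"] }],  // actions are upper-case
    } },
];

console.log(validateUserGroupDescriptors(sampleDescriptors));
// [ 'file_reviewer: unknown resource "graphicdata"',
//   'file_reviewer: unknown action "read" on orchestrator' ]
```

Run the check in configUpload.js just before IafProj.addUserGroups and abort setup if it returns anything; fixing a typo in a descriptor is much cheaper than correcting permissions on already-created groups through the REST API.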

Case study: IafViewer graphics data permissions

The IafViewer has a feature that enables the user to add graphics data such as annotations to the rendered model. From platform version 5.0 this feature has a permissions structure that determines if a user can read, create, edit or delete graphics data.

To demonstrate this functionality, the following graphicsdata permissions were required for each user group:

  • Proj Admin can read, create, edit or delete graphics data
  • File Contributor can read and create graphics data but cannot edit or delete them
  • Viewer can read graphics data only

To achieve this, the following updates were made to the user group definitions:

  let userGroupDescriptors = [
    {
      _name: "Proj Admin",
      _shortName: "proj_admin",
      _description: "Proj Admin User Group",
      permissions: {
        // accessAll is for easy creation of an admin with access to everything
        accessAll: true,
      },
    },
    {
      _name: "File Contributor",
      _shortName: "file_contrib",
      _description: "File Contributor User Group",
      permissions: {
        // other perms
        graphicsdata: [{ actions: ["READ", "CREATE"] }],
      },
    },
    {
      _name: "Viewer",
      _shortName: "file_reviewer",
      _description: "File Reviewer User Group",
      permissions: {
        // other perms
        graphicsdata: [{ actions: ["READ"] }],
      },
    },
  ];

Updating permissions for existing user groups

If you need to update the permissions of an existing user group in an existing project, you can use the REST API. The permission must be created in the platform service that owns the resource type.

For example, if you want to add a read permission for orchestrators, make your PUT request to the Datasources Service permissions endpoint:

  PUT https://api.in.invicara.com/datasourcesvc/api/v1/permissions?nsfilter=mycustomProj123

In the request body, add the resource description that targets orchestrators in the namespace:

  [
    {
      "_namespace": "mycustomProj123",
      "_user": {
        "_id": "1deb5bfa-9ae3-463a-bc91-fed1642ffe20", // user group id
        "_type": "usergroup"
      },
      "_resourceDesc": {
        "_irn": "datasourcesvc:orchestrator:*" // targets all orchestrators
      },
      "_actions": [
        "READ"
      ]
    }
  ]