Attribute-driven role based access
0
Hi Mendix, I am interested an enhanced role based access control that provides ability to set user access (role/privilege/right/etc.) for a limited set of objects specified by access attributes specified with access setting. If and how can such an access control be implemented in Mendix? For example: a warehouse manager role giving access to warehouse management functions not for all warehouses, but specific ones, which are determined when this role is mapped to a user. Actually this attribute belongs to the role mapping and not the role, as different warehouse managers are mapped to different warehouses. (Either the attribute can have 1..* multiplicity or several different warehouse manager role mapping instance should be supported to set with different warehouse value.) Considerations why this information is not a user attribute: this value has not meaning to all users of the company (e.g. finance staff). the warehouse value used for warehouse manager role mapping cannot be the same for all warehouse-specific roles – e.g. a manager can also be supervisor for additoinal warehouses (not managed by him/her). Best Regards, Istvan
asked
Istvan Danyi
2 answers
2
Add an Association from Warehouse to Account . Then to Warehouse’s Accessrules add a rule for role Warehousemanager, having XPath-constraint:
[YourModule.Warehouse_WarehouseManager='[%CurrentUser%]']
Then in the microflow-properties in block Security set ‘Apply entity access’ to Yes and set 'Allowed roles’ to Warehousemanager.
Does that get you what you need?
answered
Tim v Steenbergen
2
You have associations warehouse-accessobject-user.
You could set up an xpath constraint on your warehouse saying:
[module.warehouse_accessobject/module.accessobject/module.accessobject_user = [%CurrentUser%]]
Now you can create access objects and map them to warehouses and users. The users now only have access to the warehouses they are mapped to.
answered
Andreas Blaesius