¶ 1. Overview
Roles are used within T6 to restrict or allow access in specific cube contexts. We can also define whether the user will have read and write access, or only read access, within these contexts in the form. This makes it possible for different users to have broader or more restricted views of the information contained in the same form.
A Role is an excellent way to restrict access in forms. However, this feature should be used with caution, as the more restrictions defined, the longer it will take to load the forms.
Roles will only be applied if the Create and view data entry forms functionality is disabled for the user in the Manager profile functionalities.
¶ 1.1. Prerequisites
To create and edit roles in T6, we will need to have certain Features enabled:
- Administrator: Manage the security of the application (full) (multi-app); and Manage System Users
- Manager: Manage Application Security;
A user can only grant permissions in roles they own or have permissions for.
¶ 2. Functionality
Through roles, we can perform the following functions:
- Allow or restrict the viewing and editing of a context within a cube form (this can apply to a specific user or a group of users);
- Create, edit, and delete roles;
- View the roles registered in the application;
- Define the type of role;
- Configure the role as static or dynamic.
¶ 3. Usage
To create a new role in T6, follow these steps:
- In the T6 main menu, we can access two possible paths:
- Select the Explorer option;
or - Select the Access Control → Role option;
- Select the Explorer option;
- Click on
in the New section of the ribbon, go to Access Control and select Role; - After creating the new role, select it and click on
; - A panel will open on the side where we will configure the role;
- The following fields will be available for completion:
-
Name: Name of the role, which will be displayed in the explorer listing;
-
Description: Description of the role, which will be displayed in the explorer listing;
-
Application: Select the application to be linked to the role;
-
Permissions: Select one of the following options:
- Allow Read/Write: Grants permission to the cells defined in the members of the dimensions to which we want to apply the role.
- Deny Read/Write: Blocks permission to the cells defined in the members of the dimensions to which we want to apply the role.
- Allow Read: Grants read permission to the cells defined in the members of the dimensions to which we want to apply the role.
- Deny Write: Blocks write permission to the cells defined in the members of the dimensions to which we want to apply the role.
- Process: A special type of role that, based on the process parameters associated with the dimensions of the current application to which the role is associated, will calculate the scope of the role at runtime, according to the process instances that the user currently has.
-
The user needs a role to be able to view the data of the application forms; we must have at least one role granting read and write permission to the users who will use the form.
If we use the allow read and write permission and include a member, the system will automatically grant permission only to the selected member, and restrict all others. That is, if we want to allow read and write, we do not need to specify any member in any dimension, just save the role blank. Then we will add other roles for restrictions.
If read and write are denied for a specific member, all other members will automatically be allowed.
If we do not have a role allowing read and write in the application and allow read and write for a specific member, all other members will automatically be restricted from viewing and editing.
Restriction roles will always override permission roles.
¶ 3.1. Static Roles
In Static Roles, we will have the context in table form, where we will select the dimensions and the members to be linked to the role;
- Select the dimension by clicking on
; - A new screen will open in the panel: Member Selection, click on
; - We can select the Hierarchy, if the selected dimension has one, by clicking on
; - We can also select the Aggregation by clicking on , and the following options will be displayed:
Click to display Aggregation options.
| Aggregation | Description |
|---|---|
| Member | Selects only the reference member |
| Descendants | Selects all descendants of the reference member |
| Descendants (inc) | Selects all descendants of the reference member, including itself |
| Ancestors | Selects all ancestors of the reference member |
| Previous | Selects the directly preceding member in the member tree, at the same level as the reference member |
| Next | Selects the directly following member in the member tree, at the same level as the reference member |
| Previous (Relative to the parent) | Selects the previous member at the same level and relative to the parent of the reference member |
| Ancestors (inc) | Selects all ancestors of the reference member, including itself |
| Same Level Members | Selects all members at the same level as the reference member |
| Same Level Members (inc) | Selects all members at the same level as the reference member, including itself |
| Parent Member | Selects the parent of the reference member |
| Next (Relative to the parent) | Selects the next member at the same level and relative to the parent of the reference member |
| Previous (Relative to the root) | Selects the previous member in the member tree, at the same level and relative to the root of the member tree |
| Next (Relative to the root) | Selects the next member in the member tree, at the same level and relative to the root of the member tree |
| Parent Member (inc) | Selects the parent of the reference member, including itself |
| Children Member | Selects the children of the reference member |
| Children Member (inc) | Selects the children of the reference member, including itself |
| Descendants without children | Selects all leaf descendants (those without children) of the reference member |
| Previous members same root (inc) | Selects the previous members in the member tree, at the same level and under the same root as the reference member |
| Next members same root (inc) | Selects the next members in the member tree, at the same level and under the same root as the reference member |
| Previous members same amount children root (inc) | Selects the previous members of the reference member, under the same root and with the same number of children |
| Data Member | Selects only the Data Member of the selected member |
| Descendant Data Members (inc) | Selects all Data Members descendants of the reference member, including its own Data Member |
| Exclude Member | Excludes the reference member |
| Exclude Data Member | Excludes the Data Member of the reference member |
| Next members same amount children root (inc) | Selects the next members of the reference member, under the same root and with the same number of children |
| Children [Words-DataMember] | Selects only the Data Member children of the selected member |
By default, the aggregation will be set to Member.
- Below the hierarchy and aggregation boxes, there is a list of available members for selection;
- Select the desired members by clicking on
; - The selected members will appear above the hierarchy and aggregation boxes;
- You can change the aggregation of an already selected member by clicking on
in the selected members list; - After selecting the members and aggregation, click on
; - In the context table mentioned earlier, the selected members and aggregation will now be displayed as shown in the example below:
- After selecting the desired members and aggregations, click on
.
¶ 3.2. Dynamic Roles
In Dynamic Roles, we will need to select a data table. The existing contexts in the selected table will be displayed, and we will select the contexts and columns to be linked to the role;
- In Table, select the data table where we will configure the permissions (the table name will be displayed according to the database);
- The displayed contexts take into account the contexts configured in the selected application;
- The columns available for selection will appear according to the database columns of the selected table, but the permissions linked to the role will only take effect on the form columns (the columns displayed in the interface);
- Choose the context and, next to it, the table column, by clicking on ;
- After selecting the columns in the contexts, click on .
¶ 3.3. Association
¶ 3.3.1. Add User
To associate a role with a user, follow these steps:
-
Select the role you want to associate and click on
; -
A side panel will open, where we will select Users;
- Users: From the created role, we can select which users will have the permissions contained in the role;
- Click on
and the available users for selection will be displayed; - Check the checkbox next to the name of the user you want to associate;
- Click on
;
-
After selecting the users to be associated with the role, click on
again; -
To finish, click on
.
¶ 3.3.2. Remove User
To remove users from a role, follow these steps:
-
Select the role from which you want to remove users and click on
; -
A side panel will open, where we will select Users;
- Users: We will have a list of users associated with the role;
- Click on , where the users associated with the role will have the checkbox enabled;
- Uncheck the checkbox next to the name of the user you want to remove from the role;
- Click on ;
-
After selecting the users to be removed from the role, click on
again; -
To finish, click on
.
Only users who have permission in the application selected in the role and users the logged-in user has permission to view will be displayed in the list.
¶ 3.3.3. Add Group
To associate a role with a group, follow these steps:
-
Select the role you want to associate and click on
; -
A side panel will open, where we will select Groups;
- Groups: From the created role, we can select which groups will have the permissions contained in the role;
- Click on and the available groups for selection will be displayed;
- Check the checkbox next to the name of the group you want to associate;
- Click on ;
-
After selecting the groups to be associated with the role, click on
again; -
To finish, click on
.
¶ 3.3.4. Remove Group
To remove groups from a role, follow these steps:
-
Select the role from which you want to remove groups and click on
; -
A side panel will open, where we will select Groups;
- Groups: We will have a list of groups associated with the role;
- Click on , where the groups associated with the role will have the checkbox enabled;
- Uncheck the checkbox next to the name of the group you want to remove from the role;
- Click on ;
-
After selecting the groups to be removed from the role, click on
again; -
To finish, click on
.
¶ 4. Q&A
Frequently Asked Questions
1. What are Roles in T6?
Roles are used to restrict or allow access in specific cube contexts, defining whether the user will have read and write access, or read-only access, within forms.
2. Which features must be enabled to create roles?
To create and edit roles, the user must have the following features enabled:
From Administrator: Manage the security of the application (full) (multi-app) and Manage System Users.
From Manager: Manage Application Security.
3. What is the performance impact of using roles?
The greater the restrictions defined in roles, the longer form loading time will be, so they should be used with caution.
4. Can I grant permissions in any role?
No, a user can only grant permissions in roles they own or have permissions for.
5. Which permission types can I configure in roles?
There are 5 permission types that can be configured in roles:
- Allow Read/Write;
- Deny Read/Write;
- Allow Read;
- Deny Write;
- Process (special type that calculates scope at runtime).
6. How does "Allow Read and Write" work in roles?
The Allow Read and Write permission in roles works as follows:
If any member is included, the system will automatically grant permission only to the selected member and restrict all others.
To allow all members, do not specify any member in any dimension.
7. What happens when I use "Deny Read and Write" in roles?
When a role uses Deny Read and Write on a specific member, access to that member is automatically blocked, while all other members are allowed.
8. What happens when there is a conflict between permission and restriction roles?
When there is a conflict between permission and restriction roles, Restriction Roles always override permission roles.
9. What is the difference between Static and Dynamic Roles?
The difference between the two role types is how the context is selected.
Static Roles use a table-based context where you select dimensions and members;
Dynamic Roles use a data table where you select contexts and table columns.
10. Which aggregation options are available in static roles?
There are more than 20 aggregation options available for selection in static roles. All options are listed below:
| Aggregation | Aggregation | Aggregation | Aggregation |
|---|---|---|---|
| Member | Descendants | Descendants(inc) | Ancestors |
| Previous | Next | Previous(relative to parent) | Ancestors(inc) |
| Same level members | Same level members(inc) | Parent member | Next(relative to parent) |
| Previous(relative to root) | Next(relative to root) | Parent member(inc) | Children member |
| Children member(inc) | Descendants without children | Previous same root(inc) | Next same root(inc) |
| Previous same amount children root(inc) | Data member | Descendants data member(inc) | Exclude member |
| Exclude data member | Next same amount children root(inc) | Children data member |
11. How do I associate users with a role?
To associate users with a role, the role must already exist. Follow the steps below:
- Open Explorer and select the desired role;
- Click Permissions in the ribbon;
- In the side panel, select the Users tab;
- Click Manage;
- Check the desired users;
- Click Apply;
- Click Save.
12. Can I associate groups with roles?
Yes, but to add groups to roles, the role must already exist. Follow the steps below:
- Open Explorer and select the desired role;
- Click Permissions in the ribbon;
- Go to Groups in the side panel;
- Click Manage;
- Check the desired groups;
- Click Apply;
- Click Save.
13. How do I create a new role?
To create a new role, follow the steps below:
- In the T6 main menu, open Explorer;
- Click New Item in the ribbon, in the Access Control section, and select Role.
- Fill in the role Name.
- Select the Application.
- Define the Permissions.
- Configure the role as Static or Dynamic, selecting members in each dimension.
- Click Save.
After creating the role, you can associate users and/or groups with it.