4 Replies Latest reply: Apr 18, 2013 10:42 PM by SarahInVancouver RSS

    JHeadStart permissions

    SarahInVancouver
      Is it possible to build 'global permission' with JHeadStart? And is it possible to build read only permission?

      For example, we have Employee and Job 2 groups for the HR module. If you look at JHS_PERMESSIONS table, there are 4 records for employee and another 4 records for jobs. For the 4 records we have, 1 is for group access and the other 3 are for add, update and delete operations.

      My questions, is it possible to create 2 high level permissions, I call them as global permissions: HR_READ and HR_FULL.

      HR_READ is the group of read only permission of employee and job; HR_FULL is the group of full permissions for both employee and job.

      I know there is no read permission with JHeadStart though.

      Is it achievable to implement the above requirements? We don't want to build roles for the above requirements.

      Thanks in advance!
        • 1. Re: JHeadStart permissions
          Stephen J.
          Sarah, you should be able to just add those permissions in the table, link them to the appropriate roles, then in the JHS definition editor, instead of using:
          Insert Allowed EL = #{jhsUserRoles['$GROUP_NAME$.create']}
          Update Allowed EL = #{jhsUserRoles['$GROUP_NAME$.update']}
          Delete Allowed EL = #{jhsUserRoles['$GROUP_NAME$.delete']}

          just use #{jhsUserRoles['HR_FULL']} for all three

          The group access permission you mentioned is a read-only permission. If the role that a user belongs to has that, and none of the other three, they should have read-only access to that group.
          • 2. Re: JHeadStart permissions
            BradW
            So, this was a little bit more complicated that this... :) We needed to add the permissions manually to the generated taskflow adfc-config file. Without this, you can see the tab, but not the content of the taskflow. We have a note into Steven D. about this. Will update if there is a solution.


            BradW
            • 3. Re: JHeadStart permissions
              Steven Davelaar-Oracle
              Brad,

              The permission list in the task flow config is generated using the macro

              #GROUP_PERMISSION_LIST($group)

              To add your custom permissions, you can override this macro in your custom macros file as explained in section 12.3.5 of the dev guide.

              The generated permission list is based on the assumption that you use group permissions, which conflicts with the idea of a global permission.

              I would implement your use case with a role that has all permissions granted.
              As a matter of fact, JHeadstart already manages this role for you, it is called ADMIN by default, and all permissions are added to this role.

              You can rename the role to SYSADMIN_FULL using the application level property "Administrator Role".

              Steven Davelaar,
              JHeadstart Team.
              • 4. Re: JHeadStart permissions
                SarahInVancouver
                We will try to create custom macro. Thanks Steven.