
Groups and permissions

CMDBuild permissions are based on:

  • User groups (roles)
  • Permissions assigned to a user group on various items: classes (even with restrictions on rows and columns), processes, views, search filters, dashboards, reports, custom pages, import / export templates
  • User - group associations

Therefore you can:

  • Set user groups with specific permissions for each element configured in the system
  • Add users to one or more groups; the user inherits permissions from the group

Further functions, gathered in the TAB "UI Setup", let you define additional permissions on elements of the user interface, removing some standard CMDBuild functionalities and simplifying the interface for some user groups.
CMDBuild also supports "multitenant" management, where a set of the CMDB data (section) is reserved to the users belonging to a suborganization of the CMDBuild instance, e.g. a Group Society, a Seat, a Division, etc.

Properties tab

This function allows you to create new user groups and edit the properties of existing ones.

You can perform the following operations:

  • Create a new user group
  • Search the configured groups
  • Edit the selected group
  • Disable the selected group (set the status as non-active)

Each group requires some parameters (metadata) to be filled in, as described below.

General properties

The following information is required:

  • Activity name: Name of the group
  • Description: Description of the group
  • Type: one of the following:
    • Normal: the most common one. It concerns operators using the application
    • Administrator in read-only mode: read-only access to the Administration Module
    • Limited administrator: can work on the system configuration, except for the functions that edit the data model (classes, processes, domains)
    • User creation administrator: can create only users and groups; useful especially with multitenant, to operate only on the assigned tenants
    • Complete administrator: use of all features of the Administration Module without limitations
  • Email: user's e-mail address, to receive any message provided by the system
  • Starting page: the page that the application opens for the current user group when accessing the Management Module
  • Active: the group is active and can be used

Permissions tab

This feature allows you to grant the current user group access permissions on the various items configured in CMDBuild.
Through the second-level tabs described below, permissions can be defined on classes, processes, views, search filters, dashboards, reports, custom pages, import / export templates.

TAB Classes

This tab allows you to define permissions on classes defined in the system.

You can perform the following operations:

  • Search the configured permissions
  • Enable the hierarchical view (superclasses, subclasses)
  • Edit the list of permissions

If you choose to edit permissions, you can perform the following operations:

  • Clone permissions from another group
  • Set the same permissions for all rows of the list, using the checks in the column headers
  • Reduce the permission set on a class, both on rows (by applying a filter) and on columns
  • Delete the restrictions that have been set
  • Disable some actions on the CMDBuild standard user interface for the selected class
  • Re-enable buttons that were disabled on the user interface
  • Save the changes
  • Exit without saving current edits

Restriction of permissions on rows and columns

As mentioned above, you can reduce access permissions to the rows or columns of the selected class.
Through the "Filter" icon you can access a popup window that presents two tabs called "Privileges on rows" and "Privileges on columns".

Privileges on rows

The restriction of permissions on rows can be done by defining a filter in two different ways:

  • By setting filter criteria on the attributes of the specified source class (Attributes tab), in the same way as for the advanced search in the Management Module
  • By using a pre-defined PostgreSQL function, which must be created according to the following criteria:
    • It must carry the comment "TYPE: function"
    • It must declare its input and output parameters, with an explicit name for each of them
    • The input and output parameters must be of one of the following types: "character varying", "boolean", "integer", "numeric", "double precision", "date", "time", "timestamp", "text" (not "bigint")
    • If the function returns more than one tuple of output values, use the syntax "Returns setof record"
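
The following query is an added example, not part of the CMDBuild documentation: it audits the functions in a database against the criteria listed above, using only standard PostgreSQL catalog objects. It assumes that the "TYPE: function" marker is stored as the function's PostgreSQL object comment and that "time" and "timestamp" denote the without-time-zone types.

```sql
-- Added example (not CMDBuild code): list marked functions and flag
-- parameters that are unnamed or use a type outside the allowed list.
WITH marked AS (
    SELECT p.oid,
           n.nspname AS schema_name,
           p.proname AS function_name,
           p.proretset AS returns_set,
           format_type(p.prorettype, NULL) AS return_type,
           -- proallargtypes is NULL when every parameter is IN
           COALESCE(p.proallargtypes, p.proargtypes::oid[]) AS arg_types,
           p.proargnames AS arg_names
    FROM pg_catalog.pg_proc p
    JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
    -- Assumption: the marker is stored as the function's object comment
    WHERE obj_description(p.oid, 'pg_proc') LIKE '%TYPE: function%'
),
params AS (
    SELECT m.oid,
           a.ord,
           m.arg_names[a.ord::int] AS arg_name,
           format_type(a.type_oid, NULL) AS type_name
    FROM marked m
    CROSS JOIN LATERAL unnest(m.arg_types) WITH ORDINALITY AS a(type_oid, ord)
)
SELECT m.schema_name,
       m.function_name,
       m.returns_set,   -- expected true for functions returning several tuples
       m.return_type,   -- expected 'record' in that case
       array_agg(COALESCE(NULLIF(p.arg_name, ''), '<unnamed>') || ' ' || p.type_name
                 ORDER BY p.ord)
           FILTER (WHERE p.ord IS NOT NULL
                     AND (p.arg_name IS NULL OR p.arg_name = ''
                          OR p.type_name NOT IN (
                              'character varying', 'boolean', 'integer', 'numeric',
                              'double precision', 'date', 'text',
                              'time without time zone',
                              'timestamp without time zone'))) AS offending_params
FROM marked m
LEFT JOIN params p ON p.oid = m.oid
GROUP BY m.oid, m.schema_name, m.function_name, m.returns_set, m.return_type
ORDER BY m.schema_name, m.function_name;
```

A NULL in `offending_params` means every parameter of that function is named and uses an allowed type; a "bigint" parameter, for instance, is listed by name.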

Here are two examples of how to define the filter.

Through the attribute filter set with the same modalities used in the Management Module for the advanced search:

Through PostgreSQL function:

In both cases, if the permission is of the write type, you can specify whether the rows not included in the filter are displayed in read-only mode or not displayed at all.

Privileges on columns

The restriction of permissions on columns can be done in the following ways:

  • Attribute not visible
  • Attribute visible only
  • Attribute visible and editable


GIS privileges

The restriction of permissions on geographical attributes can be done in the following ways:

  • Attribute not visible
  • Attribute visible only
  • Attribute visible and editable


GUI buttons control

You can enable (default) or disable all the permissions linked to the insert, edit, delete, clone, graph access and print actions for the selected class in the user interface of the CMDBuild data Management Module.
You can also enable (default) or disable all the permissions linked to the massive edit and massive delete operations on the selected class in the user interface of the CMDBuild data Management Module.
Likewise, you can enable (default) or disable all the permissions linked to the Details, Notes, Relations, History, Email, Attachments, Scheduling TABs for the selected class in the user interface of the CMDBuild data Management Module.
Finally, you can define permissions on the attachments available in the class, according to the DMS category.
This option applies only to the CMDBuild standard GUI and has no effect on operations performed through other user interfaces or web services, so access to the data itself must be restricted through the class permissions described above.

Processes TAB

This tab allows you to define permissions on the processes defined in the system.

The same features described for classes are available, with the following differences:

  • The permission types are not "None", "Read", "Write". They are:
    • None: the process is not visible to the current group
    • Base: the current group can manage the process only while the ongoing activity belongs to the group (unlike the following type, which also keeps previously executed processes visible)
    • Default: permissions derived from the XPDL descriptor of the process are applied (a group of users can edit / advance a process if the current activity is in the "lane" of the current group; they can view a process if they edited / advanced it in a previous step)
    • Default + Read: besides the permissions derived from the XPDL descriptor, the user group has Read permissions on the process
  • The disabling option is not available for certain buttons on the user interface of the Management Module

TAB Views

This tab allows you to define permissions on the views defined in the system.

The types of permissions are as follows:

  • None: the view is not visible to the current group
  • Read: the view is visible to the current group

TAB Search filters

The Search filters tab allows you to define permissions on the search filters defined in the system.

The types of permissions are as follows:

  • None: the search filter is not visible to the current group
  • Read: the search filter is visible to the current group

Dashboards TAB

This tab allows you to define permissions on the dashboards defined in the system. The operations are the same as the ones described in the "TAB Classes" section.

The types of permissions are as follows:

  • None: the dashboard is not visible to the current group
  • Read: the dashboard is visible to the current group

Reports TAB

This tab allows you to define permissions on reports defined in the system.

The types of permissions are as follows:

  • None: the report is not visible to the current group
  • Read: the report is visible to the current group

TAB Custom pages

This tab allows you to define permissions on custom pages defined in the system.

The types of permissions are as follows:

  • None: the custom page is not visible to the current group
  • Read: the custom page is visible to the current group

Import / Export templates TAB

The Import / Export tab allows you to define permissions on the Import / Export templates configured in the system.

The types of permissions are as follows:

  • None: the import / export template is not visible to the current group
  • Read: the import / export template is visible to the current group

Other permissions TAB

This tab allows you to define the permissions on further features: GIS, BIM, Relation graph, Scheduler.

The types of permissions are as follows:

  • None: the feature is not visible to the current group
  • Read: the feature is visible to the current group
  • Write: the feature allows writing operations to the current group

Users' list tab

This function allows you to associate one or more users with the current group. You can drag and drop users from the list of available users (on the right) to the list of users in the group (on the left).

TAB UI setup

This function allows you to assign the current group permissions on UI elements of the Management Module.

You can enable or disable the following, as described below:

  • the entries of the submenu "All elements" of the navigation menu
  • the available TABs for the card management
  • the available TABs for the process management
  • massive actions
  • CMDBuild chat

The details for each option follow.

You can disable the following entries:

  • Cards
  • Processes
  • Views
  • Dashboard
  • Report
  • Custom pages

Classes management

You can disable the following tabs:

  • Details
  • Notes
  • Relations
  • History
  • Email
  • Attachments
  • Schedule

Process management

You can disable the following tabs:

  • Notes
  • Relations
  • History
  • Email

Massive actions

For the current group you can set one of the following configurations for massive modification and deletion on classes and for massive abort on processes:

  • Default: according to the settings of CMDBuild instance
  • Enabled
  • Disabled

Chat

You can enable or disable the CMDBuild chat for the current group.

TAB default filters

This function allows you to specify a filter that is applied in the data Management Module when a user of the current group opens a class or process.

You can perform the following operations:

  • Edit default filters for the current group

The function for editing default filters allows you to:

  • display the tree with the class and process hierarchy
  • select, for each class / process, the default filter (among the ones configured with the specific function) applied when a user from the current group accesses that class / process in the data Management Module