Configuring permissions
In the Permissions section you can create additional configurations to permissions of contracts.
You can store different rules. To do this, enable the rules engine. This allows you to automatically execute rules that cause additional permissions to be stored on the contract.
Activate the rule engine - This is how it works
Log on to https://contracts-config.d-velop365.com/.
Choose your configuration.
Choose Permissions.
Set the following switch in the JSON file:
[Screenshot: the switch for the rule engine]
"ruleEngineEnabled": true,
Save your changes by clicking Save.
The permission rules are executed whenever contract properties are created or modified. All rules are checked to determine whether they apply and whether their permissions should be assigned to the contract. The complete set of permissions determined in this way is then applied to the contract; permissions that are no longer valid are removed.
Note
Please note that changes to the permissions do not automatically take effect for all existing contracts. If you would like the adjustments to apply to all existing contracts as well, please contact our support team (support@d-velop.de).
Parameters for configuring the permissions
The following parameters are available for configuring permissions:
restrictItemPermissionWhenCreated: Breaking the inheritance of role assignments.
uniquePermissionsEnabled: Specifies whether, in the contract display and creation view, the user should be able to give other users read access to their contract.
ruleEngineEnabled: Specifies whether the rules below should be applied.
rules: Here you define the rules according to which users are assigned permissions.
The following configuration options are available for the rules:
priority: The priority according to which the rules are processed. The larger the number, the higher the priority of the rule.
condition: The condition under which the rule is applied. It can be configured as follows:
all: All conditions in this list must be met.
any: Any of these conditions must be met.
Within an all or any list, further conditions can be nested using all or any.
A condition can be specified with the following options:
fact: A value from the contract.
path (optional): Can be used if the fact is an object or array and you wish to access a value within it (see the examples below).
For fields of the type multi-choice
"path": "$.results"
For fields of the type managed metadata
"path": "$.TermGuid"
operator: The comparison operator. The available operators depend on the field type:
For text and numbers:
equal
notEqual
For numbers:
greaterThan
lessThan
greaterThanInclusive
lessThanInclusive
For arrays:
in: The fact must be contained in the value list.
notIn: The fact must not be contained in the value list.
contains: The fact list must contain the value.
doesNotContain: The fact list must not contain the value.
value: A value. It is also possible to compare the fact with another value from the contract:
"value": {"fact": "ecsCustomBool"}
action: Currently, the only option to select is "permission-add".
data: The details of the permission assignment:
description: The short description of the rule.
users: The users to whom the rule is applied can be selected based on these factors:
loginName: The e-mail address of the user.
fact: A contract field where users can be selected.
principalId: The user ID. Contract contents can be referenced like this: "${ecsResponsibleId}".
groups: The groups to which the rule is applied can be selected based on these factors:
groupName: Group name
principalId: Group ID from SharePoint Online
roles: The permissions that the groups or users get on this contract:
roleId (type: number): The ID of the role.
roleName (type: text): The name of the role/permission.
SharePoint role definitions:
Full Control
Design
Edit
Contribute
Read
Limited Access
View Only
Using the permission rule set
If you have adapted the permission rule set, you must apply the rule set to the existing contracts. You have two options for applying the rule set:
Use the Apply rules to a contract button and enter a contract ID to apply the rule set to an existing contract. As long as the system is processing the contract, the Apply rules to a contract button remains disabled.
Use the Apply rules to all elements button to apply the rule set to all existing contracts. This option can place a heavy load on the system. As long as the system is processing the contracts, the Apply rules to all elements button remains disabled.
Example of configuring the permissions
This sample permissions configuration shows you different ways to proceed with permissions.
First, parameters are set that apply to all rules. After that, the rules are processed according to their priority.
Since restrictItemPermissionWhenCreated is set to true, the permissions that users have on the list are not inherited by the contract.
Because uniquePermissionsEnabled is set, users are given the option to grant read and write permissions to other users in the Permissions section of a contract when creating or editing it. These permissions are applied by the third and fourth rules ("priority": 360 and "priority": 350).
The first rule ("priority": 500) gives full rights to the creator and the responsible person.
The last rule ("priority": 600) is used to grant read access to a specific group if the group is selected in the organizational assignment in the master data of a contract. Thus, someone in the "North" group can also get write access if they have been authorized to do so in the Permissions section of a contract.
Example configuration for permissions
{
  "restrictItemPermissionWhenCreated": true,
  "uniquePermissionsEnabled": true,
  "ruleEngineEnabled": true,
  "rules": [
    {
      "priority": 500,
      "condition": { "all": [] },
      "action": "permission-add",
      "data": {
        "description": "DEFAULT: Give full access to author and responsible persons",
        "users": [
          { "principalId": "${ecsResponsibleId}" },
          { "principalId": "${AuthorId}" }
        ],
        "groups": [ { "groupName": "ecspand Development" } ],
        "roles": [ { "roleName": "Full Control" } ]
      }
    },
    {
      "priority": 360,
      "condition": { "all": [] },
      "action": "permission-add",
      "data": {
        "description": "DEFAULT: Give ecsPermissionRead users read access",
        "users": [ { "fact": "ecsPermissionReadId" } ],
        "roles": [ { "roleName": "Read" } ]
      }
    },
    {
      "priority": 350,
      "condition": { "all": [] },
      "action": "permission-add",
      "data": {
        "description": "DEFAULT: Give ecsPermissionWrite-Users write access",
        "users": [ { "fact": "ecsPermissionWriteId" } ],
        "roles": [ { "roleName": "Edit" } ]
      }
    },
    {
      "priority": 450,
      "condition": {
        "all": [
          { "fact": "ecsCustomBool", "operator": "equal", "value": true }
        ]
      },
      "action": "permission-add",
      "data": {
        "description": "Always give the data security officer access if ecsCustomBool = 1",
        "users": [ { "loginName": "data-security-officer@azuredvelop.onmicrosoft.com" } ],
        "roles": [ { "roleName": "Read" } ]
      }
    },
    {
      "priority": 600,
      "condition": {
        "all": [
          {
            "fact": "ecsContractOrganization",
            "path": "$.TermGuid",
            "operator": "equal",
            "value": "20dad1d8-72ee-4659-8c3b-929d31f2237e"
          }
        ]
      },
      "action": "permission-add",
      "data": {
        "description": "Give everybody from the 'North' department read access, if the ecsContractOrganization equals 'North'",
        "groups": [ { "groupName": "North" } ],
        "roles": [ { "roleName": "Read" } ]
      }
    }
  ]
}
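To make the rule parameters listed above and the example configuration concrete, here is an added Python evaluator for this rule format, run on constructed data; it is illustrative code written for this page, not d.velop's engine. It assumes that path only takes the one-level "$.key" form shown above and that "${field}" inside a principalId names a contract field.

```python
from string import Template
# Operators from the list above: in/notIn test the fact against a value list,
# contains/doesNotContain test the value against a fact list.
OPS = {"equal": lambda f, v: f == v, "notEqual": lambda f, v: f != v, "greaterThan": lambda f, v: f > v,
       "lessThan": lambda f, v: f < v, "greaterThanInclusive": lambda f, v: f >= v,
       "lessThanInclusive": lambda f, v: f <= v, "in": lambda f, v: f in v, "notIn": lambda f, v: f not in v,
       "contains": lambda f, v: v in f, "doesNotContain": lambda f, v: v not in f}
def resolve_fact(contract, fact, path=None):
    val = contract.get(fact)
    return val.get(path[2:]) if path and isinstance(val, dict) else val  # assumption: "$.key" form only
def check(contract, cond):
    # Recursively evaluate the all/any tree; an empty "all" list is always true
    if "all" in cond:
        return all(check(contract, c) for c in cond["all"])
    if "any" in cond:
        return any(check(contract, c) for c in cond["any"])
    value = cond["value"]
    if isinstance(value, dict) and "fact" in value:  # compare with another contract field
        value = resolve_fact(contract, value["fact"])
    return OPS[cond["operator"]](resolve_fact(contract, cond["fact"], cond.get("path")), value)
def apply_rules(config, contract):
    # Returns {principal: set of role names}; rules run from highest to lowest priority
    perms = {}
    if not config.get("ruleEngineEnabled"):
        return perms
    for rule in sorted(config["rules"], key=lambda r: r["priority"], reverse=True):
        if rule["action"] != "permission-add" or not check(contract, rule["condition"]):
            continue
        data = rule["data"]
        principals = [g["groupName"] for g in data.get("groups", [])]
        for u in data.get("users", []):
            if "fact" in u:  # a user-valued contract field may hold several ids
                principals += [str(i) for i in contract.get(u["fact"]) or []]
            else:  # loginName as-is; "${field}" in principalId is read from the contract
                principals.append(u.get("loginName") or Template(u["principalId"]).substitute(contract))
        for p in principals:
            perms.setdefault(p, set()).update(r["roleName"] for r in data["roles"])
    return perms

# Constructed sample data (not from a real tenant): an unconditional rule and a rule with an "any" condition.
CONFIG = {"ruleEngineEnabled": True, "rules": [
    {"priority": 500, "condition": {"all": []}, "action": "permission-add",
     "data": {"users": [{"principalId": "${ecsResponsibleId}"}], "roles": [{"roleName": "Full Control"}]}},
    {"priority": 600, "condition": {"any": [
        {"fact": "ecsCustomBool", "operator": "equal", "value": True},
        {"fact": "ecsContractOrganization", "path": "$.TermGuid", "operator": "equal", "value": "guid-north"}]},
     "action": "permission-add", "data": {"groups": [{"groupName": "North"}],
              "users": [{"fact": "ecsPermissionReadId"}], "roles": [{"roleName": "Read"}]}}]}
CONTRACT = {"ecsResponsibleId": 17, "ecsCustomBool": False, "ecsPermissionReadId": [23, 42],
            "ecsContractOrganization": {"TermGuid": "guid-north"}}
```

Calling apply_rules(CONFIG, CONTRACT) yields Read for the "North" group and the two ecsPermissionReadId users, and Full Control for the responsible person; with "ruleEngineEnabled": false no permissions are produced at all.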