Admin UI - Authorization (comments)

Under the item "Authorizations" in the backend admin UI, you can define which users, user roles and user groups are authorized to comment on a context combination. These settings are only available to users with the Admin role.

Initial configuration

When graphomate comments is shipped, three user roles are automatically created: "admin", "editor" and "viewer".
The corresponding rules are already predefined in the "Authorizations" section. The first rule prohibits all users from interacting with the comments, so the following rules represent a so-called whitelist.

The second rule defines that users with the role "admin" or "editor" are allowed to see, create, edit and delete all comments.

The last rule defined is that users with the role "viewer" are only allowed to see all comments.

Of course, you can adapt these configurations as you wish for your scenarios.

Add authorization

A new authorization can be added by clicking on the + ADD button in the menu bar above the list of existing authorizations. It should be mentioned in advance that if no options are selected for a property of the authorization, the authorization applies to all characteristics of this sub-setting.
A special case here is the setting of users, user roles and user groups. Only if all three are left blank does the rule apply to all users.

An authorization consists of several sub-settings that can be configured when adding a new authorization and when editing an existing one. When creating an authorization, several items can be selected individually by selecting their checkboxes or collectively by selecting the upper checkbox next to the title. Clicking on the arrows will either assign them to the authorization (they will appear on the right-hand side) or deselect them (they will appear on the left-hand side). In the edit view of an existing authorization, selected sub-permissions can be removed by clicking on the icon in the right-hand margin, and new ones can be added using the drop-down box. In both cases, a search is available.

Authorization properties

Name

The freely definable name of the authorization is used, for example, to summarise the functionality.

Type

The selection between "Allow" and "Deny" defines whether this authorization rule allows or prohibits the selected actions for a context combination. This allows rules to be defined by combination according to the scheme "everything except" and "exclusively for".

Actions

The actions that can be performed in relation to comments are divided into four rights:

  1. “view”: Existing comments can be read by authorised users.

  2. “create”: Allows users to create new comments.

  3. “edit”: Comments that already exist can be edited.

  4. “delete”: Comments are allowed to be deleted.

If no actions are selected, this authorization applies to all actions. The difference from selecting all actions explicitly is that without a selection, actions that may be added in later versions are automatically covered as well.

Contexts

This area defines for which context combination the authorization is to be applied. The representation begins with an "env" for EnvironmentContext or a "dat" for DataContext. This is followed by the key of the context before the "=" and the value after it.

Contexts that are selected here also apply in principle to more specific context combinations. This means that as soon as a comment contains at least the selected contexts, the rule applies. For example, if a user is authorized for the context combination "Region=Central" and "Country=Germany", he or she can access comments for the context combination Central+Germany and "Year=2021". However, access is not allowed for a comment that applies, for example, to Central+Austria.

If no contexts are selected, the rule applies to all comments.

Wildcard Contexts

The so-called "wildcard contexts" are a special case. They make it possible to create an authorization that applies to all contexts with a given key regardless of the value, or to all contexts with a given value regardless of the key. To do this, a corresponding context must first be created in the "Contexts" menu item with either the key or the value left empty. This context can then be selected in an authorization.

Users

Individual users for whom authorization applies can be selected here.

If no user, user role or user group is selected, this rule applies to all users.

Roles

Authorization can be assigned here to all users in one or more user roles.

Groups

Just like the "Roles", entire user groups can be selected here.

Order

In the column "Order" on the overview page of the authorizations, the order of the rules can be changed by clicking on the arrows. The rules are processed sequentially, starting with the lowest index. This means that if, as in the initial configuration, a prohibition is initially defined for everything, this prohibition can be weakened again by individual rules with a higher index. The initial configuration written in textual form thus reads:

Initially, prohibit all users from interacting with comments. Then allow "view", "create", "edit" and "delete" for users with the role "admin" or "editor". In the last step, allow users with the role "viewer" to view any comments.

Another hypothetical example: If at the end of the list of authorizations with the highest order there was a rule that prohibited everything, all previous authorizations would have no effect.
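The following is an added example that models the rule semantics described in the "Contexts", "Wildcard Contexts", "Users"/"Roles"/"Groups" and "Order" sections; it is not graphomate's own code and does not reflect its internal data model. The "scope:key=value" spelling for contexts, the user names and the extra rules appended to the initial configuration are constructed for the example, and the assumption that nothing is allowed until some rule allows it is also the example's own.

```python
from dataclasses import dataclass

# Constructed notation for this example: "dat:Region=Central" means a DataContext
# with key "Region" and value "Central"; "env:" would be an EnvironmentContext.
# An empty key or value denotes a wildcard context (page's "Wildcard Contexts").
def parse_context(text):
    scope, rest = text.split(":", 1)
    key, value = rest.split("=", 1)
    return (scope, key or None, value or None)

def ctx(*texts):
    return frozenset(parse_context(t) for t in texts)

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool                          # Type: "Allow" (True) or "Deny" (False)
    actions: frozenset = frozenset()     # empty = all actions, including future ones
    contexts: frozenset = frozenset()    # empty = all comments
    users: frozenset = frozenset()
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

def _context_present(rule_ctx, comment_ctxs):
    # A rule context matches any comment context with the same scope whose key
    # and value agree, where a wildcard (None) agrees with anything.
    scope, key, value = rule_ctx
    return any(scope == s and (key is None or key == k) and (value is None or value == v)
               for s, k, v in comment_ctxs)

def rule_applies(rule, user, action, comment_ctxs):
    if rule.actions and action not in rule.actions:
        return False
    # Only when users, roles AND groups are all empty does the rule cover everyone.
    if rule.users or rule.roles or rule.groups:
        if not (user.name in rule.users or user.roles & rule.roles or user.groups & rule.groups):
            return False
    # The comment must carry at least every selected context; a more specific
    # comment (with additional contexts) still matches.
    return all(_context_present(rc, comment_ctxs) for rc in rule.contexts)

def is_authorized(rules, user, action, comment_ctxs):
    decision = False   # assumption: denied until a rule says otherwise
    for rule in rules: # lowest order index first; a later matching rule overrides
        if rule_applies(rule, user, action, comment_ctxs):
            decision = rule.allow
    return decision

# The initial configuration as described on the page.
INITIAL_RULES = [
    Rule("deny everything for everyone", allow=False),
    Rule("admin/editor: all actions", allow=True, roles=frozenset({"admin", "editor"})),
    Rule("viewer: view only", allow=True, actions=frozenset({"view"}), roles=frozenset({"viewer"})),
]
# Constructed extensions to illustrate contexts, wildcards and ordering.
REGION_RULES = INITIAL_RULES + [
    Rule("viewer may edit Central+Germany", allow=True, actions=frozenset({"edit"}),
         roles=frozenset({"viewer"}), contexts=ctx("dat:Region=Central", "dat:Country=Germany")),
]
WILDCARD_RULES = INITIAL_RULES + [
    Rule("viewer may create for any Region", allow=True, actions=frozenset({"create"}),
         roles=frozenset({"viewer"}), contexts=ctx("dat:Region=")),
]
TRAILING_DENY_RULES = INITIAL_RULES + [Rule("deny everything again", allow=False)]

# Constructed users and comments.
ADMIN = User("alice", roles=frozenset({"admin"}))
VIEWER = User("bob", roles=frozenset({"viewer"}))
NOBODY = User("carol")
COMMENT_DE = ctx("dat:Region=Central", "dat:Country=Germany", "dat:Year=2021")
COMMENT_AT = ctx("dat:Region=Central", "dat:Country=Austria")
COMMENT_NO_REGION = ctx("dat:Country=Austria")

if __name__ == "__main__":
    cases = [
        ("initial", INITIAL_RULES, ADMIN, "delete", COMMENT_DE),
        ("initial", INITIAL_RULES, VIEWER, "create", COMMENT_DE),
        ("initial", INITIAL_RULES, ADMIN, "react", COMMENT_DE),   # hypothetical future action
        ("region", REGION_RULES, VIEWER, "edit", COMMENT_DE),
        ("region", REGION_RULES, VIEWER, "edit", COMMENT_AT),
        ("wildcard", WILDCARD_RULES, VIEWER, "create", COMMENT_NO_REGION),
        ("trailing deny", TRAILING_DENY_RULES, ADMIN, "delete", COMMENT_DE),
    ]
    for label, rules, user, action, comment in cases:
        print(f"{label:14} {user.name:6} {action:7} -> {is_authorized(rules, user, action, comment)}")
```

Because later rules override earlier ones, the example's "trailing deny" list reproduces the page's hypothetical: a final deny-all rule cancels every allowance above it, so the safe place for a deny-all rule is the first position, with allow rules refining it afterwards.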