
024: Recycling-Heroes - Restriction Types (Contact)
How can we ensure that permissions in the Contacts app can be granted dynamically? In this episode, we'll look at Restriction Types.
Introduction
Last time, we implemented various permission checks in our application to restrict data and actions. Finally, we assigned the object via the IAM app to obtain and work with the permissions. Currently, the values are hard-coded and we cannot adjust them in the roles. Therefore, in this episode, we will look at Restriction Types and how we can use them to dynamically control permissions.
Objects
As a first step, we create new objects, starting with a Restriction Field. We can begin creating them via the context menu and find the appropriate type among the objects. We can name the field exactly the same as our Authorization Field and add a descriptive name. Once the object is created, we need to assign our Authorization Field, as we will maintain this later in the permissions settings. We can obtain the field via the Content Assist. Finally, we can check the available values using the "Search Help" button. If we activate the checkbox, we could also maintain ranges. However, since we only have three values, this isn't necessary.
After saving, we can then create a new Restriction Type. We can do this directly via the link at the bottom, as this starts the wizard and also assigns the field to the new object at the end. Let's now assign a name and a description and create the new object. The field is already assigned here, so we can now assign our authorization object. This establishes the connection to maintenance. Finally, don't forget to publish the object using "Publish Locally".
Assignment
To use the new Restriction Type, we need to assign it to our Business Catalog. First, we search for the type and add it to the position. Then, we activate the three checkboxes to use the Restriction Type for these methods. Finally, we save and publish the catalog.
Finally, we adjust the permissions in the IAM app and remove the contact type, as we want to manage this via the role. We leave the various activities as they are for now. Basically, the different activities are assigned to actions like Write or Read and are then enabled or disabled via the various restrictions. Here, you should also remember to publish the updated permissions to Launchpad.
Restricted Permissions
After all objects have been enabled, saved, and published, we go to Launchpad and open the "Maintain Business Roles" application. There, we access the ZRH_ADMIN role and enter maintenance mode via "Edit". We can start maintaining individual permissions using the "Maintain Restrictions" button. Currently, all permissions are set to Unrestricted. Therefore, we set Write and Read to Restricted, which activates the maintenance of these objects. We can now maintain the contact types for which we want to grant permissions. For testing purposes, we set Write and Read for Employee and only Read for Address. Finally, we save the role so that the new permissions are applied.
Returning to the Launchpad and our area, we see four data entries already displayed on the tile, and we open the application. There we now see the employees and addresses for which we have permissions. If we go to an employee's record, we can still edit it, but deletion is not possible because we don't have the necessary permissions via the IAM app. If we now access an address, we cannot edit it, and creating a new address also doesn't work.
All Permissions
Now let's go back to managing the role and set the values to "Unrestricted", save the role, and go back to the application. There, we can again see and edit all types of contacts. To obtain all permissions as an administrator, we adjust the permissions in the IAM app and also activate the checkbox for "Delete". Then we publish the new permissions to the Launchpad. Now we can check whether we can delete the data records again. All actions are now available again on the Object Page, and we therefore have all the permissions we need as an administrator.
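The two test setups from "Restricted Permissions" and "All Permissions" can be modelled as two layers that must both agree. This is an added Python sketch, not code from the episode or from SAP; the activity names, the grouping of activities into Read and Write, and the THIRD_TYPE placeholder are assumptions.

```python
# Added model, not SAP code. Effective permission = activity enabled in the
# IAM app AND contact type allowed by the role restriction for that access category.
UNRESTRICTED = "*"

# Assumption: activities grouped into the Read/Write access categories the page mentions.
ACCESS_CATEGORY = {"display": "read", "create": "write",
                   "change": "write", "delete": "write"}

# Employee and Address are named on the page; the third contact type is not,
# so THIRD_TYPE is a placeholder.
CONTACT_TYPES = ("EMPLOYEE", "ADDRESS", "THIRD_TYPE")


def is_allowed(app_activities, role_restrictions, activity, contact_type):
    """Return True if the activity on this contact type passes both layers."""
    if activity not in app_activities:
        return False  # not enabled in the IAM app; a role restriction cannot add it
    allowed = role_restrictions.get(ACCESS_CATEGORY[activity], set())
    return allowed == UNRESTRICTED or contact_type in allowed


def permission_matrix(app_activities, role_restrictions):
    """Map each contact type to the sorted list of activities it may perform."""
    return {ct: sorted(a for a in ACCESS_CATEGORY
                       if is_allowed(app_activities, role_restrictions, a, ct))
            for ct in CONTACT_TYPES}


# Test setup from "Restricted Permissions": Delete is not enabled in the IAM app.
RESTRICTED_APP = {"display", "create", "change"}
RESTRICTED_ROLE = {"read": {"EMPLOYEE", "ADDRESS"}, "write": {"EMPLOYEE"}}

# Setup from "All Permissions": role unrestricted, Delete enabled in the IAM app.
ADMIN_APP = RESTRICTED_APP | {"delete"}
ADMIN_ROLE = {"read": UNRESTRICTED, "write": UNRESTRICTED}

if __name__ == "__main__":
    for label, app, role in (("restricted", RESTRICTED_APP, RESTRICTED_ROLE),
                             ("admin", ADMIN_APP, ADMIN_ROLE)):
        print(label, permission_matrix(app, role))
```

A missing access category in the role is treated as an empty value list, so the model denies by default.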
Summary
We can now restrict permissions to the data via the role to offer our users only the relevant data. Likewise, only authorized employees can edit the data, and apart from the administrator, no one can delete the data records from the system.
That brings us to the end of the episode. Thanks for watching and see you next time.