Configure Jazz Model ACLs
This page explains how to use configure and assign predefined Access Rules to a class of Jazz record.
Here is an example of a Task and how Access Rules can be defined for the task when it is created.
Define the Access Rules Task Example
1. Define how all users interact with tasks.
- All Authenticated users can read the tasks.
- All Unauthenticated users (guests) are denied access to tasks.
2. Define who gets to edit the task.
- The owner of the task is the person who creates it. The owner is allowed to edit the task.
These three statements for Access Rules can be achieved in Figure 1.
Define the Access Rules for more Users
Workflows are used by people to manage all kinds of work. Often, users are included in the workflow. e.g. for a Task, there may be a Project Manager, worker and supervisor - all that need to edit the task.
Figure 2 shows two additional Access Rules:
- Allow Jane to edit the record.
- Allow the User added to the Property 'ContactId' to edit the record.
Define the Access Rules Using Roles Example
The Task example provides edit access only to the owner of the task. How do you provide additional users edit access?
From a configuration perspective, the simplest approach is to define a group that has access, e.g. the supervisors who manage the day-to-day operations. Figure 3 shows Roles added to the Access Rules.
- All users with the Supervisor role are allowed to edit all tasks.
- All users with the Accounting role are denied access to all tasks.
- All users with the Management role are provided Read-Only access to all tasks.
Hints about Assigning Access Rules
There are two basic approaches to assigning Access Rules.
1. Restrict access to a Jazz record.
2. Be open and flexible in providing access to a Jazz Record.
Restrict access to a Jazz Record
This approach takes the following course:
- Create a Default Access Rule that restricts all users.
- Add User and/or Role-based Access Rules for the users and/or roles that are allowed Full and/or Read-Only access.
This approach may lead to "I cannot see the record" from your users. The solution to this issue may be:
- Tell this user that they are denied access to the record.
- Add another Access Rule for this user to provide the correct access to the record.
- Add a Role to this user that provides the correct access to the record.
Restrictive Access Rules is the approach taken in the example above:
- Deny access to non-authenticated users.
- Provide Read-Only access to authenticated users.
- Add Access Roles for specific users and/or roles.
Open and Flexible access to a Jazz Record¶
The approach takes the following course:
- Create a Default Access Rule that is open and allows users to see all Jazz Records.
- Add Role-based Access Rules for roles that are allowed Full access.
This approach may lead to allowing users to see information that either they should not see or is a distraction. Today's work environment tends to provide open access to information. In most cases this is the best approach. However, there are some classes of information, e.g. Personnel Records and Pay where restrictive access is warranted.
Access Rules for Properties
In Figure 3, there is a column labelled 'Members'. This refers to properties or fields that are in the Jazz Record. By adding a semi-colon list of properties, the Access Rule now is tailored to just those members.
e.g. Add 'DueDate;AssignedTo' to the 'Supervisor' Role Access Rule.
- Without the Members, the Access Rule reads 'Allow Users with the Supervisor' Role Full access to the Jazz Record.
- With these Members, the Access Rule reads 'Allow Users with the Supervior' Role Full access to the 'DueDate' and 'AssignedTo' properties of the Jazz Record. (Based on other Access Rules in the example, these users are authenticated and get Read-Only access.)