How Can We Help?

Advanced Groups Configuration

 
Once we have inserted the users into our system, we can create groups to organize our working teams and the end user groups.

The use of groups, in fact, allows you to:

  • Assign workin teams to records: the team that has taken in charge a request or the team that has to manage a device of the CMDB.
  • Permissions to create/read/update/delete a record: Deepser allows you to differentiate permissions of the user groups inside the modules they can access.

 

 
The basic configuration of groups has already been described in this guide: Groups Configuration.
In this chapter we will describe the advanced groups configuration to set group permissions.

 



 

Give permissions to groups

We can define group permissions from the menu System > Permissions > Groups and then modifying the Rules in the tab “Rules”.

 

Permissions in Deepser are given for every single module and entity.
In this way, for every entity of the system, an Administrator can configure with the maximum granularity all the creation / read / edit / delete permissions for every user of the system.
The rules to define permissions are:

  • Create: if a user can create a record of a certain entity. Usually, conditions for this field are true or false.
  • Read: it tells if a user can see the details of the record of a certain entity. Usually, we define custom expressions to filter visibility of some record types. For example, we can define that users belonging to a group can see Service Operations, but only of a specific Service Type. Or we can define a user group can see the Service Operations assigned to the users of that group.
  • Update: it tells if a user can modify the details of the record of a certain entity. Usually, we define custom expressions to filter the edit permission of some record types. For example, we can define that users belonging to a group can edit Service Operations, but only of a specific Service Type. Or we can define a user group can edit the Service Operations assigned to the users of that group.
  • Delete: it tells if a user can delete (physical delete) records for a specific entity. Usually, we define custom expressions to filter the delete permission of some record types. For example, we can define that users belonging to a group can delete Service Operations, but only of a specific Service Type. Or we can define a user group can delete the Service Operations assigned to the users of that group.
  • Grid: it tells if a user can view (in the grids) records for a specific entity. Usually, we define custom expressions to filter the grid view permission of some record types. For example, we can define that users belonging to a group can view Service Operations, but only of a specific Service Type. Or we can define a user group can view the Service Operations assigned to the users of that group.
    This permissions allows us to filter the records before the queries used by the grids, so we can separate the visibility for every working teams.

To define the rules we have to follow some specifications. Let’s see that with an example.

 



 

Examples of Rules for the Groups

To give an example, consider a team that will:

  • Always create Service Operations;
  • Read only the details of Service Operations sent by a specific user group;
  • Edit only Service Operations assigned to the team members (Assigned Group);
  • Delete only Service Operations assigned to the current user (Assigned To);
  • View in the grids only Service Operations assigned to the team members (Assigned Group).

Talking about creation, we define a Rule (of type Create), and in the Model field we choose DeepService – Operation, in the Expression field we write this PHP code:
[php]
return true;
[/php]
That is enough to configure this rule:

 

Talking about the read permission, we define a Rule of type Read, in the field Model we choose DeepService – Operation and in the field expression we write the following PHP code:
[php]
$requester = $model->getRequesterUser();
if ($requester && $requester->isInGroup(‘Customers’))
return true;

return false;
[/php]
We can easily configure the rule with high flexibility using only 4 rows of PHP code. In details, the object $model allows us to get all the information we need to define our rule.

 
Talking about editing an entity, define a Rule of kind Update, in the field Model choose DeepService – Operation and in the field Expression write the following PHP code:
[php]
$assignedGroup = $model->getAssignedGroupId();
$currentUser = Deep::helper(‘deep_admin’)->getCurrentUser();

if ($assignedGroup && $currentUser->isInGroup((int)$assignedGroup))
return true;

return false;
[/php]
The variable $currentUser allows us to get all the information of the user logged in the system.

 
Talking about th record deletion, we can define a Rule of type Delete, in the field Model choose DeepService – Operation and in the Expression field write the following PHP code:
[php]
$assignedUsername = $model->getAssignedUsername();
$currentUser = Deep::helper(‘deep_admin’)->getCurrentUser();

if ($assignedUsername && $assignedUsername == $currentUser->getUsername())
return true;

return false;
[/php]

 

For the grids, define a Rule of kind Grid, and in the field Model choose DeepService – Operation. In the field Expression write the following PHP code:
[php]
$currentUser = Deep::helper(‘deep_admin’)->getCurrentUser();

$this->getCollection()->addFieldToFilter(
‘assigned_group_id’, [‘in’ => $currentUser->getGroupIds()]
);
[/php]

In questo caso stiamo facendo uso delle Collection, ovvero degli oggetti principali utilizzati da Deepser quando ci riferiamo alle griglie. Per una descrizione dettagliata di cos’è possibile fare con le Collection, si rimanda alla guida sulla configurazione delle griglie di Deepser.

 



 

Use Cases

We have seen how with simple PHP expression we can configure group permissions in Deepser. It is easy and fast, but very flexible, to configure the rules.
The use of those expressions lets us set permissions starting from the value of every field of every entity of the system to implement every business logic to cover the needs of any company.
There are many other uses of groups that we can set wothout using PHP code.
We can find groups inside modules to define the assignment group of a Service Operation:

 

Or the group that can access the Calendar:

 

 
Generally, we find groups in a lot of entities in Deepser. For that, the group configuration must be one of the first setting of our system, starting from an accurate analysis of our service and our working teams.

Previous Company Configuration
Next LDAP Configuration
Table of Contents