Role-level variables and role-level restrictions have been added to the system, giving you more flexibility in providing variables and restrictions to users.
Previously, if 10 users shared the same variable or restriction, it had to be added to each individual user.
Now we can create a role with a variable and restriction, and if the role is assigned to 10 users, the variable and restriction apply to all 10 users.
Variables:
Global Variables - (existing) such a variable is available to every user
Role Variables - (new) if a role has variables, these variables are available to users if the role is assigned to a user
User Variables - (existing) a variable that is only available to a particular user
Variable Overriding:
Variables are applied in the following order:
User variables can override Role variables
Role variables can override Global variables
To help with understanding, let’s look at the following scenario. The system has been set up with:
a global variable PI_STYLES=default-theme (PI_STYLES represents the theme to be used to display the dashboard)
a role called Marketing, which has a variable PI_STYLES=marketing-theme
a role called Sales, which has a variable PI_STYLES=sales-theme
a user called Bob who, by default, has PI_STYLES=default-theme
These variables will be applied in the following way:
If Sales role is assigned to Bob, Bob will see the PI_STYLES=sales-theme
If the Sales and Marketing roles are both assigned to Bob, then the ordering position, seen at the top-right of the Dashboard Configuration > Roles screen, will determine whether the sales-theme or marketing-theme is used for Bob
If the Sales role has a lower ordering position than the Marketing role (meaning it’s in the front of the queue), then sales-theme is used
The ordering position also decides the display order of the Roles on the screen. The lower ordering position is in the front. In the following example, the Sales role has the position 1 and Marketing is position 2, which means that the Sales role will appear above the Marketing role.
If 2 roles have the same ordering position, then alphabetical order is respected both for display purposes and when role variables have conflicts. In the following screenshot, both roles have the position 1, which means they will appear alphabetically.
If Bob has a variable PI_STYLES=bobs-theme, then bobs-theme would be used by Bob regardless of whether there is a role assigned to Bob
Restrictions:
Role Restrictions - (new) if a role has a restriction, assigning that role to multiple users applies the same restriction to all of those users
User Restrictions - (existing) a restriction that applies to a particular user
Restriction Cumulation and Overriding:
User Restrictions and Role Restrictions are applied to users:
when multiple roles are given to a user, with the same restriction, the restriction accumulates
when a user has a restriction, which is the same as a role restriction, the role restriction is ignored
To help understanding, if the system has:
a role called Marketing, which has a restriction: Department = 'Marketing'
a role called Sales, which has restrictions: Department = 'Sales'; Year = 2021
a user called Andy, who has a restriction: Region = 'UK'
Then:
By default, Andy can only see data with Region = 'UK', because such a restriction is always applied to Andy
If the Sales role is assigned to Andy, then Andy can only see data with
Region = 'UK' (from Andy)
and Department = 'Sales' (Andy cannot see data related to Marketing)
and Year = 2021 (from Sales role)
If both the Sales and Marketing roles are assigned to Andy, then Andy can see data with
Region = 'UK'
and Department in ('Sales', 'Marketing') - (this is because Andy has 2 roles, so Andy can see data related to both roles)
and Year = 2021
If the user Andy has a restriction: Department = ('Sales', 'Dev'), while the Sales and Marketing roles are assigned to Andy, then the user restriction is used and role-level restrictions on the same topic are ignored (the Department restrictions from the roles are ignored because this implementation allows undesirable role restrictions to be removed). Andy can then see data with
Region = 'UK' (from Andy)
and Department in ('Sales', 'Dev') - (from Andy, ignoring what's in the roles)
and Year = 2021 (from Sales role)
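
The override and accumulation rules above, modelled in a short Python sketch that reproduces the Bob and Andy scenarios. This is an added example, not the product's own code: the function names and data layout are assumptions, and it assumes that when two roles share an ordering position the alphabetically first role wins a variable conflict.

```python
# Added illustration modelling the documented rules; not the product's code.
# Function names and the dict layout are assumptions made for this example.

def effective_variables(global_vars, roles, user_vars):
    merged = dict(global_vars)
    # Apply roles from the back of the queue to the front, so the role with the
    # lowest ordering position (ties: alphabetically first, an assumption)
    # is written last and wins a conflict.
    for role in sorted(roles, key=lambda r: (r["position"], r["name"]), reverse=True):
        merged.update(role.get("variables", {}))
    merged.update(user_vars)  # user variables override role and global ones
    return merged

def effective_restrictions(roles, user_restrictions):
    """Return {field: allowed values}; a row must satisfy every field (AND)."""
    merged = {}
    for role in roles:
        for field, values in role.get("restrictions", {}).items():
            merged.setdefault(field, set()).update(values)  # same field accumulates
    for field, values in user_restrictions.items():
        merged[field] = set(values)  # user restriction replaces the role values
    return merged

def can_see(row, restrictions):
    return all(row.get(field) in allowed for field, allowed in restrictions.items())

# Constructed sample data mirroring the scenarios on this page.
GLOBALS = {"PI_STYLES": "default-theme"}
MARKETING = {"name": "Marketing", "position": 2,
             "variables": {"PI_STYLES": "marketing-theme"},
             "restrictions": {"Department": {"Marketing"}}}
SALES = {"name": "Sales", "position": 1,
         "variables": {"PI_STYLES": "sales-theme"},
         "restrictions": {"Department": {"Sales"}, "Year": {2021}}}

if __name__ == "__main__":
    print(effective_variables(GLOBALS, [MARKETING, SALES], {}))
    andy = {"Region": {"UK"}, "Department": {"Sales", "Dev"}}
    print(effective_restrictions([SALES, MARKETING], andy))
```

In the last scenario the user-level Department list replaces the role values rather than intersecting with them, so the user restriction alone decides which departments Andy can see.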