Sharing and access rights
Access rights model
This section explains how the access rights model in Apromore works.
Types of access rights
The Apromore portal allows users to navigate through a hierarchical file system consisting of folders and two types of files: event logs and process models. Every file (event log or model) is located in a folder. A folder may contain one or more sub-folders and files. The top folder is called Home. Every user has a Home folder.
The ability for a user to perform operations on a file (e.g., to create or edit a process model) is determined by the Access Control List (ACL) of the file and the enclosing folder. An ACL indicates which users or groups have been granted access rights over a folder or file.
The types of access rights that may be granted to a user or a group are:
Owner: An owner of a folder can add subfolders or files to the folder or delete subfolders or files. An owner of a folder or file can rename the file/folder and modify the ACL of the folder or file. An owner of a file can view and edit the file (i.e., edit a process model, create or edit dashboards, filters, or KPIs within a log).
Editor: An editor of a file can edit the file (edit a process model, create or edit dashboards or filters within a log). An editor of a folder can open the folder and can only see the subfolders and files for which they have been granted owner, editor or viewer access rights.
Viewer: A viewer of a file can open the process model or open the log and use the dashboards, filters, and KPIs attached to the log, but they cannot edit the file (e.g., add or modify dashboards). The viewer of a folder can open the folder and can only see the subfolders and files for which they have been granted owner, editor or viewer access rights.
A user (or group) can also be a Restricted Viewer of an event log. A Restricted Viewer has the same privileges as a Viewer, except that a restricted viewer may only be able to use a subset of the dashboards associated with the log (not necessarily all), as determined by an Owner.
Note
A user with Superuser rights may modify the access control list of any folder or file in the tenancy by using the “Manage Access Rights” console in the Portal.
Hierarchical ownership principle
Every owner of a folder F is also owner of all the items directly or transitively contained inside folder F. If a user or group is owner of a folder F, they are also owners of:
Every subfolder of F and every transitive subfolder of F.
Every file contained in F and every file contained in any direct or transitive subfolder of F.
This principle ensures that if a user or group is owner of a folder they can:
View and open any subfolder or file under this folder (directly or transitively).
Rename or edit any subfolder or file under this folder (directly or transitively).
Alter the access rights of any folder or file under this folder (directly or transitively).
In other words, an owner of a folder has full visibility and control over the contents of this folder.
To enforce the Hierarchical Ownership principle, Apromore enforces the following behaviors:
When a user or a group is granted Ownership of a folder F, this user or group is automatically granted Ownership of all the files or folders contained in F (directly or transitively).
When a subfolder or file is added to folder F, the access rights of F are propagated to this new file or folder. The owner of folder F can then adjust these access rights as they see fit.
When a subfolder or file is moved into folder F, the access rights of F are propagated to this new file or folder. The owner of folder F can then adjust these access rights as they see fit. The previous access rights of the moved file or folder are overridden, since it is now located under a different ownership domain, with different access control lists.
Note
A user may only copy a file or folder into a new folder F if they are an Owner of folder F. In the case of a Move operation, the user must also be an Owner of the source folder.
With reference to the figure below, if a user is granted Owner access rights on Subfolder 1, they are automatically also granted access rights on Subfolder 3, Subfolder 4, File 1, File 2, File 3, File 4, and File 10.
Right of traversal principle
If a user or group has access to a file or folder, be it as an Owner, Editor or Viewer, this user or group expects to be able to traverse the file hierarchy in order to access this file or folder.
Accordingly, when a user or group is added to the access control list of a folder or file located under a folder F, Apromore checks if this user is able to access folder F. If the user is not able to access folder F, Apromore automatically grants Viewer rights on folder F and, if required, on the parent folder of folder F, and so on up the hierarchy, so that the user or group can reach folder F and see and use the file or folder to which they were granted access.
With reference to Figure 1, if User1 is granted Editor access rights on File 1, then User1 is automatically granted Viewer access rights on Subfolder 3 and Subfolder 1 (unless User1 was already in the access control list of Subfolder 3 or Subfolder 1).
Note
Once a user is granted Viewer access rights to a hierarchy of folders, as a consequence of the Right of Traversal policy, any subsequent file or folder added to such folders will be visible to that user.
Co-ownership and “at least one owner” principle
An owner of a file or folder F may grant Owner right over F to other users or groups, while retaining their Owner right over F. In this way, a file or folder may have multiple co-owners.
An owner of a file or folder F may also revoke the access rights of other owners of F, or they may downgrade the access rights of another user from Owner to Editor or Viewer.
An owner of a file or folder F may revoke their own Owner right over F (or downgrade it). However, Apromore enforces the principle that every file and folder must have at least one owner at all times.
When a user is deleted by a superuser, the superuser is given the option between either deleting or transferring ownership of all files and folders of the deleted user, in such a way that no files or folders remain ownerless.
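The three principles above can be modelled in a few lines to see how they interact, in particular how a Viewer entry created by the right of traversal makes items added later visible to that user. This is an added illustration, not Apromore's code: the `Node`, `add_child`, `grant`, `revoke` and `demo` names, the user `alice`, the item `New log` and the tree layout are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    parent: "Node" = None                           # None = top of the modelled tree
    acl: dict = field(default_factory=dict)         # principal -> right
    children: list = field(default_factory=list)

def add_child(folder, name):
    """Adding an item propagates the enclosing folder's ACL to it."""
    node = Node(name, folder, dict(folder.acl))
    folder.children.append(node)
    return node

def grant(node, principal, right):
    """Grant a right; return the ancestor folders that received an implied Viewer entry."""
    node.acl[principal] = right
    implied = []
    folder = node.parent
    while folder is not None:                       # right of traversal
        if principal not in folder.acl:
            folder.acl[principal] = "Viewer"
            implied.append(folder.name)
        folder = folder.parent
    if right == "Owner":                            # hierarchical ownership
        for child in node.children:
            grant(child, principal, "Owner")
    return implied

def revoke(node, principal):
    """Remove an ACL entry on this node only (assumption), keeping at least one owner."""
    owners = [p for p, r in node.acl.items() if r == "Owner"]
    if owners == [principal]:
        raise ValueError("cannot remove the only owner of " + node.name)
    node.acl.pop(principal, None)

def demo():
    # Constructed tree: Subfolder 1 > Subfolder 3 > File 1, owned by "alice".
    sub1 = Node("Subfolder 1", acl={"alice": "Owner"})
    sub3 = add_child(sub1, "Subfolder 3")
    file1 = add_child(sub3, "File 1")
    implied = grant(file1, "User1", "Editor")       # share a single file
    later = add_child(sub3, "New log")              # added afterwards by the owner
    return implied, later.acl

if __name__ == "__main__":
    implied, acl = demo()
    print("implied Viewer on:", implied)
    print("ACL of item added later:", acl)
```

When reviewing shares, treat Viewer entries on folders as grants in their own right: in this model the item added after the share inherits User1's Viewer entry even though only File 1 was shared.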
Properties of the home folder
The Home folder is different for every user. When a new user account is created, their Home folder is empty, unless the user is a member of a group and this group is in the access control list of a file or folder located in the Home folder.
When a user creates a folder or creates or uploads a file in their Home folder, they become the sole Owner of this file or folder. They can then share this file or folder with other users or groups.
When a user copies a file or folder into their Home folder, they become the sole Owner of this file or folder. The user may then grant access rights to other users or groups as they see fit.
Share an event log
To share an event log, select the log from the workspace and click on the button.
Alternatively, we can also select the log and right-click. Click Share.
The File Sharing window pops up. This window consists of two sections: List of Users and Associated artifacts.
Note
To share all the artifacts (filters/dashboards) associated with a log, set the Viewer (full) permission for the user. To share only specific artifacts (filters/dashboards) associated with a log, set the Viewer (restricted) permission for the user and tick the boxes next to the artifacts to be shared.
Type the name of the user we wish to share with. Click Share.
The selected user appears in the users’ list.
We can see the list of associated artifacts automatically shared with a user in the Associated Artifacts section.
Note
Only an owner or editor can edit/rename/delete the associated artifacts. If a user is assigned viewer permissions to access a particular log/model, they will only see it in view mode. Functions such as export, save/save as, and share will be disabled.
To change the access rights for a particular user, click on the Permission drop-down list and select the desired permissions.
Finally, click Apply to share the file.
To revoke access for a particular user, click the button.
Click Apply to save the changes.
Share a process model
To share a process model, select it from the workspace and click on the button.
Enter the user or group with whom we want to share the model using the Type in a user or group name textbox. Click Share.
The selected user appears in the users’ list.
To change the access rights for a particular user, click on the Permission drop-down list and select the desired permissions.
Click Apply.
To revoke access for a particular user, click the button.
Click Apply to save the changes.
Share a folder
To share a folder, select the folder from the workspace and click on the button.
Alternatively, we can right-click a folder and click Share.
Enter a user or group with whom we want to share the folder using the Type in a user or group name textbox. Click Share.
The selected user appears in the users’ list.
To change the access rights for a particular user, click on the Permission drop-down list and select the desired permissions.
Finally, click Apply.
To revoke access for a particular user, click the button.
Click Apply to save the changes.
Manage access rights
The Access Rights Management functionality provides administrators with a comprehensive view of all the files and folders along with the users and their access rights. The administrator can easily browse through the permissions of the files/folders.
Note
Only a user with Administrator or Superuser rights can access the Access Rights Management functionality.
To share files/folders, click the button.
After the Access rights management window opens, select the file/folder to be shared and enter the username you intend to share the file/folder with in the Type in a user or group name textbox.
Click Share to share the file/folder.
The user now appears in the users list.
To change the access rights for a particular user, click on the Permission drop-down list and select the desired permissions.
Click Apply.
To revoke access for a particular user, click on the button.
Click Apply to save the changes.
As admins or superusers, we can manage the access rights of the folders and files in our tenancy. To manage access rights, open the “Access rights management” window (this requires administration privileges). Go to the Users tab. This displays a list of users and groups in the tenancy.
When we click on a user, Apromore displays the files or folders the user has access to, the date of creation, and the permission the user holds.
As an admin or superuser, we can change the permission. Click the Permission dropdown to select another permission. Let us say we want the user to edit the claims management log. Select “Editor” from the Permission drop down.
Click Apply to save this change.
The user can now edit the log from their Apromore Workspace. In addition, as an admin/superuser, we can revoke a user’s access to a file or folder. Click the bin button.
Click Apply. This revokes the user’s access to the file/folder, and it will no longer appear in the user’s workspace.
Note
A file/folder must have at least one owner. When we attempt to revoke access from a user who is the sole owner of the file/folder, an error message is displayed indicating that we cannot remove the only owner of a file/folder.