Identity Provider (IdP) Security Level Rules

Say I wanted to give a tag write permissions more complex than I can give with just roles, for example (pseudo-code):

({Authenticated/Roles/Operator} and {Authenticated/Roles/Area_WWTP}) or {Authenticated/Roles/Master}

I assume that I would need to create a custom security level for each of these more complex examples and then configure a Security Level Rule for these in the IdP.
The User Manual doesn't mention anything about being able to use logical operators, but can I use something like:

containsAll({user:roles}, 'Operator', 'Area_WWTP')
||
containsAll({user:roles}, 'Master')

?


This does appear to work.
However, for example, say I had multiple areas (WWTP/Refrigeration/Line1/etc.) and multiple basic privileges (Supervisor/Operator/Engineer/Maintenance/etc.). What if I wanted a particular user to be a Supervisor in WWTP but only have Operator level in Line1?
I think I would then need multiple area roles, like WWTP_Operator, WWTP_Supervisor, Refrigeration_Operator, Refrigeration_Supervisor, etc. and I wouldn't then need custom roles defined, unless I'm missing something?
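As an added example (not code from this thread or from the IdP product itself), a small Python model of how rules of the containsAll(...) || containsAll(...) shape resolve against a user's roles, so a rule design can be checked before it is entered in the IdP. It assumes the flat versus area-prefixed role names shown, which are constructed for illustration, and shows why flat roles cannot express "Supervisor in WWTP but only Operator in Line1":

```python
# Added example, not code from the forum thread or from the IdP product: a small
# model of how security level rules of the form
#   containsAll({user:roles}, 'Operator', 'Area_WWTP') || containsAll({user:roles}, 'Master')
# resolve against a user's roles. Role and level names below are constructed.

def contains_all(user_roles, *required):
    """Mirror of containsAll(): every required role is present in the user's roles."""
    return all(role in user_roles for role in required)

def rule_matches(user_roles, alternatives):
    """A rule is an OR of AND-groups: any group whose roles are all held satisfies it."""
    return any(contains_all(user_roles, *group) for group in alternatives)

def granted_levels(user_roles, rules):
    """Return the custom security levels whose rule the user's roles satisfy."""
    roles = set(user_roles)
    return {level for level, alts in rules.items() if rule_matches(roles, alts)}

# Design 1: flat privilege roles (Operator, Supervisor) plus flat area roles.
FLAT_RULES = {
    "WWTP_Supervise":  [{"Supervisor", "Area_WWTP"}, {"Master"}],
    "Line1_Supervise": [{"Supervisor", "Area_Line1"}, {"Master"}],
    "WWTP_Operate":    [{"Operator", "Area_WWTP"}, {"Supervisor", "Area_WWTP"}, {"Master"}],
    "Line1_Operate":   [{"Operator", "Area_Line1"}, {"Supervisor", "Area_Line1"}, {"Master"}],
}

# Design 2: area-prefixed roles (WWTP_Supervisor, Line1_Operator, ...), one IdP group
# per role, as in the multiple-area-roles approach discussed in the thread.
PREFIXED_RULES = {
    "WWTP_Supervise":  [{"WWTP_Supervisor"}, {"Master"}],
    "Line1_Supervise": [{"Line1_Supervisor"}, {"Master"}],
    "WWTP_Operate":    [{"WWTP_Operator"}, {"WWTP_Supervisor"}, {"Master"}],
    "Line1_Operate":   [{"Line1_Operator"}, {"Line1_Supervisor"}, {"Master"}],
}

def flat_design_user():
    """Intended: Supervisor in WWTP, only Operator in Line1, expressed with flat roles."""
    return granted_levels({"Supervisor", "Area_WWTP", "Operator", "Area_Line1"}, FLAT_RULES)

def prefixed_design_user():
    """The same intent expressed with area-prefixed roles."""
    return granted_levels({"WWTP_Supervisor", "Line1_Operator"}, PREFIXED_RULES)

if __name__ == "__main__":
    # Flat roles cannot say *where* the user is Supervisor, so Line1_Supervise leaks
    # through; the prefixed design grants exactly the intended levels.
    print("flat:    ", sorted(flat_design_user()))
    print("prefixed:", sorted(prefixed_design_user()))
```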

We have multiple roles which I think is similar to your multiple area roles. We use Azure AD where all of the roles are defined (in App Registration). The security groups are defined in the Azure AD Enterprise Application screen and each group has 1 role associated with it. There is a 1 to 1 mapping of a group to a role.

Project1_Operator
Project1_Maintenance
Project1_ViewOnly
Project2_Operator
Project2_Maintenance
Project2_ViewOnly
Area1_Operator
Area1_Maintenance
Area1_ViewOnly
etc.
