Custom Permissions on Models

If you require more flexibility, you can implement a custom permission policy. Each role can have its own permission policy or you can share an implementation across several roles. One common example involves hierarchical data structures such as corporate organization charts. A corporate division may want to create a role for division personnel to report against subordinate sites, which may themselves have subordinate reporting organizations. In these cases, it's appropriate for the division level personnel to see information relevant to its subordinate organizations all the way down the org chart, but not be able to see other division's data. In these cases, you can create a custom permissions policy class in Java.


Procedure 4.3. To use a custom permissions policy

  1. Create a class that implements the interface com.onenetwork.platform.data.model.CustomModelPermissionPolicy.

  2. Click the custom permissions policy checkbox.

  3. Enter the fully-qualified class name.

    Figure 4.2. Custom Permissions Policy is set by selecting the checkbox and typing the full class name of the permissions policy class you created.

    You must still give the role permission at the action, issue, and view level if applicable.

The CustomModelPermissionPolicy interface implemented has three methods. ThegetReportPermissionQueryContribution and getViewPermissionQueryContribution methods are used for read operations, while applyCustomWritePermissions is used for write operations.

Here is an example of creating a custom permissions class. This particular example implements only View permissions, but more often you would implement all 3 methods.

public class MyPolicy implements CustomModelPermissionPolicy {
	@Override
	public void applyCustomWritePermissions(ActionPermissionRequest req) {
	}

	@Override
	public PermissionQueryContribution getReportPermissionQueryContribution(ReportPermissionRequest req) {
		return null;
	}

	@Override
	public PermissionQueryContribution getViewPermissionQueryContribution(ViewPermissionRequest req) {
	if (req.getPlatformUserContext().getRoleTypeName().equals("PCTA.SampleRoleType")) {
		PermissionQueryContribution contrib = new PermissionQueryContribution("STR_FIELD != 'NOT_ALLOWED' and $MY_ENT_NAME$ = 'SampleEnterprise' and $MY_VC_ID$ = 9655");
		return contrib;
		}
    	return null;
	}
}