AnsweredAssumed Answered

What's a good practice to manage near-equal rights using (extended?) privilege sets?

Question asked by wimmmmm on Dec 31, 2018
Latest reply on Jan 2, 2019 by wimmmmm

The Fleet Tool is a sort of extranet, where each of our customers can see (only) their orders, and approve a detail on it.

To control access, I have these privilege sets:

  • [Full Access]
  • Client: the internal client users, with rights to all data
  • Fleet Tool Manager: limited access to a set of layouts via WebDirect, to support a flow at the customer side. This person can approve an order.
  • Fleet Tool Assistant: almost same access as the Fleet Tool Manager, except this person can only prepare an order, not approve

In Fleet Tool Manager & Assistent, I've limited access to order & linked records based on an expression
$$CustomerID = Order::CustomerID

The reason for the two privilege sets, is to distinguish the assistants from the managers when showing buttons on an Order detail layout: Manager can approve, Assistant cannot approve.

 

Now my question: while I'm enhancing the Fleet Tool solution, I'm adding tables, records, etc, and with the current approach I need to keep the 2 privileges exactly the same. That's cumbersome, and not how I perceive a security system.

What I want to do is:

  • define a single set of access rules to the Fleet Tool (Privilege)
  • have 2 variants, so I can distinguish the Manager from the Assistant

However, with Extended Privileges I cannot re-use the single Privilege set, since I'm linking an extended priv set to a priv set, not to a user.

 

What's a clean way to do this with one Privilege Set?

Outcomes