08-18-2022 06:59 AM
Good morning, great and powerful VURD 🙂
Can an external class be used as the Identity class for a security attribute configuration?
Here's my use case:
School admins need to be able to assign substitute teachers to fill absences. Principals need to be able to approve those assignments. Both of these user groups need to only see the absences and sub pay objects associated with their individual schools. With 39 schools, it's not practical to have a separate workflow queue or separate OnBase user group per school. The only reliable way to identify each user's job role and location is in our ERP database, so I've pulled that data into two external classes - one for Principals and one for School Admins. Each of these classes contains the user's user ID (which matches their OnBase user ID) and a numeric code for their location.
I also have standard classes for Absences and Sub Pay Requests. The Absence object has a corresponding numeric code for the location where the absence needs to be filled. The Sub Pay class has a relationship attribute to the Absence class. I need to restrict access on both of these classes, so that Principals and School Admins can only see the ones that match the user's location as defined in their respective identity classes.
Here's my configuration in Studio:
I seem to be unable to configure different security attributes with different Identity attributes, which may be part of my problem, but even just the Principals Sub Pay security attribute doesn't work the way I thought it would. What am I doing wrong here?
Thanks in advance!
09-28-2022 12:55 PM
I did end up working with my FLOS to resolve this. This is how we configured the security attribute and it works beautifully now:
08-18-2022 09:35 AM
Hi Sydney,
Your setup should work if some conditions are met:
It is also a good idea to set some rights for any value (*), e.g. if the previous conditions are not met:
As you have mentioned, there cannot be multiple Identities. The Identity table should be a single table with a row for each of your users (no duplicates). In your case, you may be able to consolidate Principals and School Admins in one table, e.g. if based on views then do a union.
Also beware that in this type of setup the users will not be able to create new objects, because for a new object SchoolID will be null and thus they cannot edit it, as it does not match their Location.
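The consolidation and the null-location caveat from the reply above, modeled in SQLite as an added example (not from the thread, and not OnBase's own implementation). Table, view and column names and the sample rows are constructed, and the equality join is an assumed stand-in for the location match described in the thread.

```python
import sqlite3

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE principals    (user_id TEXT, location INTEGER);
        CREATE TABLE school_admins (user_id TEXT, location INTEGER);
        CREATE TABLE absences      (id INTEGER PRIMARY KEY, location INTEGER);
        -- Constructed sample rows. KLEE appears in both role tables with
        -- different locations; absence 3 is a new object with no location yet.
        INSERT INTO principals    VALUES ('PJONES', 101), ('KLEE', 102);
        INSERT INTO school_admins VALUES ('ASMITH', 101), ('KLEE', 103);
        INSERT INTO absences      VALUES (1, 101), (2, 102), (3, NULL);
        -- One identity source for both roles. UNION removes exact duplicate
        -- rows only, so a user with two locations still yields two rows.
        CREATE VIEW identity AS
            SELECT user_id, location FROM principals
            UNION
            SELECT user_id, location FROM school_admins;
    """)
    return db

def duplicate_identities(db):
    """User IDs with more than one identity row (violates one row per user)."""
    rows = db.execute("SELECT user_id FROM identity GROUP BY user_id "
                      "HAVING COUNT(*) > 1 ORDER BY user_id")
    return [r[0] for r in rows]

def visible_absences(db, user_id):
    """Absence ids whose location equals the user's identity location."""
    rows = db.execute("SELECT a.id FROM absences a JOIN identity i "
                      "ON a.location = i.location WHERE i.user_id = ? "
                      "ORDER BY a.id", (user_id,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print("users with duplicate identity rows:", duplicate_identities(db))
    for user in ("PJONES", "ASMITH", "KLEE"):
        print(user, "sees absences", visible_absences(db, user))
```

Running the duplicate check against the real consolidated source before pointing the security attribute at it shows which users need to be resolved to a single location first.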
08-18-2022 10:33 AM
I suspect you might be able to use a Trigger to do a Filter lookup against the Location Class and populate the Location ID of the currently active user. Something like that.
08-18-2022 11:00 AM
I'm using an ad hoc task for creating new absence records manually (most of them are imported from the absence management LOB app and created automatically) so I can set the location attribute for the new absence object to the user's location that way.
08-18-2022 11:45 AM
So, after modifying my AllEmployees class to include the user ID and updating the security attribute configuration to use AllEmployees.UserID as the Identity marker, with no other modifications, I get this error:
No idea what it's talking about. I'm logged in as a test user who definitely exists in the identity class and has a known location value that matches at least one of my test objects.