
Security Attribute on External Class

Sydney_Simpson1
Star Contributor

Good morning, great and powerful VURD 🙂 

 

Can an external class be used as the Identity class for a security attribute configuration?  

 

Here's my use case: 

School admins need to be able to assign substitute teachers to fill absences.  Principals need to be able to approve those assignments. Both of these user groups need to only see the absences and sub pay objects associated with their individual schools.  With 39 schools, it's not practical to have a separate workflow queue or separate OnBase user group per school.  The only reliable way to identify each user's job role and location is in our ERP database, so I've pulled that data into two external classes - one for Principals and one for School Admins.  Each of these classes contains the user's user ID (which matches their OnBase user ID) and a numeric code for their location. 

 

I also have standard classes for Absences and Sub Pay Requests.  The Absence object has a corresponding numeric code for the location where the absence needs to be filled.  The Sub Pay class has a relationship attribute to the Absence class.   I need to restrict access on both of these classes, so that Principals and School Admins can only see the ones that match the user's location as defined in their respective identity classes.  

 

Here's my configuration in Studio:


 

I seem to be unable to configure different security attributes with different Identity attributes, which may be part of my problem, but even just the Principals Sub Pay security attribute doesn't work the way I thought it would.  What am I doing wrong here? 

 

Thanks in advance!

1 ACCEPTED ANSWER

Sydney_Simpson1
Star Contributor

I did end up working with my FLOS to resolve this.   This is how we configured the security attribute and it works beautifully now: 

 


10 REPLIES

Stefan_Sulea
Star Contributor

Hi Sydney,

 

Your setup should work if some conditions are met:

  • The field UserID from class Principals should contain usernames, e.g. JOHN.SMITH, not the numeric user IDs from OnBase
  • You need to have an index column on the Principals class, e.g. there should be a column of type Integer set as Unique. If you don't have a numeric unique identifier in your source data, that's a problem 😞
  • The Location attribute from Principals and the SchoolID attribute from Absences should be of the same type

It is also a good idea to set some rights for any value (*), e.g. if the previous conditions are not met:


As you have mentioned, there cannot be multiple Identities. The Identity table should be a single table with a row for each of your users (no duplicates). In your case, you may be able to consolidate Principals and School Admins in one table, e.g. if based on views then do a union. 

 

Also beware that in this type of setup the users will not be able to create new objects, because for a new object SchoolID will be null and thus they cannot edit it, as it does not match their Location. 

 

I suspect you might be able to use a Trigger to do a Filter lookup against the Location Class and populate the Location ID of the currently active user. Something like that.

I'm using an ad hoc task for creating new absence records manually (most of them are imported from the absence management LOB app and created automatically) so I can set the location attribute for the new absence object to the user's location that way.

So, after modifying my AllEmployees class to include the user ID and updating the security attribute configuration to use AllEmployees.UserID as the Identity marker, with no other modifications, I get this error: 


No idea what it's talking about.  I'm logged in as a test user who definitely exists in the identity class and has a known location value that matches at least one of my test objects.
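
The conditions listed in Stefan_Sulea's reply (usernames rather than numeric IDs, a unique integer key, one row per user, matching location types) can be checked against a consolidated identity source before a security attribute is pointed at it. The following is an added example, not part of the original thread and not OnBase or Hyland code; it uses SQLite from Python with constructed data, and every table, view and column name in it is hypothetical.

```python
import sqlite3

# Constructed sample data. Table, view and column names are hypothetical
# stand-ins for the ERP-sourced Principals / School Admins classes.
SCHEMA = """
CREATE TABLE principals    (emp_no INTEGER, user_id TEXT, location);
CREATE TABLE school_admins (emp_no INTEGER, user_id TEXT, location);
INSERT INTO principals    VALUES (101, 'JOHN.SMITH', 12), (102, 'ANA.LOPEZ', 7);
INSERT INTO school_admins VALUES (201, 'MARY.JONES', 12), (102, 'ANA.LOPEZ', 9),
                                 (203, '4451', '7');
-- One identity source for both roles. UNION removes only exact duplicate
-- rows, so a user listed in both tables with different data survives twice.
CREATE VIEW all_identities AS
  SELECT emp_no, user_id, location FROM principals
  UNION
  SELECT emp_no, user_id, location FROM school_admins;
"""

def open_sample():
    """In-memory database holding the constructed identity data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check_identity_source(db, view="all_identities"):
    """Return the rows that violate each condition, keyed by check name."""
    def rows(sql):
        return db.execute(sql.format(v=view)).fetchall()
    return {
        # A user with two rows has an ambiguous location for access checks.
        "duplicate_users": rows(
            "SELECT user_id, COUNT(*) FROM {v} GROUP BY user_id "
            "HAVING COUNT(*) > 1 ORDER BY user_id"),
        # The integer key column has to be unique across the whole source.
        "duplicate_keys": rows(
            "SELECT emp_no, COUNT(*) FROM {v} GROUP BY emp_no "
            "HAVING COUNT(*) > 1 ORDER BY emp_no"),
        # Identity values should be usernames, not all-digit IDs.
        "numeric_user_ids": rows(
            "SELECT user_id FROM {v} "
            "WHERE user_id NOT GLOB '*[^0-9]*' ORDER BY user_id"),
        # Location has to be an integer to compare with an integer SchoolID.
        "non_integer_locations": rows(
            "SELECT user_id, typeof(location) FROM {v} "
            "WHERE typeof(location) <> 'integer' ORDER BY user_id"),
    }

if __name__ == "__main__":
    for check, bad in check_identity_source(open_sample()).items():
        print(check, bad)
```

An empty list for every check means the source meets the listed conditions; any non-empty list names the rows to fix in the ERP query or view first.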