This post will expand a bit on the last post regarding Roles in Dodeca.
Can a user have multiple Roles?
Yes, a user can be assigned to multiple roles. Simply use the drop down in the User Manager to check all or any roles that are applicable.
If the HierarchyToRole mapping is defined, what hierarchy is used if a user is not assigned to a role?
In the last post we saw how the user’s role determined the hierarchy that they are assigned in the application, but what if a user attempts to open the application without being assigned a role?
First thing to consider is the HierarchyID property. In the example in the previous post, this property was empty. But a HierarchyID could be defined here, for example Standard, and in that case, the it would be the Standard hierarchy that would be presented to the user.
If there is no HierarchyID defined, then there are more Application property settings to consider for this situation.
From the last post, we updated the AuthenticationServiceObjectTypeID property to DodecaUserRoles, and we also set the HierarchyToRoleMapping property for our two roles: PLANNER and REVIEWER.
There is another Application property to consider under the Security section. It is called AllowStartupForUserAssignedNoRoles. The default for this property is set to True.
This indicates that a user can still start the application even if they do not have a role assigned. But since the hierarchies are only available to users with roles, and the HierarchyID property is blank, then a user with no roles will not see any hierarchy, as below.
Please note: the application has a DefaultViewId which is set to the view called Dashboard. That view will open every time the application is started regardless of any role assigned.
A better option may be to update the AllowStartupForUserAssignedNoRoles property. We can set this to False. We can then also update two other properties to provide relevant information to the user:
MessageCaptionForUserAssignedNoRoles – Set to “No Role Assigned”
MessageTextForUserAssignedNoRoles – Set to “You must have a Role assigned to start this application. Please see your Administrator for more information.”
Now when a user attempts to open this application it will not start, and they will be presented with the following message:
Could there be separate Planner and Reviewer Applications, with User/Roles assigned to each?
Yes, if you would rather have totally separate Applications for Planners and Reviewers you could create them in the Application metadata editor and assign specific hierarchies to each. In this case, you can specify role for startup using the RolesRequiredForStartup property.
We can create a Planner application, and you can assign one Hierarchy (Plan) for all instances of the application with the Default HierarchyID:
Restrict Views and Categories within One Hierarchy using Roles
You and also use Roles to control specific Views and Categories within one defined Hierarchy. In this case all users are using the same Hierarchy, but some Views or Categories of Views could be assigned for specific roles. This is handled in the View Hierarchies metadata editor:
For a specific View or Category, you can set the AccessFilter property:
The options are:
- None (the default)
- AnyRole – any user with any role
- AnySpecificRole – Users with a specific role, or a specific user
- AllSpecificRoles – Users with all the roles
Once the FilterAccess property is set, for example set to AnySpecifcRole, you can then set the AccessFilter_SpecificRoles property. When you click on the ellipsis at the far right of this property, Dodeca will first check if there is more than one Smartclient application using roles, and if there is more than one, you will be asked to select which Application this will apply to. In our example, we have a USER application, and a PLANNER application, so we are presented with the following:
In this case, I choose USER, and then I get the following dialogue to select the roles or specific users:
I can make multiple selections, one per line:
Testing specific Users
Dodeca makes it easy to test specific users and their roles. See the Application property in the Security section: AllowUserArgument.
We can set this to true and then pass a User argument within the ClickOnce URL. For testing the users in the USER application example I am using the following URLs to start the Dodeca application:
You can see that in these URLs, the tenant (t=….) is OUTLOOK, the application (a=…) is USER and the user arguments (u=…) are dwyera and knopel respectively, for our two test users – Andy Dwyer and Leslie Knope. This is how they appear in the User Manager:
As you can see, there is much power flexibility within Dodeca to use Roles to define the exact application for your specific needs. Users can be assigned the proper roles, Applications can be tailored, and even access to specific Views can be managed the way you want them.
This power and flexibility is why we call Dodeca the Finance Accelerator!