Controlling Access in Loftware Enterprise SP

A permission is the potential for a user to be able to perform an action. A permission can be granted or denied. Permissions can be granted or denied directly, or they can be inherited.

In Loftware Enterprise SP, permissions are specific to the type of object. For example, instead of a generic Create permission, there is a separate Create permission for each type of object, such as Create permission for Folders, Create permission for Users, Create permission for Documents, and Create permission for Data Services. A user may be granted Create permission for Documents, but denied Create permission for Integrations.

There are two categories of permissions in Loftware Enterprise SP, and to perform an action on an object a user must have both categories of the permission to perform that action. Role-based permissions Permissions that are assigned to a role and inherited by users who are members of a group to which that role is assigned or by users to whom the role is directly assigned. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object. grant or deny a user the potential to perform actions on types of objects. Object access permissions Permissions in Loftware associated with a specific object or with a folder that control what actions can be performed on that object or on objects within that folder. Each object has default permissions that can be overridden by exceptions for a specific group or user. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object. grant or deny a user the potential to perform actions on a particular object or on all objects within a particular folder.

A user can perform an action on an object only if that user has role-based permission to perform the action on that type of object and has object access permission to perform the action on that particular object or on all objects in the folder containing the object. An exception is List permission for Folders, which cannot be explicitly granted as a role-based permission.

Tip: If you have a small organization and do not want to limit access for any users, you can assign all users the LOCAL_ADMIN A Loftware role with most administrator permissions as well as all of the permissions for a DOCUMENT_DESIGNER and a DOCUMENT_PRINTER. By default, all pages are displayed to users with this role. role and grant all object access permissions for all types of objects to the root folder.

Although permissions can sometimes be granted or denied directly, often they are inherited. A user may inherit the role-based permissions and object access permissions of any group in which that user has membership. Objects may inherit the permissions of the folder in which they are contained, and each folder may inherit permissions from the folder in which it is contained.

Note: Any object access permission for the root folder in Loftware Enterprise SP that is configured as Inherited (a clear check box ) is denied.

Additionally, a device inherits object access permissions and role-based permissions from the device group that is its parent. It is recommended that you configure permissions at the level of a device group rather than at the level of a device.

The object access permissions that a user receives for a specific object can be directly assigned to that user, inherited from a group in which the user has membership, inherited from the Default Permissions for the object, or inherited from a folder.

The role-based permissions that a user receives for a type of object can be inherited from a group to which the role was assigned or inherited from a role. These permissions cannot be directly assigned to a user.

When a user attempts to perform an action on an object, Loftware Enterprise SP evaluates the permissions available for that user in order. Loftware Enterprise SP begins by evaluating any object access permissions explicitly configured for the user or any group in which the user has membership. If no explicit value is found for the permission, Loftware Enterprise SP also evaluates the Default Permissions available for all users. If object access permission is granted, then Loftware Enterprise SP evaluates the role-based permission available to the user. If role-based permission for the action is also granted, then the user can perform the action.

The following flowchart describes the order in which Loftware Enterprise SP searches for a permission and the circumstances under which it stops searching for permission.

Object access permissions assigned to a folder are inherited by all objects of the appropriate type within that folder. For ease of maintenance, it is recommended that you assign permissions to folders instead of assigning permissions to individual objects within folders. Also, some object access permissions, such as those for Jobs and User Profiles, can only be configured at the folder level.

Tip: To view the contents of a folder, including its subfolders, you must have List permission granted for the folder. If List permission is denied for a parent folder, then you cannot view the contents of that folder, including any of its subfolders.

Roles are used to define functions or business responsibilities. For example, you may have a role for any user acting as a Designer Person who creates and designs label templates, forms, and applications for use by Data Providers. and another role for a user acting as a Data Provider Person or process that enters data into a form or other data entry view for a label that was configured by a Designer. A user acting as a Data Provider requires the DOCUMENT_PRINTER role or equivalent permissions.. By using a role, you can assign a re-usable and centrally-configurable collection of permissions to users and groups.

A user must have a role to be able to perform actions in Loftware Enterprise SP. Although it is possible to assign a role directly to a user, it is recommended that you assign roles to groups and then assign users to each group (or assign groups to each user). Each user inherits the role-based permissions of any group in which the user is a member.

Tip: If you have a small organization and do not want to limit access for any users, you can assign all users the LOCAL_ADMIN A Loftware role with most administrator permissions as well as all of the permissions for a DOCUMENT_DESIGNER and a DOCUMENT_PRINTER. By default, all pages are displayed to users with this role. role and grant all object access permissions for all types of objects to the root folder.

For a group, the Roles dialog box The role(s) assigned to the user or group. To display, in the ribbon click Home > Role. For a user, roles inherited from a group membership are not displayed. displays each role assigned to the group and the Users dialog box The user(s) assigned to the group or role. To display, in the ribbon click Home > User. displays users who are members of that group and therefore inherit those roles. However, for a user the Groups dialog box The group(s) assigned to the user or role. To display, in the ribbon click Home > Group. displays the group in which the user has membership, but the Roles dialog box does not display roles that are assigned to the user due to group membership. The Roles dialog box for the user displays only roles that are directly assigned to the user, not those that are inherited.

When you create a folder within a folder and configure an object access permission of the child folder as inherited, the child folder inherits that permission from the parent folder. However, the Default Permissions panel of the child folder indicates only that the permission is Inherited , not what the inherited value of the permission is.

Note: Any object access permission for the root folder in Loftware Enterprise SP that is configured as Inherited is denied.