Attached form permissions & security
This document describes the security configurations and permissions related to the use of forms in processes in beqom Web Application.
Permissions Related to the Use of Forms
In the context of forms in the beqom application, there are two different concepts:
Form building: this task is usually performed by the system administrator, in the (Undefined variable: CompoVariables_WA.Forms) of the beqom Web Application. It consists in defining the properties of the form, including its blocks, as well as assigning it to a process.
Form consumption: this is the end-user aspect of the use of forms in the beqom application. Forms are consumed in process grids, in the (Undefined variable: CompoVariables_WA.Process) of the beqom Web Application.
In both cases, specific permissions are required to grant proper access to the relevant users.
Granting Access to the (Undefined variable: CompoVariables_WA.Forms)
To grant a profile access to the (Undefined variable: CompoVariables_WA.Forms) of the beqom Web Application and define specific permissions, proceed as follows:
- Open the beqom Admin Portal application.
- Navigate to ADMIN > Functional Admin > Profiles. A grid containing all the profiles currently defined in the system is displayed.
- Select the profile that you want to configure by clicking the corresponding row in the grid. A secondary panel is opened below the grid.
- In the secondary panel, open the "Data" tab.
- In the "Modules Tree" section of the tab, select Administration > Form Editor.
- In the Assign Rights section, select the permissions that you want to grant to profile:
- Read: this is the basic permission. This permission enables the profile to see the (Undefined variable: CompoVariables_WA.Forms) in the navigation bar of the beqom Web Application
- Create: enables the profile to create forms
- Delete: enables the profile to delete forms
- Modify: enables the profile to edit existing forms
- Click the
icon located in the lower-left corner of the profile configuration panel. A confirmation message is displayed. - Click Yes. The profile permissions are saved.
Granting a Profile Permission to Attach a Form to a Process
In addition to permissions related to the (Undefined variable: CompoVariables_WA.Forms), the user must be defined as an administrator in order to be able to attach a form to a process.
To define a user as an administrator, proceed as follows:
- Open the beqom Admin Portal application.
- Navigate to ADMIN > Functional Admin > Users. A grid containing all the users currently defined in the system is displayed.
- Select the user that you want to configure by clicking the corresponding row in the grid. If required, you can search for the user using the search fields provided in the grid header. A secondary panel is opened below the grid.
- In the "Properties" tab of the user configuration panel, check the Set as administrator.
- Click the save icon located in the lower-left corner of the panel. A confirmation message is displayed.
- Click Yes. The changes are saved in the system.
Configuring Form Permissions
Permissions need to be defined in order for end-users to be able to access an attached form from the (Undefined variable: CompoVariables_WA.Process) of the beqom application. If no such permission is defined, then the form is only accessible from the (Undefined variable: CompoVariables_WA.Process) by its owner.
Three different permissions can be granted to profiles (or users):
- View: the form is visible, but the users cannot edit it
- Manage: the form is visible and can be edited from the (Undefined variable: CompoVariables_WA.Process)
- Design: the user(s) can configure the form in the (Undefined variable: CompoVariables_WA.Forms). This permission is only relevant for users who are not the owner of the form.
These permissions have to be set by adding the following information in the bqm_object_access table:
| Parameter | Description |
|---|---|
| uid_tenant | ID of the beqom tenant (can be found in app_tenantinfo) |
| uid_object | ID of the form object (stored in bqm_object table) |
| uid_user | ID of the user (can be "null" value) |
| uid_profile | ID of the profile |
| uid_object_access_role |
ID of the permission:
|
| date_begin | A start date can be set for permission purposes (can be "null" value) |
| date_end | An end date can be set for permission purposes (can be "null" value) |
The following table details the permissions granted by each role
| Permission | Role | ||
|---|---|---|---|
| View | Manage | Design | |
| Read | Yes | Yes | No |
| Edit | No | Yes | No |
| Validate | - | - | No |
| Invalidate | - | - | No |
Configuring Form Permissions Using APIs
To manage the permissions related to a form using beqom APIs, proceed as follows:
Obtaining the ID of the Form
To obtain the ID of the form, run the following API method:
| Service | Action | Endpoint | Description | Body Sample |
|---|---|---|---|---|
| Object | GET | api/forms |
You can filter out by form status:
|
Copy |
In the execution result, copy the id value.
Creating Permissions for the form
To create the permissions related to the form, run the following API method:
| Service | Action | Endpoint | Description | Body Sample |
|---|---|---|---|---|
| Object | POST | /api/objects/{id}/access |
Where {id} is the ID of the form that you retrieved in the previous step Parameters:
|
Copy |
Deleting the Permissions Related to a Form
To delete the permissions related to a form, run the following API method:
| Service | Action | Endpoint | Description |
|---|---|---|---|
| Object | DELETE | /api/objects/{id}/access | Where {id} is the ID of the form |
Form Access Override
The three roles that can be assigned to a profile in relation to a form (View, Manage, Design) come with a set of permissions. However, they don't offer the possibility to define a complex logic based on a hierarchy. To be able to use a finer lever of granularity for form permissions, a second level access configuration is available.
This second level, which is defined using a stored procedure, enables you to define specific permissions for payees (by opposition to profile/user for the standard roles), based on the idStep parameter, which contains information related to both payee and process. When such permissions are defined, they override the permissions granted by the profile role.
The following table details the permissions that can be denied using the access override feature:
Read
Edit
Validate
Invalidate
By default, the Read and Edit permissions are not defined and therefore, the permissions granted by the role are applied.
Defining Additional Form Permissions
To use the form access override feature, you need to run a stored procedure that will specify the permission that you want to grant/deny to the relevant payee.
Below is an empty sample of the stored procedure to run:
CREATEPROC [dbo].[Kernel_SP_Object_AccessOverride]
@uidObject UNIQUEIDENTIFIER,
@uidProfile UNIQUEIDENTIFIER,
@uidUser UNIQUEIDENTIFIER,
@idStepint,
@idTreeint,
@idTreeSecurityint
AS
Declare@DenyReadbit=0;
Declare@DenyEditbit=0;
Declare@DenyValidatebit=1;
Declare@DenyInvalidatebit=1;
--Custom Logic
select@DenyReadas DenyRead, @DenyEditas DenyEdit, @DenyValidateas DenyValidate,@DenyInvalidate DenyInvalidate
The following table indicates where to retrieve the parameters of the stored procedure:
| Parameter | Location |
|---|---|
| uidObject | Method parameter |
| uidProfile | Session |
| uidUser | Session |
| idStep | Process token |
| idTree | Process token |
| idTreeSecurity | Process token |
Viewing the Permissions Of a form
It is possible to view the permissions define for a form using the access override stored procedure using the following API method:
| Service | Action | Endpoint | Description | Output Sample |
|---|---|---|---|---|
| Object | GET | /api/forms/{id} |
Where {id} is the ID of the form This method retrieves the form metadata, including its permissions, in the access section of the output |
Copy |