Clear all

access control for child roles on non-menu-based features


Topic starter

Our HelpDesk role is based on another role, e.g. HelpDeskParent. The HelpDesk menus are limited via the UiMetaModel/EntRoleTypeInclusion. But the audit trail view seems to be visible for HelpDesk based on the HelpDeskParent's permissions alone. In the case of an audit trail view, that's fine/desired. But are there other features that behave similarly to the audit trail view and its corresponding button in the UI -- i.e. things that aren't restricted for child roles via UiMetaModel/EntRoleTypeInclusion? OR -- is there a way to restrict views or other non-menu-controlled features for the child role? (I'm starting to wonder whether our HelpDesk role should become a peer to HelpDeskParent at some point in our future development...)


Thank you in advance!

1 Answer

Generally speaking, with the exception of the UI Meta Model, role inheritance is fundamentally *additive*.  So when I create Role "Child" that is a sub type of Role "Parent", then Role "Child" will get all the permissions of "Parent", plus you can assign more.  But with the exception of the UI Meta Model (i.e. menu items), you can't *remove* permissions from "Child" which are present in "Parent".  So if your HelpDeskParent role has *more* permissions than you want to grant to HelpDesk, then you are probably going in the wrong direction.


Part of the reason we used additive permissions is the fact that we allow multiple inheritance of roles.  You can create a role which inherits from several other roles, and it will get the Union of permissions across all those roles.  If we were to allow removals, this would become a spaghetti-like web of adds & removes which wouldn't be comprehensible, but the simple additive rule (union) is easy to understand.


You could consider going another way ... for example, if you want a HelpDesk role, and another role that does what HelpDesk does plus more, then you could have that second role be "based on" HelpDesk, and then you can add more permissions to the second role.  Or you could have both HelpDesk and the second role inherit from a common ancestor which contains the permissions you always want both to have, and then each one adds any remaining permissions they require.


With all that being said, there is one exception that does allow removals - that is Enterprise Role Types.  The key difference between Enterprise Role Types and regular role types, is that Enterprise Role Types sit at the "top" of the stack of inheritance - no-one can extend an Enterprise Role Type (not even another Enterprise Role Type).  That is why in the Enterprise Role Type UI, we allow both adds/removes both for menus/actions/etc.  So that's a final option you could consider, e.g. have your HelpDeskParent role, and then create an Enterprise Role Type which removes perm from HelpDeskParent to produce HelpDesk. 


@gmerrill Thank you, Greg!

© 2020 One Network Enterprises. All rights reserved. Privacy Policy