Permission Management

The permissions view (Main Menu / Admin / Permissions) lists all permissions and provides management capabilities for them. A related concept is multi tenancy, which allows you to separate assets of multiple sub-organizations on one Txture instance.

Overview

There are two different categories of permissions:
Asset permissions allow/restict user or role access to components of the Structure, such as asset types, aspects and properties. Features permissions allow/restict user or role access to specific features in Txture such as the Transformation Cockpit, surveys, reports or specific admin features.

• Learn more about Asset permissions
• Learn more about Feature permissions

Permission Rules

Permission management in Txture is based on Permission Rules:

As shown in the image above, a permission rule consists of:

• A Subject. It determines to whom the rule applies. The subject is the receiver of a permission.
• An Action. It determines if the rule grants additional rights (and which ones), or revokes them.
• A Resource. This indicates the affected elements in Txture. Another term for resource is Protection Target.

The permission rule in the figure above should be read as:

Grant the role "All users" read/write access to all Application assets.

Subjects

The permissions view lists all your permission rules, grouped by Subject. A permission subject is the receiver of the permission. It can be any of the following:

• A User Account
• A User Role
• Any Subject (every request, useful for baselines)

Permission Actions

The Action in a permission rule determines what happens if the subject performs a request on the resource. The Resource is the "protection target" of a rule.

As mentioned above, there are two different kinds of permissions:

• Asset permissions are used to allow or restrict access to asset types, aspects or properties.
• Feature permissions control which features within Txture are available to the subject.

Asset Permissions

The following Actions can be selected for asset permissions:

• Grant Read: Grants read access to the resource.
• Grant Read/Write: Grants read-write access to the resource.
• Grant Read/Write/Create/Delete: Grants read-write access, and allows deleting and creating instances of the resource.
• Deny access: Denies and revokes any previously granted access permissions of the subject on the resource.

The assets the permission is applied to is defined by the Asset resource:

• Aspect: An Aspect in your Structure
• Asset Type: An Asset Type in your Structure
• Property: A Property in your Structure
• Any Resource: No restriction, applies to everything.

Please note that permissions for links are derived from the permissions for asset types. Users can only see/read links to other assets if they have permission to read/see the assets at both ends of the link. Similarly, creating links is only possible if write permissions to both ends of the intended link are available.

If one grants permissions on single properties of an asset type, some basic properties such as the name, last modified dates and the like are accessible as well. This is to avoid cumbersome situations in which reports would only contain property values, but no indication as to which asset they belong to.

Granting permissions on an asset type automatically also includes any properties attached to the specified asset. Note that if a property is also used on another asset type, read access to the property on the other asset type is not automatically granted.

When granting permissions via API Tokens on reports, make sure that the permissions of the token also include any properties used in the query of the report.

Note

All members of the default admin role can see the entire structure, regardless of other asset permission configurations.

Feature Permissions

In addition to asset permissions, feature permissions are used to grant or deny access to certain features/views.

The following permissions can be used to model special access requirements. E.g. Only allow entering asset data via surveys without granting access to the repository or reporting.

• Txture Frontend: Manage (accessible) assets in the repository, reports etc.
• Transformation Cockpit: Grants access to the Transformation Cockpit
• Survey: Participate in Surveys

Administrative feature permissions allow specific users to manage certain aspects of Txture, without having access to all of them.

• Admin: Moderate Content: The content admin permission can be granted to users to moderate the content. It allows to modify all Assets, Links, Comments, Reports and Dashboards. Please note that this permission allows the subject to see and modify content which other users have declared as private.
• Admin: System Configuration: View and modify server configuration in System Configuration
• Admin: Data Management: Manage Importers, Data Sources, Consolidations, and Task Scheduling.
• Admin: Propagation Rules: Manage Propagation Rules.
• Admin: External Actions: Manage External Actions.
• Admin: Notification Rules: Manage Notification Rules.
• Admin: Structure Editor: Use the Structure Editor to customize your structure.
• Admin: Styling: Manage global Node Style Rules.
• Admin: Surveys: Manage Surveys.
• Admin: User Management: Manage users and their permissions.

License permissions restrict or enable certain users to influence a Txture license pricing parameter.

• Transformation Cockpit License Assign: Manage Application Activation for the Transformation Cockpit

Note

• User Importers are managed by the Admin: Data Management permission.
• All members of the default admin role have all administrative permissions.

Permission Groups

Rule Precedence

An important key concept in the permissions view is that a rule further down in the list will take precedence over the rules further up in the list. This is true for the groups, as well as for the individual entries within each group.

It is possible to add new permission rules for a user, a role, or any subject to execute specific rights on specific resources. Keep in mind that the permission system calculates the actual permissions by going through to individual rules from top to bottom. This means that it can be both used additively and subtractively:

• Additively: Adding two permissions on specific asset types or aspects subsequently results in the user having permissions on both of the selected types. In the example below this means, user in Group A have all rights on any assets in the aspect Business or Business Process, but no other parts of the Structure.

• Subtractively: As opposed to additively adding specific resources, one can add access to all aspects or asset types at first and then subsequently remove parts of it. In the following example, Group B can access anything, but the assets in aspect Business.

Note

Permissions granted by the default admin role cannot be denied/revoked.

Managing Permissions

You can add a new permission group by clicking on the Add Permission button on the bottom of the list of all your permissions. Likewise, you can add a new rule inside a group. Editing a line is done by selecting the desired options from the dropdown menus.

Please note that you can click and drag permission rules and permission groups by grabbing their icon and dragging them into place. This can be used to reorder permissions. Deleted permission groups (using their respective button) will not disappear right away, but will appear grayed-out; new or modified permissions will appear with a green background. Clicking on the Save button will save all your changes at once.