Skip to main content

Setting up a secure environment

In this guide, we will show you how to combine two powerful authorization mechanisms:

  • Data-driven security
  • Role-based access control

Both play a crucial role in the security process of Dime.Scheduler. Before we dive in, let's recap what these two concepts entail:

  • The data-driven security rules define what data the users get to see.
  • The role-based access control rules define which actions the users can execute.

In this tutorial, we will touch on quite a few aspects. To see the role-based access control mechanism in action, we need to create roles and assign user actions to them, and assign these roles to users and user groups. For the data-driven authorization, we have to obtain a data set that includes (resource and task) filter values, categories and time markers.

Both mechanisms can be set up independently from the others because there is no direct link between the two of them. However, when they are both used, it can be immensely powerful. This is also how this tutorial is structured: we will cover each topic independently.

Setting up the roles

Of the two, this is probably the easiest concept to understand and to set up. Two key notions are "Roles" and "User Actions". A role is nothing more than a collection of user actions which can be assigned to users and user groups. A user action describes a protected activity in Dime.Scheduler. For example, to create an appointment, you need to have access to the "Create appointment" user action. Finally, you can create as many roles as you want and assign just as many roles to the users and groups. Even if you don't have access to the "Create appointment" user action in the "Read-only" role, you may have another role which does have this user action.

That's enough talking for now, let's do some actual work!

Roles administration

Let's create two roles with the following user actions:

  • Limited planner
    • Drag and drop
    • Drag and drop appointment
    • Edit
    • New
    • Details
    • Scheduler module
  • Read-only
    • Scheduler module

Splendid, now it is just a matter of assigning these roles to two new users. Go to the user administration view:

Roles administration

Create two new Forms users:

New users

Tip: you can use a fake or temporary mail service like https://getnada.com

Select the read-only planner and assign the newly created "Read-only" role:

Assign role

Select the limited planner and assign the newly created "Limited planner" role:

Assign role

Let's see what the results are. If you had already logged in, it's best that you log out and log in again. For example, the limited planner has access to a few buttons in the planning board's context menu:

Verify roles

The read-only planner doesn't even have access to this context menu!

If this role would be too restrictive, there are two solutions:

  • Expand the scope of the role by adding user actions.
  • Assign one or more roles to the user (or group(s)).

At this point, you'll notice that both users can see the same data. The role-based access control has no influence on this, it is only concerned with the protected actions in Dime.Scheduler.

Setting up the data-driven security roles

Now that we've protected what the users can do with the data, let's proceed with the matter of which data the users can manipulate. This is the realm of data-driven security, where filter values, categories and time markers from resources and tasks are matched to those of the users and user groups.

In this section, we will assume that the filter values, categories and time markers have already been set up.

The data-driven security mechanism is all about matching and comparing data between users and entities like resources and tasks. In this tutorial, we will focus on resources. Remember that this also applies for tasks.

To visualize the concept of matching data, we'll highlight the matches in different colors.

User-driven security rules

While we are still in the user administration setup, let's assign some filter values, categories and time markers. In this environment, there are two filter groups with each two filter values. We've assigned two entirely different filter values for the users:

Assign role

There is no overlap between filter values. We could do the same for categories and time markers:

Assign role

If you refresh the planning view for both users, you'd already notice that some data has been blocked:

Locked appointment

The limited planner can still create appointments, but he now has only a limited choice of categories:

Locked appointment

The data-driven security mechanism is already working like a charm, but let's take it one step further with the resource filter values.

Resource-driven security rules

Let's secure two resources that have the same filter values as the user. To do this, head to the resource settings view.

Resources

Select two random resources and assign the filter values:

Assign role

If you refresh the planning board, you'll see the changes immediately:

Assign role

Both users get a different data set: resources are filtered by the user's filter values.

Summary

Role-based access control is a fairly standard practice in many software products. However, Dime.Scheduler takes it one step beyond by allowing administrators to define their own roles instead of having to use the static and predefined user roles. In fact, a user role has little meaning by itself: it is what the administrators make of it. They define what a role looks like, not the people at Dime. Even though role-based access control can be configured in the application, it is fairly static because security requirements don't change that often. Usually it is set up once at the beginning and remains untouched for a long time.

Data-driven security on the other hand can be applied very dynamically. It is perfect for defining requirements on tasks, resources and the planners. You can use it to divide the tasks and resources by region, skill, customer, etc. It is powerful and it flows throughout the entire application: users can only see what the data-driven security mechanism allows you to see.

In this example, we narrowed down the planning capabilities of two users to a very specific set. Read-only planners are only allowed to see a filtered data set (because of the assigned filter values and categories) and can't modify anything. Limited planners on the other hand, can do more things but only to a certain extent: the tasks and resources that match the filter values and categories limit the range of the planner's power.

This is only a very rudimentary example, in real life this can escalate quickly once the customer understands the true power behind these simple concepts. Just as resources and tasks can be anything, categories, time markers and filter values can be used for anything to divide the resources and tasks.

Read more