
Setting up a secure environment

This guide walks you through locking down a Dime.Scheduler environment by combining two authorization mechanisms:

  • Data-driven security
  • Role-based access control

Each controls a different side of access:

  • Data-driven security rules define what data users get to see.
  • Role-based access control rules define which actions users can execute.

To set up role-based access control, you create roles, assign user actions to them, and assign those roles to users and user groups. To set up data-driven authorization, you work with a data set that includes (resource and task) filter values, categories and time markers.

There is no direct link between the two mechanisms, so you can set up each one independently. Used together, though, they are far more powerful than either alone. This guide covers each topic on its own.

Setting up the roles

This is the easier of the two concepts to understand and set up. It rests on two notions: "Roles" and "User Actions".

A role is a collection of user actions that you assign to users and user groups. A user action describes a protected activity in Dime.Scheduler. For example, to create an appointment, a user needs access to the "Create appointment" user action. You can create as many roles as you want and assign as many roles as you want to users and groups. A user can lack the "Create appointment" user action in the "Read-only" role but still have it through another role.

Now let's set this up.

Roles administration

Create two roles with the following user actions:

  • Limited planner
    • Drag and drop
    • Drag and drop appointment
    • Edit
    • New
    • Details
    • Scheduler module
  • Read-only
    • Scheduler module

Next, assign these roles to two new users. Go to the user administration view:

Roles administration

Create two new Forms users:

New users

Tip: you can use a fake or temporary mail service like getnada.com.

Select the read-only planner and assign the newly created "Read-only" role:

Assign role

Select the limited planner and assign the newly created "Limited planner" role:

Assign role

Now check the results. If you were already logged in, log out and log in again. The limited planner has access to a few buttons in the planning board's context menu:

Verify roles

The read-only planner doesn't even have access to this context menu.

If a role is too restrictive, you have two options:

  • Expand the scope of the role by adding user actions.
  • Assign one or more additional roles to the user (or to the user's groups).

At this point, both users still see the same data. Role-based access control has no influence on that: it governs only the protected actions in Dime.Scheduler.
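Because roles are additive (a user action missing from one role can still be granted through another), it is worth auditing each user's effective user actions rather than trusting a role name. The sketch below is an added example, not Dime.Scheduler code or API: the role contents come from this guide, while the user names, the group, the `WRITE_ACTIONS` set and the assumption that group roles combine with direct roles in the same additive way are constructed for illustration.

```python
# Added example: models the additive role semantics described in this guide.
# Role contents come from the guide; users, groups and WRITE_ACTIONS are constructed.

ROLES = {
    "Limited planner": {"Drag and drop", "Drag and drop appointment", "Edit",
                        "New", "Details", "Scheduler module"},
    "Read-only": {"Scheduler module"},
}

# Assumption: which user actions count as modifying data, for audit purposes.
WRITE_ACTIONS = {"Drag and drop", "Drag and drop appointment", "Edit", "New"}

# Constructed sample assignments (direct roles, group roles, memberships).
USER_ROLES = {"readonly.planner": ["Read-only"],
              "limited.planner": ["Limited planner"],
              "auditor": ["Read-only"]}
GROUP_ROLES = {"Dispatch": ["Limited planner"]}
USER_GROUPS = {"auditor": ["Dispatch"]}


def effective_actions(user):
    """Union of user actions over the user's own roles and their groups' roles."""
    role_names = list(USER_ROLES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        role_names.extend(GROUP_ROLES.get(group, []))
    actions = set()
    for name in role_names:
        if name not in ROLES:
            raise KeyError(f"assignment references unknown role: {name!r}")
        actions |= ROLES[name]
    return actions


def read_only_violations():
    """Users directly assigned 'Read-only' who still hold a write action."""
    findings = {}
    for user, roles in USER_ROLES.items():
        if "Read-only" in roles:
            extra = effective_actions(user) & WRITE_ACTIONS
            if extra:
                findings[user] = sorted(extra)
    return findings


if __name__ == "__main__":
    for user, extra in read_only_violations().items():
        print(f"{user}: Read-only assigned, but can also: {', '.join(extra)}")
```

Here the constructed `auditor` account is flagged: its direct role is "Read-only", yet membership of a group holding "Limited planner" gives it every write action in that role.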

Setting up the data-driven security roles

Now that you've controlled what users can do, turn to which data they can manipulate. This is the realm of data-driven security, where filter values, categories and time markers from resources and tasks are matched against those of the users and user groups.

This section assumes the filter values, categories and time markers are already set up.

Data-driven security is all about matching and comparing data between users and entities like resources and tasks. This guide focuses on resources, but the same approach applies to tasks.

To make the matches easy to spot, we highlight them in different colors.

User-driven security rules

While you're still in the user administration setup, assign some filter values, categories and time markers. This environment has two filter groups, each with two filter values. Assign two entirely different filter values to the users:

Assign role

There is no overlap between the filter values. Do the same for categories and time markers:

Assign role

Refresh the planning view for both users, and you'll notice that some data is already blocked:

Locked appointment

The limited planner can still create appointments, but now has only a limited choice of categories:

Locked appointment

Data-driven security is already doing its job. Now take it one step further with resource filter values.

Resource-driven security rules

Secure two resources that share the same filter values as the user. Head to the resource settings view.

Resources

Select two random resources and assign the filter values:

Assign role

Refresh the planning board, and you'll see the changes immediately:

Assign role

Both users get a different data set: resources are filtered by the user's filter values.

Summary

Role-based access control is standard practice in many software products. Dime.Scheduler goes a step further by letting administrators define their own roles instead of relying on static, predefined ones. A role has little meaning on its own: administrators decide what it contains, not the people at Dime. Role-based access control is configured in the application, but it tends to stay static because security requirements rarely change. Usually you set it up once at the start and leave it untouched for a long time.

Data-driven security, on the other hand, can be applied very dynamically. It's ideal for defining requirements on tasks, resources and planners. Use it to divide tasks and resources by region, skill, customer and more. It's powerful and it flows throughout the entire application: users can only see what data-driven security allows them to see.

In this example, you narrowed the planning capabilities of two users to a very specific set. Read-only planners can only see a filtered data set (thanks to the assigned filter values and categories) and can't modify anything. Limited planners can do more, but only up to a point: they can act only on the tasks and resources that match their filter values and categories.

This is a deliberately simple example. In practice, it grows quickly once a customer grasps the power behind these concepts. Just as resources and tasks can be anything, categories, time markers and filter values can be used to divide them along any dimension you need.
