
Application Rights Configuration

Application rights set via Rights Management are now enforced at runtime. This means that editing actions on filter boxes are now governed not only by the rights assigned to the target entity (item), but also by the rights configured on the application itself.

Note! An application does not grant user access to any of the entities (items) within the application. They remain protected by the rights management system. This means that even when the user has editing rights on the application, the user also needs editing rights on the target entity (item) in order to make changes.

System Setting Required

To avoid unintended impact for customers already in production, this behavior is controlled via a system setting and must be explicitly enabled. We have enabled it as the default.

Setting key: verso.runtime.apply.rights → set to true

Configuration Guidelines

Please follow these steps to ensure correct behavior:

  • Editing users — Remove any user intended to have edit access from the Read Only group and add them to an object group with the appropriate rights on the relevant object. Ensure rights are applied at the correct level (e.g., if a user needs to edit an association in the model, rights must be set at that level). 

The Read Only Group

This group is intended for users who should never be able to make changes in the system. It is not intended to constitute a baseline for all users. Users who should be able to make changes should be removed from this group and optionally be placed in another group.

The Read Only Users Rule

This rule targets users in the Read Only Group, and it affects all objects in the system, not just applications and tools*.

This rule should reside in Initial rules or Final rules, never in Normal rules.

Placing it in Final rules will ensure that no matter what other rules say, Read Only users will never be able to make changes to any object in the system. This is the recommended strategy.

Placing it in Initial rules will allow Normal rules to override the Read Only behavior and thereby potentially cause security issues.
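
A simplified model of why the placement matters, added here as an illustration and not the product's rule engine. It assumes rules are applied in the order Initial, Normal, Final, that a later rule overrides an earlier one for each permission it sets, and that untouched permissions keep their earlier value; the group names Model Editors and Model are constructed.

```python
"""Simplified model of staged rights rules (illustrative, not the product's engine)."""
from dataclasses import dataclass

STAGES = ("initial", "normal", "final")  # assumed evaluation order: later stage wins

@dataclass(frozen=True)
class Rule:
    stage: str          # "initial", "normal" or "final"
    user_group: str
    target_group: str   # "*" matches every object
    perms: tuple        # (permission, bool) pairs; permissions not listed stay untouched

def effective(rules, user_groups, object_groups):
    """Apply matching rules stage by stage; a set box overrides earlier stages."""
    result = {"read": False, "edit": False}  # assumption: nothing granted until a rule says so
    for stage in STAGES:
        for rule in rules:
            if rule.stage != stage or rule.user_group not in user_groups:
                continue
            if rule.target_group != "*" and rule.target_group not in object_groups:
                continue
            result.update(dict(rule.perms))
    return result

def can_edit(rules, user_groups, app_groups, entity_groups):
    """Runtime check from the page: edit needs rights on the application AND the entity."""
    app = effective(rules, user_groups, app_groups)
    entity = effective(rules, user_groups, entity_groups)
    return app["edit"] and entity["edit"]

def read_only_outcome(read_only_stage):
    """Constructed case: a user who is in Read Only and also in an editing group."""
    rules = [
        Rule("normal", "Model Editors", "*", (("read", True), ("edit", True))),
        Rule(read_only_stage, "Read Only", "*", (("edit", False),)),
    ]
    user_groups = {"All Users", "Read Only", "Model Editors"}
    return can_edit(rules, user_groups, {"Public Applications"}, {"Model"})

if __name__ == "__main__":
    print("Read Only rule in Final rules   ->", read_only_outcome("final"))
    print("Read Only rule in Initial rules ->", read_only_outcome("initial"))
```
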

Scenario 1

By default, all applications are forbidden for all users.

Some applications are to be public, and everyone should be able to run them in read-only mode.

Steps…

1. Create an Initial Rule with User Group = All Users and Target Type = Application.

Disable all permissions (empty boxes with no black square).
Give it a proper description.

2. Create an Object Group called Public Applications.

Add the applications you want to make public to the group.

3. Create a Final Rule with User Group = All Users and Group = Public Applications.

Enable the Read permission, leave the other boxes untouched (with a black square).
Give it a proper description.

Scenario 2

By default, all users are allowed to run all applications.

Some applications are to be restricted, and not everyone should be able to run them.

Steps…

1. Create an Object Group called Restricted Applications.

Add the applications you want to restrict to the group.

2. Create an Initial Rule with User Group = All Users and Group = Restricted Applications.

Disable all permissions (empty boxes with no black square).

3. Create a User Group called Restricted Application Users.

Add the selected users to the group.

4. Create a Normal Rule with User Group = Restricted Application Users and Group = Restricted Applications.

Enable the Read permission, leave the other boxes untouched (with a black square).
Give it a proper description.

Optional steps…

5. Create a User Group called Restricted Application Editors.

Set the Parent Group to Restricted Application Users.
Add users with editing rights to the group.

6. Create a Normal Rule with User Group = Restricted Application Editors and Group = Restricted Applications.

Enable all permissions.
Give it a proper description.