Security rules example: Creating QMC organizational admin roles
In this example, you organize the administration of access rights for your departments by doing the following:
- Creating an administrator for each department
- Providing each administrator with full access rights to content created by users belonging to that department
To create the organizational admin roles, you create new security rules and use custom properties to connect the roles to the apps.
Security rule | The result of the rule |
---|---|
DepartmentAdminQmcSections | Controls which sections in the QMC that are to be visible to the administrator. |
DepartmentAdminApp | Controls which resources the administrator is authorized to manage. |
Procedure
Do the following:
- Create a new custom property:
  - Name the property Department.
  - Under Resource types, select Apps, Reload tasks, and Users.
  - Click Create new and enter the value Finance.
  - Click outside the Values area.
  - Click Create new and enter the value Sales.
  - Click Apply.
- Create the new security rules (DepartmentAdminQmcSections and DepartmentAdminApp):
  - Select Security rules and click Create new.
  - In the Advanced and Basic sections, fill in the fields Resource filter, Conditions, Actions and Context as given under Security rule code.
- Apply the role to the admin users for the departments (repeat this step for all the administrators you want to add):
  - Select Users, select a user and click Edit.
  - Click the icon under Admin roles and select DepartmentAdmin.
  - Under Custom properties, select the value (Sales or Finance) for your custom property Department.
  - Click Apply.
- Select the apps that the organizational admin user should be able to administer:
  - Select Apps, Ctrl+click to select more than one app and click Edit.
  - Select the value (Sales or Finance) for your custom property Department.
  - Click Apply.
You have now created and assigned the organizational admin role.
Security rule code
The following is the security rule code for this example, with explanatory comments:
Security rule code for "DepartmentAdminQmcSections"
Field | Code | Comments |
---|---|---|
Resource filter | QmcSection_Stream,QmcSection_App,QmcSection_App.Sheet, QmcSection_App.Story,QmcSection_Tag, QmcSection_Task, QmcSection_ReloadTask, QmcSection_Event, QmcSection_SchemaEvent, QmcSection_CompositeEvent | Specifically filters on streams, apps, sheets, stories, tags, tasks, and triggers. |
Conditions | user.roles = "DepartmentAdmin" | The rule will apply to all users that have the user role set to DepartmentAdmin. |
Actions | read | Read action will be granted provided that the conditions are met. |
Context | Only in QMC | The rule is only valid when you use the QMC. |
Security rule code for "DepartmentAdminApp"
Field | Code | Comments |
---|---|---|
Resource filter | App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_* | Specifically filters on apps, sheets, stories, tasks, tags and triggers. |
Conditions | user.roles="DepartmentAdmin" and resource.@Department=user.@Department and (resource.resourcetype="App" or (resource.resourcetype="ReloadTask" or resource.resourcetype="App.Object") or resource.resourcetype="SchemaEvent" or resource.resourcetype="CompositeEvent" or resource.resourcetype="Tag") | The rule will apply to all users that have the user role set to DepartmentAdmin. |
Actions | create, read, update, delete, publish | The actions will be granted provided that the conditions are met. |
Context | Only in QMC | The rule is only valid when you use the QMC. |
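The DepartmentAdminApp rule above, modelled in Python as an added example (not Qlik's code or its rule engine) so you can check which users end up able to manage which resources before assigning the role. The user names, resource ids and the treatment of an unset Department property as never matching are assumptions made for this sketch.

```python
from fnmatch import fnmatchcase

# Filter, resource types and actions copied from the DepartmentAdminApp rule on this page.
RESOURCE_FILTER = "App*,ReloadTask_*,SchemaEvent_*,Tag_*,CompositeEvent_*"
ALLOWED_TYPES = {"App", "ReloadTask", "App.Object", "SchemaEvent", "CompositeEvent", "Tag"}
ACTIONS = {"create", "read", "update", "delete", "publish"}


def filter_matches(resource_id):
    """True if the resource id matches any pattern in the resource filter."""
    return any(fnmatchcase(resource_id, p.strip()) for p in RESOURCE_FILTER.split(","))


def granted_actions(user, resource):
    """Actions the modelled rule grants this user on this resource (empty set if none)."""
    dept = user.get("Department")
    ok = (
        filter_matches(resource["id"])
        and "DepartmentAdmin" in user.get("roles", [])
        # Assumption: an unset Department never matches, even if unset on both sides.
        and dept is not None and dept == resource.get("Department")
        and resource["type"] in ALLOWED_TYPES
    )
    return set(ACTIONS) if ok else set()


# Constructed sample users and resources (hypothetical names and ids).
USERS = {
    "fin_admin": {"roles": ["DepartmentAdmin"], "Department": "Finance"},
    "sales_admin": {"roles": ["DepartmentAdmin"], "Department": "Sales"},
    "fin_user": {"roles": [], "Department": "Finance"},  # no admin role
}
RESOURCES = [
    {"id": "App_0001", "type": "App", "Department": "Finance"},
    {"id": "App_0002", "type": "App", "Department": "Sales"},
    {"id": "App_0003", "type": "App"},        # Department not set
    {"id": "Stream_0001", "type": "Stream"},  # outside the resource filter
]


def access_matrix():
    """Map each user to the ids of the resources the rule lets them manage."""
    return {name: [r["id"] for r in RESOURCES if granted_actions(user, r)]
            for name, user in USERS.items()}


if __name__ == "__main__":
    for name, ids in access_matrix().items():
        print(f"{name}: {ids}")
```

In this model an app with no Department value is managed by no departmental admin, which is the case to look for when an app seems to be missing from an administrator's view.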