
Hi,

We want to give specific permissions to users, like being able to see financial data or to export a factsheet type, but we want to minimize management effort.

According to the documentation, a user always needs to have a standard role, but custom roles take precedence and their permissions are aggregated. So, if a user has the Member role and custom roles A and B, I assume he will have the permissions from custom roles A and B aggregated and nothing from Member.

If so, and in order to have all combinations of roles, what would be the best approach?

-Option 1 (use only one of the following)

Custom role A - copied from Member and see financial data

Custom role B - copied from Member and export factsheets

Custom role C - copied from Member and see financial data and export factsheets

or

-Option 2 (use any aggregation of A plus the others ex. A+B, A+C, A+B+C)

Custom role A - base member role copied from custom Member

Custom role B - see financial data

Custom role C - export factsheets

In my opinion option 2 escalates better when you add new specific permissions.

Hope it’s clear.

Thank you,

Paulo

@Paulo Vilar I assume you have read the documentation on the Authorization Model (leanix.net)

There are restrictions on what you can do with custom roles depending on your package and whether SSO is enabled, so speak to your CSM.

One thing to note is that a user can only have one role assigned to them, so you would have to design custom roles that had all the aggregate permissions required. They cannot be assigned multiple roles, so a user would have to be assigned a single role that had all the permissions relevant to their role in your organisation. So you might have something like:

Standard “MEMBER”: With permissions restricted as per your requirements.

Custom “FINANCE_MEMBER”: Cloned from standard MEMBER and extra view/edit costs permissions.

Custom “DATA_EXPORT_MEMBER”: Cloned from custom FINANCE_MEMBER and export permissions.

 


Thank you @Justin Swift. We already have one custom role configured in SSO, but I was not aware of that restriction of only one allowed.

Based on what is there in the documentation:

User Roles and Permissions (leanix.net)

  • If a user is assigned multiple custom roles, their permissions are aggregated.

That is why I was planning for option 2.

Thanks,

Paulo


@Paulo Vilar bit of an update: you cannot add custom roles to a user through the LeanIX interface, which is where I noted (erroneously) that you can only specify one role, so my bad. This has to be done by using an external identity provider, and assigning the role(s) through that application allows multiple roles and aggregation of permissions.

I still think it is “cleaner” if you design specific roles and assign just the one to a user but the feature is there to aggregate roles as you intended with option 2.

