
Can you set Diagram read/write permissions by role?

  • July 30, 2025
  • 11 replies
  • 179 views

We have a couple of custom LeanIX roles set up in our organization, facilitated via SSO. One of these roles is associated with the majority of employees in our company, we’ll call it “RO” for short, and another is associated with the team of individuals responsible for updating these diagrams (we’ll call it “RW”).

If I set the baseline permissions of a diagram to read-only, I haven’t been able to find a way to assign Read/Write permissions to members of the RW role.  It looks like the only way to assign these is at the user level for every diagram we have published.  

The end goal is to have a sort of “diagram reference library” which, when published to, is read-only visible to the larger role group without having to manually grant write permissions to the smaller individually, per user, per diagram.

Is anyone doing this today? 

Best answer by justinharclerode

Yes please submit a support ticket or talk with your CSM.

11 replies

justinharclerode
Community Manager

Hi, yes, this is possible today. You will need to contact support and/or your customer success manager to go into advanced configuration, under bookmarks, and allow RO read-only access to diagrams. There is currently no way to create a new diagram, and say for RO users they can read but R-test can read and update. If your use case is simply RO can only read all diagrams, this is possible. If it’s specific diagrams, this is not possible today.


  • Author
  • Rookie
  • August 1, 2025

My apologies, but I’m not 100% sure I follow. Are you saying this isn’t something an ADMIN cannot set up, but will need to configure via the LeanIX team?

I appreciate your clarity.

 


justinharclerode
Community Manager

Yes please submit a support ticket or talk with your CSM.


Fab
  • Veteran
  • September 11, 2025

Hi ​@justinharclerode

Why isn’t this a standard permission an Admin could grant to Roles? Isn’t it just possible to have it added to the standard permissions? It is more likely to be in your roadmap, I’d presume? 🤔
 

 


  • Royalty For Loyalty
  • October 20, 2025

@justinharclerode 
Maybe related:
Can I grant or remove permissions to diagrams as part of an automation (script)?
Is this documented?

I cannot find it in the help documentation.

Thanks in advance.


Fab
  • Veteran
  • November 6, 2025

You won’t find this in the documentation (or if it is, please send it over!!)

Each diagram has the permissions node attached to it. Check the Bookmarks in Pathfinder, under the permitted users.

The PATCH option available only allows updating the owner of the diagram. I believe to change the viewers you may need to use a PUT and swap the permittedUserIds collection.

I have tried but got a 403 permission error then. Perhaps there is some authorization grant required (e.g. account admin). ​Perhaps 🤔@Thomas Schreiner could chime in  

 


  • Royalty For Loyalty
  • November 6, 2025

Thank you ​@Fab - Yes found the same.

It took some work to realize that diagrams are “bookmarks”:
Bookmarks | SAP Help Portal

This opens the door to grant/monitor group-based permissions for a subset of diagrams/reports/dashboards (today LeanIX only allows controlling access to either ALL or NONE of them).  Maybe one day it will become a roadmap item….

 


  • Royalty For Loyalty
  • November 26, 2025

Just confirming
This approach seems to require a separate tool/environment to query the LeanIX from outside LeanIX.

Is this need to manage permissions in Diagrams/Reports a common use case (similar to the roles/permissions for the inventory of factsheet that exists already in LeanIX)?
Is there interest to upgrade to a roadmap item?

Your input is appreciated,
And thank you
Moise


Fab
  • Veteran
  • November 26, 2025

To me, roles and permissions are a bit lacking in the product. I would perhaps state the requirement as to “allow the customers to create groups of users independently from the Role”, and have the ability to interact with those. The concept of group is key in collaboration and it is crucially lacking. Also add some automation rules or other mechanisms to perform updates on basic things like to-dos, permissions or others. 

Having the concept of Group (in which you can easily add/remove users based on criteria) that you could apply to certain logical groups of documents/objects would most probably solve for your requirement.


  • Royalty For Loyalty
  • November 26, 2025

@Fab Thanks for the reply
Even looking at the “Configuring Role-Based Permissions” in the User Roles and Permissions | SAP Help Portal?

It provides some granularity - my concern is that it covers fact sheets - but no sub-groups of diagrams and reports (it becomes an all or nothing).

Thanks again
Moise


Thomas Schreiner

Hi ​@Fab ​@Moise ​@justinharclerode I played around with this problem a bit and I found a way to edit bookmark permissions via API with standard ADMIN permissions, no ACCOUNTADMIN etc.

EDIT: Forget what I wrote below - it turns out that it’s sufficient to edit the permissions using a (deprecated) API Token of a personal user. The whole part of “stealing the bookmark and giving it back” is not needed at all :-D

 

OLD ANSWER:

1.) Create a personal API token (deprecated, I know, but that’s the only way I got it working)

2.) Load a bookmark, no matter what user owns it, and store its “user” data structure, you will need it later

3.) “Stealing” the bookmark: Using the personal API token, update the bookmark’s “user” field to match the user that created the personal API token

4.) Update the permitted[Read|Write]UserIds as desired, which you can do now because you are the owner, and at the same time set the “user” structure back to the original value to “give it back” to the original user

No idea if there are better ways, but my experiments show that a) technical users cannot steal bookmarks, and b) non-owners cannot update bookmark permissions. I still hope I’m wrong about one of these findings, because this makes it unnecessarily complex to automatically edit the permissions of bookmarks / diagrams / reports. If anybody finds a better solution or LeanIX fixes this: Let me know :-)
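
The permission update discussed in this thread, as an added example (not code from any poster or from LeanIX): a Python helper that plans the replacement body for one bookmark so its read and write lists follow two role memberships, and records what changed for an audit log. The field names come from the thread's "permitted[Read|Write]UserIds"; the bookmark shape, the sample IDs and the function name are assumptions, and sending the body to the API is left to the caller.

```python
import copy

READ_KEY = "permittedReadUserIds"    # named in the thread as permitted[Read|Write]UserIds
WRITE_KEY = "permittedWriteUserIds"

def plan_bookmark_update(bookmark, ro_user_ids, rw_user_ids):
    """Return (new_body, audit); new_body is None when the bookmark is already in sync.

    bookmark    -- dict as loaded from the bookmarks API (shape assumed here)
    ro_user_ids -- user IDs currently in the read-only role
    rw_user_ids -- user IDs currently in the editor role
    """
    rw = set(rw_user_ids)
    ro = set(ro_user_ids) | rw        # editors must also be able to read
    old_read = set(bookmark.get(READ_KEY) or [])
    old_write = set(bookmark.get(WRITE_KEY) or [])

    # Record additions and removals so every sync run leaves a reviewable trail.
    audit = {
        "bookmark": bookmark["id"],
        "read_added": sorted(ro - old_read),
        "read_removed": sorted(old_read - ro),
        "write_added": sorted(rw - old_write),
        "write_removed": sorted(old_write - rw),
    }
    if not any(v for k, v in audit.items() if k != "bookmark"):
        return None, audit            # nothing to send

    # A PUT replaces the whole object, so carry every other field over
    # unchanged, including the owner ("user") structure.
    body = copy.deepcopy(bookmark)
    body[READ_KEY] = sorted(ro)
    body[WRITE_KEY] = sorted(rw)
    return body, audit

# Constructed sample bookmark; IDs are placeholders, not real LeanIX values.
SAMPLE = {
    "id": "bm-0001",
    "name": "Reference diagram",
    "user": {"id": "u-owner"},
    READ_KEY: ["u-1", "u-left-company"],
    WRITE_KEY: ["u-1"],
}

if __name__ == "__main__":
    new_body, changes = plan_bookmark_update(SAMPLE, ["u-1", "u-2"], ["u-9"])
    print(changes)
    print(new_body)
```

Running the planner on a schedule and logging the `audit` dict shows when a user who left a role still holds write access to a diagram.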