CoreOne Suite Organization Unit Employee Manager
Introduction
User management of employees, partners and other users is often a cumbersome task. An effective strategy to address this issue is to involve the business in the user management process. The CoreOne Suite Organization Unit Employee Manager is a powerful tool designed to facilitate this approach within the Admin User Interface 2.0.
Assigning this role to a Core Identity within the context of an organization unit grants the user the following permissions.
Data Access Permissions
| Entity | Permission | Context | Description |
|---|---|---|---|
| Core Identity | Create / Read / Update / Delete | The assigned organization unit and organization units below | Create, read, update and delete Core Identities that have a valid employment in the organization unit assigned in the context (or below). Only Core Identities of types for which an employment is mandatory can be created. |
| Core Identity Employments | Create / Read / Update / Delete | The assigned organization unit and organization units below | Create, read, update and delete Core Identity Employments with a valid employment in the organization unit assigned in the context (or below). |
| Core Identity Type | Read | None | Read the Core Identity Type and the defined mappings including the attributes. |
| Organization Unit | Read | None | Read the organization unit and the records of the context. |
View Permissions
| View | Description |
|---|---|
| My CoWorkers | Gives view access to the My CoWorkers view |
| Core Identity Detail Page | Can see the details of the Core Identity and the following tabs |
| Core Identity Create | Allows creating Core Identities within the assignment context |
| Core Identity Update | Allows editing Core Identities within the assignment context |
| Core Identity Delete | Allows deleting Core Identities within the assignment context |
| Core Identity Detail Page → Account tab | Can see the content of the Account tab of a Core Identity |
| Core Identity Detail Page → Change/Reset buttons | Can see the buttons in the top bar of the Account tab of a Core Identity |
Backend Business Use Case Permissions / UI/API Permissions
UI/API Permissions used on the Core Identity → Account tab:
| UI/API Permissions |
|---|
| COS Account Update (id=37) - WRITE |
| Activate COS Account (id=39) - WRITE |
| Deactivate COS Account (id=40) - WRITE |
| Reset Activation / Set Activation Required (id=38) - WRITE |
| Toggle Change Password at Next Logon (id=41) - WRITE |
| Generate New Activation Code (id=44) - WRITE |
Backend Business Use Case Permissions used on the Core Identity → Account tab:
| Backend Business Use Case Permissions |
|---|
| CoreIdentity.Identity.Actions.ForcePasswordChange |
| CoreIdentity.Identity.Actions.ActivateUserAccount |
| CoreIdentity.Identity.Actions.DeactivateUserAccount |
| CoreIdentity.Identity.Actions.SetAccountToActivationRequired |
| CoreIdentity.Identity.Actions.UpdateActivationCode |
| CoreIdentity.Identity.Actions.ChangePassword |
| CoreIdentity.Identity.Actions.ResetPassword |
CoreIdentity.Identity.Actions.ResetPassword |
Password Change and Reset Permissions
Custom security logic is used for password change/reset, as well as main password change/reset. This is because the role does not allow Update on the Identity but should still allow password management.
To allow this, new RuleGroups were created and associated with this role. They are checked in the backend.
Module | Rule Group Id |
|---|---|
|
|
|
|
The following permissions are checked when changing or resetting a password:
Does the user have the Business Use Case Permissions?
If yes: Does the user have Update Data Access Permissions for the CoreIdentity?
If no: Does the user have Update Data Access Permissions for the Identities affected by the change?
Endpoint | Checked rule group |
|---|---|
| 6 |
| 6 |
| 6 |
| 7 |
| 7 |
| 7 |
| 6 |
| 6 |
| 6 |
| 7 |
| 7 |
| 7 |
| 6 |
| 6 |
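The data access context described above ("the assigned organization unit and organization units below") and the password check order can be modelled as follows. This is an added example, not CoreOne Suite code. The OU tree, the employment records, the function names, the date-window reading of "valid employment" and the rule that every affected Identity must be updatable in the fallback step are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: child OU -> parent OU (None marks the root).
OU_PARENT = {"corp": None, "sales": "corp", "sales-emea": "sales", "hr": "corp"}
RESET = "CoreIdentity.Identity.Actions.ResetPassword"  # use case name from the page

@dataclass(frozen=True)
class Employment:
    core_identity: str
    ou: str
    valid_from: date
    valid_to: date

# Constructed employments: in scope, out of scope, and expired.
EMPLOYMENTS = [
    Employment("alice", "sales-emea", date(2024, 1, 1), date(2026, 1, 1)),
    Employment("bob", "hr", date(2024, 1, 1), date(2026, 1, 1)),
    Employment("carol", "sales", date(2023, 1, 1), date(2024, 12, 31)),
]

def in_scope(ou, assigned_ou):
    """True if `ou` is the assigned organization unit or lies below it."""
    seen = set()
    while ou is not None and ou not in seen:  # `seen` stops a cyclic tree
        if ou == assigned_ou:
            return True
        seen.add(ou)
        ou = OU_PARENT.get(ou)
    return False

def manages(assigned_ou, core_identity, employments, today):
    """Assumed reading of 'valid employment': inside its date window today."""
    return any(
        e.core_identity == core_identity
        and e.valid_from <= today <= e.valid_to
        and in_scope(e.ou, assigned_ou)
        for e in employments
    )

def may_reset_password(use_cases, assigned_ou, target, employments, today,
                       update_on_affected=()):
    """Check order from the page; one flag per affected Identity (assumption)."""
    if RESET not in use_cases:                            # 1. Business Use Case
        return False
    if manages(assigned_ou, target, employments, today):  # 2. Update on Core Identity
        return True
    # 3. Fallback: Update data access on every Identity the change affects.
    return bool(update_on_affected) and all(update_on_affected)
```

A role assigned at `sales` reaches `sales-emea` but never `corp` or `hr`, and an expired employment drops the Core Identity out of scope even though the organization unit still matches.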