User management

Introduction

The user management system controls access and permissions within the platform through three interconnected components:

Users - Individual accounts requiring system access
Roles - Collections of permissions defining system capabilities
Permissions - Specific actions and system access rights

The system operates on a role-based access control (RBAC) model where users receive permissions through role assignments rather than direct permission grants.

Core concepts

Users, roles, and permissions

Users represent individual accounts within the system requiring access to platform functionality.

Roles define collections of permissions that correspond to specific job functions or responsibility levels. Common role examples include:

Supervisor
Fulfiller
Administrator
Read-Only Viewer

Permissions specify individual actions that can be performed within the system, such as:

Edit users
Create orders
View analytical data
Modify facility settings

Permission assignment model

User → assigned → Role → contains → Permissions → allow access to → System Functions

Permissions are assigned to roles exclusively. Users cannot receive direct permission assignments outside of role membership.

Context limitations

General

Context limitations restrict the scope of permission application within the system. When a user possesses a specific permission, context limitations define the subset of entities to which that permission applies.

Example: A user with "Edit Facilities" permission and a facility context limitation for the North Region can only edit facilities within that specific region.

Available context types

Facility context

Restricts access to entities associated with specified facilities
Example: "Edit Pickjob" permission combined with Facility context for "Facility A" limits editing to pick jobs associated with Facility A exclusively

Userrole context

Restricts user management capabilities to specified roles
Limits both the users that can be managed (based on their role assignments) and the roles that can be assigned to other users
Example: "Assign Roles" permission with User Role context for "Manager, Supervisor" restricts user management to users possessing Manager or Supervisor roles and limits role assignments to those same roles

Context limitation implementation: Role versus user level

Context limitations can be implemented at two distinct levels within the system:

Role-level context limitation

When context limitations are defined at the role level, all users assigned to that role inherit identical limitations.

Example:

Role: "Regional Manager"
Facility Context: Restricted to "North Region Facilities"
Result: All users assigned the Regional Manager role can access North Region facilities exclusively

User-level context limitation

When a role contains no predefined context limitation of a given type, specific limitations of that type can be applied during individual user role assignments.

Example:

Role: "Facility Manager" (no predefined facility context limitations)
User Assignment for John: Facility context restricted to "Facility A"
User Assignment for Sarah: Facility context restricted to "Facility B"
Result: John manages Facility A exclusively, Sarah manages Facility B exclusively

Implementation rules

Roles with defined context limitations apply those limitations to all assigned users
Roles without context limitations allow for customized limitations during user assignment
Role-level context limitations cannot be overridden at the user assignment level
Context limitations defined at role assignment apply only to that specific user

Multiple role assignments

Users can be assigned multiple roles simultaneously. Each role maintains its context limitations independently, creating flexible permission structures.

Multiple Role Example

A user assigned two roles:

"Pick Job Viewer" (no context limitations) → grants pick job viewing across all facilities
"Pick Job Editor" with Facility context limited to "Facility A" → grants pick job editing for Facility A exclusively

Resulting Access: The user can view pick jobs from all facilities but can edit pick jobs in Facility A only.

Multiple role behavior

Each role preserves its individual context limitations
User permissions represent the union of all assigned role permissions
Context limitations apply individually to each role's permission set
This enables sophisticated access patterns such as unrestricted read access with restricted modification rights

Example

In the example below, the user is assigned two roles "Pick Job Viewer" and "Pick Job Editor". Additionally, each role assignment has context limitations. Thus, the user can view & edit pick jobs in facility B but only view pick jobs in facility A.

User management operations

User creation

Required Permission: USER_WRITE

Creation requirements:

Username must be unique across the system
Special characters undergo automatic conversion (ö → oe, ß → ss)
Password minimum length: 6 characters
Primary language assignment is optional

Context Inheritance Requirement: Users with context limitations can only create users with equal or more restrictive limitations. Newly created users cannot receive broader access than their creator possesses.

User modification and deletion

Required Permission: USER_MODIFY

Modification Capabilities:

Role assignment changes
User account property updates
Permission revocation through role removal

Automatic System Responses:

Edited Users face immediate session termination, if their password or roles were changed
Active tasks (such as pick jobs) are reset and returned to the available task pool

Deletion Rules:

Users with appropriate permissions can delete other user accounts

Role assignment operations

Required Permission: USER_MODIFY (not restricted to administrators)

Assignment Constraints:

Role assignments must comply with the assigning user's context limitations
Assigned users cannot receive broader access than the assigning user possesses
Facility context example: Users limited to "Facility A" can only assign roles with "Facility A" limitation or more restrictive access

Role management operations

Custom role creation

Required permission: ROLE_WRITE

Role categories:

Preconfigured roles: System-defined roles with fixed permissions (modification and deletion prohibited)
Custom roles: Administrator-defined roles with configurable permission sets

Role management rules:

Role names must be unique system-wide
Permission modifications take immediate effect for all users assigned to the role (propagation may require up to 5 minutes)
Role deletion is permitted only when no users are currently assigned to the role

Role configuration best practices

Begin with minimal required permissions
Test custom roles with limited user assignments before broader deployment
Implement descriptive naming conventions indicating role purpose
Maintain documentation for custom role use cases and intended applications

Security and privilege escalation prevention

Context inheritance rule

Role assignments must maintain or increase restriction levels relative to the assigning user's context limitations.

Permitted Operations:

User with "Facility A, Facility B" access assigns role with "Facility A, Facility B" or "Facility A" limitation

Prohibited Operations:

User with "Facility A" access assigns role without facility limitations or with broader facility access

USER_MODIFY permission security considerations

The USER_MODIFY permission grants extensive role assignment capabilities, including administrator-level role assignments.

Recommended security measures:

Implement User Role context limitations on roles containing USER_MODIFY permission
Define specific assignable roles through context limitations
Exclude administrator roles from assignable role lists when appropriate

Security implementation example:

Role: "Human Resources Manager"
Permissions: Includes USER_MODIFY
User Role Context: Limited to "Employee, Supervisor, Team Lead"
Security Result: User management capabilities without administrator creation privileges

System reference

Permission Hierarchy Structure

System Functions
    ↑ (access controlled by)
Permissions  
    ↑ (organized within)
Roles
    ↑ (assigned to)
Users

Context Limitation Processing Flow

Role Definition → Context Limitation Status Assessment
    ↓ No limitations: Individual user assignment customization available
    ↓ Limitations defined: Applied uniformly to all role assignments
User Role Assignment → Context Application
    ↓
Permission Activation → Within Defined Context Boundaries

Common issue resolution

Insufficient Access Despite Appropriate Permissions

Verify context limitations - permissions may exist but apply to different entity subsets

Role Assignment Failures

Confirm context limitations match inheritance requirements
Verify possession of USER_MODIFY permission
Check User Role context limitations for target role inclusion

Role Permission Changes Not Effective

Allow up to 5 minutes for system-wide permission propagation
Consider user session refresh requirements for certain permission types

System summary

The user management system provides comprehensive access control through:

Role-based permission grouping for organized access management
Context limitation framework for granular access restriction
Flexible assignment options enabling role customization per user
Multiple role support facilitating complex permission requirements
Security enforcement mechanisms preventing unauthorized privilege escalation

These components combine to create a robust access control system capable of supporting diverse organizational security requirements while maintaining operational flexibility.

The user management enables the allocation of roles to users, thereby facilitating the control of permissions for various actions and access within the platform. Users have the option of either using preconfigured roles with static rights or creating custom roles with individual rights.

Last updated 4 days ago