Security and Permission Configuration Changes in Lucity 2016

Changes to security and user permission management are coming in Lucity 2016 in February.  For some administrators these will be very minor, but others may need a moderate to large number of changes to their Lucity security setup.  We wanted to give everyone plenty of time to get used to the idea and start planning.  This post contains details to help Lucity administrators start preparing for these changes now.

Historically, Lucity has supported configuring permissions both by group and by individual user (the latter called individual overrides). Starting in Lucity 2016 (Feb. 2016), individual overrides will no longer be available.


Immediately after upgrading to Lucity 2016 (or prior to upgrading), it will be critical to migrate all individual override permissions to group permissions.  If this is not done, users may have access to features they should not have, because their DENY overrides are gone.  Users may also lose access to features they need, because their GRANT overrides are gone.

This permission architecture change will improve the performance of Lucity applications and is necessary in order for Lucity to adopt some modern patterns for security management.

Here are some example workflows that show how permission assignments may change for you:

Historically you may have done this:

  • Created a group called “Work Order Editors” which provided full read/write/delete access to Work Orders.
  • Added Ed, Sally, and Dave to “Work Order Editors”
  • Added an individual override DENY on “General -Delete” to prevent Ed from deleting work orders
  • Added an individual override DENY on “General -Delete” to prevent Sally from deleting work orders

The result is:

  • Dave has full access to work orders.
  • Ed and Sally can do everything in work orders EXCEPT deleting work orders.

Starting in Lucity 2016, you will do this instead (this workflow is also possible in Lucity 2015r2 and all previous versions of Lucity):

  • Create a group called “Work Order Editors” which provides full read/write/delete access to Work Orders.
  • Create a group called “No Work Order Delete” which has one permission, a DENY for deleting work orders.
  • Add Ed, Sally, and Dave to “Work Order Editors”
  • Add Ed and Sally to “No Work Order Delete”

As another example, you may have done this:

  • Created a group called “Work Order Editors” which provided full read/write access to Work Orders and denied delete access to work orders
  • Added Ed, Sally, and Dave to “Work Order Editors”
  • Added an individual override GRANT on “General -Delete” to allow Dave to delete work orders

The result is:

  • Dave has full access to work orders.
  • Ed and Sally can do everything in work orders EXCEPT deleting work orders.

Starting in Lucity 2016, you could do this:

  • Create a group called “Work Order Editors” which provides full read/write access to Work Orders and denies delete access to work orders
  • Create a group called “Work Order Admins” which provides full read/write/delete access to Work Orders
  • Add Ed and Sally to “Work Order Editors”
  • Add Dave to “Work Order Admins”
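
The two workflows above can be checked before the upgrade. The following Python is an added example, not Lucity code and not the Lucity conversion tool: it assumes the evaluation rules the examples imply (an individual override decides the outcome before 2016; among groups, a DENY in any group beats a GRANT). The permission names, the "Work Order Reviewers" group, the user Pat and the "Migrated: ..." group names are constructed for illustration.

```python
# Constructed sample data modelled on the post's examples; not exported from Lucity.
GROUPS = {
    "Work Order Editors": {"WO-Read": "GRANT", "WO-Write": "GRANT", "WO-Delete": "GRANT"},
    "Work Order Reviewers": {"WO-Read": "GRANT", "WO-Delete": "DENY"},
}
MEMBERS = {"Dave": {"Work Order Editors"}, "Ed": {"Work Order Editors"},
           "Sally": {"Work Order Editors"}, "Pat": {"Work Order Reviewers"}}
OVERRIDES = {"Ed": {"WO-Delete": "DENY"}, "Sally": {"WO-Delete": "DENY"},
             "Pat": {"WO-Delete": "GRANT"}}

def group_verdict(groups, member_of, perm):
    """Assumed rule: a DENY in any group beats a GRANT; no rule means no access."""
    rules = {groups[g].get(perm) for g in member_of}
    return "DENY" if "DENY" in rules else "GRANT" if "GRANT" in rules else None

def effective(groups, member_of, overrides, perm):
    """Pre-2016 model: an individual override, if present, decides the outcome."""
    return overrides.get(perm) or group_verdict(groups, member_of, perm)

def plan_migration(groups, members, overrides):
    """Return (new_groups, new_members, needs_restructure) with no overrides left."""
    new_groups = dict(groups)
    new_members = {u: set(gs) for u, gs in members.items()}
    needs_restructure = []
    for user, ov in sorted(overrides.items()):
        blocked = [p for p, v in ov.items()
                   if v == "GRANT" and group_verdict(groups, members[user], p) == "DENY"]
        if blocked:  # a group DENY would still win, so adding a group cannot help
            needs_restructure.append((user, blocked))
            continue
        name = "Migrated: " + ", ".join(f"{v} {p}" for p, v in sorted(ov.items()))
        new_groups[name] = dict(ov)  # users with identical overrides share one group
        new_members[user].add(name)
    return new_groups, new_members, needs_restructure

def unchanged(groups, members, overrides, new_groups, new_members, user):
    """True if the user's access is identical before and after the migration."""
    perms = {p for g in new_groups.values() for p in g}
    return all(effective(groups, members[user], overrides.get(user, {}), p)
               == group_verdict(new_groups, new_members[user], p) for p in perms)
```

Users returned in `needs_restructure` are the second workflow's case: their GRANT override sits on top of a group DENY, so they need a different group (as Dave moves to “Work Order Admins”), not an extra one.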

To help you identify and get rid of individual override permissions, two new queries will be available with the Lucity Data Quality Services tool for Lucity 2015r2 SP1.


The individual overrides shown in the Information query “Users with permissions assigned as individual overrides, not as group permissions” can be automatically converted to group permissions using a new tool available in Lucity Security in Lucity 2016.


This will generate a new group for individual overrides and delete the user’s overrides.


More details about how to review these individual overrides are available in a new knowledge base article in the Lucity support center.

If you have questions about converting your permissions from individual override permissions to group based permissions, please leave a question below or contact Lucity Support.
