How does cloning work with property permissions

It is a standard function of OrgVue to be able to clone a given node in a dataset but this can introduce a possible conflict for users of which those setting property permissions should be aware.

When cloning a node, OrgVue will validate each individual property in turn to determine whether or not that individual user has the right to set that property. 

If not then OrgVue will issue warnings or potentially errors to the user (at save time) because some or all of the properties cannot be set, which will ultimately require someone who does have that right e.g. Tenant Admin to complete the property setting process.

Note adding a node will not apply the same property by property permission evaluation as cloning, it simply will not set a given property if the user has no right to do so.

The impact of the above is as follows:

Given that one can set property level permissions as well as at dataset level permissions, it is theoretically possible to be in a situation where a user has edit rights to a dataset and so can create nodes, but property level permissions are so restrictive that when adding a node most properties are set as empty because that user has no right to set the value for that property.

... a situation that may well occur in practice where a Tenant Admin wants to hide a formula/expression from users generally.

Put another way, if property-level access has been prevented, and cloning validates each individual property per node at clone time, property permissions can potentially block cloning.

If this arises, one of the following options should provide a solution

  • Advise users to add, not clone: this means on create, nodes would have properties with blank values if permissions forbid access to those properties, this would have to be resolved by an Admin post-submit/save
  • Adding 'noclone' tag to properties where permissions forbid access to those properties, which is a structured alternative to the previous: blank values would still have to be resolved by an Admin post-submit/save
  • Have a 'shadow property' available to user which substitutes for the true property available to permitted role groups only - see article here

Addendum: cloning and noclone property tag definition

The standard behaviour of cloning is to create an exact copy of the node being cloned in terms of the associated properties and property values, except the ID property which will generate as a unique value.

If a given property tag - again see article here - is set to

noclone

this means the given property value is not copied from the cloned node on create, and is initially set to blank

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Have more questions? Submit a request

Comments