Privileges view

Administration Security Privileges Privileges view

The Privileges view displays the privileges defined in the system. Each task that a user can perform in N4 is associated with one or more privileges. However, you cannot add, edit, or delete privileges that are defined in N4. In addition, you cannot directly assign privileges to a user. To assign privileges to user accounts, you group them together to create roles, which you can then assign to users to grant them the use of the system.

For example, the Booking Add privilege enables a user to add a booking and the Booking Edit privilege enables a user to edit an existing booking. To allow a user to add and edit bookings, you create a role with the Booking Add and the Booking Edit privileges and assign it to the user.

To prevent a user in one organization from viewing or editing a booking owned by another organization, such as a line operator, you must specify a business group for the user in the User form (on page 1).

The Menu Navigation – Complete (ACCESS_ALL_NAVIGATION_NODES) privilege grants access to all modes and all menu items in N4. This privilege is helpful when you need to determine if a licensed feature is missing due to privileges or licensing. This privilege does not include access to add, edit, delete records, or access to the Actions menu in a list view in N4. Therefore, to include additional access, you must also assign the associated privileges as needed to the administrative role.

Navis recommends that you only assign the Menu Navigation - Complete (ACCESS_ALL_NAVIGATION_NODES) privilege to an administrative role because including this privilege overrides all the other privileges, thereby giving default access to all the menus irrespective of the privileges excluded.

You can use the Actions menu to:

• Modify Role Constraint: (on page 1) Create or edit privileges constrained by a business role, such as a line operator.

• Remove Role Constraint: Delete the selected constrained privilege.

For more information on constrained privileges, see Constrained privileges below.

The following types of privileges exist:

• Static privileges: Are part of the system installation and relate to the various work modes, menu options, and tasks. The basic tasks that you can perform on an entity are:

• View: View existing data for a specified entity. For example, the Booking View privilege enables you to access the Bookings view.

A view privilege is a prerequisite for the add, edit, and delete privileges as it allows the user to see the required menu options.

• Add: Add new data for a specified entity. For example, the Booking Add privilege enables you to add new bookings.

• Edit: Edit existing data for a specified entity. For example, the Booking Edit privilege enables you to edit existing bookings.

• Delete: Delete existing data for a specified entity. For example, the Booking Delete privilege enables you to delete existing bookings.

To view all the privileges related to an entity, sort the Privileges view using the Name column. For more information on sorting data in a list view, see Sorting columns.

• Deny privileges: Like static privileges, these are part of the system installation. However, they prevent access to parts of the application rather than allowing it.

There are two types of deny privileges: those that prevent access to an aspect of the N4 application, such as the Unit Inspector - Deny Access to Damages privilege; and those that deny access to a specific field in the N4 user interface, such as the Deny access to Unit field Unit Notes privilege which hides the Unit Notes field in all views and forms. Not every field has an associated deny privilege; you need to look in the Privileges view for the complete list. For more information, see Field-Level Security (on page 1).

• Dynamic privileges: N4 creates these dynamically for the configurable components of N4 such as the gates, gate stages, unit modify action, user-defined service events, and holds/permissions.

With each new gate stage, N4 creates a new privilege named as follows:

• GateConfigStage.<Gate Config. ID>.<Stage ID>

With each new hold/permission, N4 creates two new privileges for each new hold/permission.

• For a new hold, the privileges are Hold Add: <Hold ID> and Hold Release: <Hold ID>.

• For a new permission, the privileges created are Permission Grant: <Permission ID> and Permission Cancel: <Permission ID>.

To allow a user to update a specific hold/permission, in addition to the privileges for a specific hold/permission, you must assign the privilege to update holds/permissions. For example, to enable a user to add an ABC hold to a unit, you must assign the Hold Add: ABC dynamic privilege and the Unit Actions - Update Holds/Permissions static privilege to the user's role.

With each new event type, N4 creates a new privilege named as follows:

• Services: Apply <event type Id> Service

Users can only record events associated with the privileges you assigned to their user account.

If you want to allow a user to record any user-defined event type for any entity, assign the Services: Apply *Any* Service privilege to the role assigned to the user.

• Constrained Privileges: N4 creates these privileges when constraining a privilege by organization type using the Actions >Modify Role Constraint option. You can constrain a privilege by a business role when you need to restrict certain users from accessing certain data. For instance, vessel operators can generally view all units that will travel or have traveled on their vessel. The terminal can restrict the data that a vessel operator is allowed to view if the line is not the same as the line of the vessel operator by using the role constrained privileges.

N4 names the constrained privileges as follows:

<Privilege> constrained by <Business Role>

For example, if the Unit Inspector - Bills of Lading privilege is constrained by Line Operator, then the privilege is Unit Inspector - Bills of Lading constrained by Line Operator. When you assign both these privileges to a user, then the logged-in user can only view or access his/her company’s data.

Constraints also apply to action privileges such as Units Actions - Renumber or Vessel Visit Actions - Advance Vessel Visit.

When you assign a constrained privilege to a role, associated users can perform the action only on data that the user’s company or business group associated with the entity.

• For example, if

» The user's company is the line operator XYZ,

» XYZ is also a shipper, and

» The user's role has the Unit Actions - Renumber privilege,

the user can renumber any container owned by XYZ or on an XYZ vessel.

However, if the user also has the Unit Actions - Renumber constrained by Shipper/Consignee privilege, the user can only renumber containers specifically owned by XYZ.

• For example, if

» A user is associated with the business group ABC which affiliates three line operators, and

» The user's role contains the Unit Actions - Renumber privilege,

the user can renumber units owned by ABC operators and all units arriving or departing on any ABC vessels.

If you add the Unit Actions - Renumber constrained by Line Operator privilege to the user's role, the user can now only renumber units owned by the ABC operators.

The Debug Info column in this view provides information on the type of privilege you are dealing with: Statically delivered privileges are sourced from an XML file. Dynamic or custom privileges indicate the class responsible for loading the privilege.

Privileges Columns

You can use the Debug Info column to identify the type of privilege. For example, all static privileges are sourced from an XML file; therefore the Debug Info column displays the path of the XML file. Any dynamic or custom privileges show the class responsible for loading the privilege.