JustLabel <\> Techs
Go to download

Authorization management

In this tutorial, you will learn about securing access to the application and its resources. It is possible to manage access to individual operations and resources in the application. You can do it in the Authorization Management panel by creating User Accounts and granting them the appropriate permissions using Authorization Profiles. Each authorization profile can be configured by manually adding permissions or using Authorization Profile Templates. You can also create your own authorization templates to easily define the roles of subsequent users.

During this tutorial, we will create an example user account, authorization profile and authorization profile template, to set the scope of font management permissions for this user.

User accounts

User accounts allow you to grant access to the program to different users for different purposes and with different permissions. Some users may only have access to certain actions, such as adding a new font, or to specific objects, such as the ability to read only certain fonts.

When creating a user account, you must give it a login that will be used to identify the user, then optionally complete the information about the first name and last name, enable the account or leave it inactive until you decide that you want to activate it, and select an Authorization Profile. Authorization profiles will be discussed in later sections of this tutorial. For the purposes of this section, we will use a ready-made profile available in the program.

Create test user account john

  1. Open the Authorization Management panel
  2. Open the User Accounts tab and click Add user account button at the top
  3. Enter the login name: john
  4. Optionally fill the first and last name, for example John and Doe
  5. Set the account Enabled
  6. Use the Template_justlabel_chief profile. Please notice you can select more than one profile
  7. Click Submit button

The new user account named john should appear in the user accounts table. Try to use it.

Log in as John Doe and test permissions

  1. Click the profile icon at the top right corner and Sign out
  2. On the login screen enter your the test user login name. In our case john
  3. Create a password for the user. Please notice, we didn’t specify it when the account was created. We give it an example pass password
  4. Go to Assets and then Fonts tab, click the Edit action
  5. Try to edit the font name and click Confirm. The action should fail due to to the lack of font modification permission in Template_justlabel_chief authorization profile

Authorization profiles

In the previous section, we used an authorization profile and assigned it to our test user. An authorization profile is a collection of Authorization Objects named for easy identification. It allows you to assign a set of permissions to a given user. If several authorization profiles are assigned to a user, he has a set of the sum of authorizations of all the profiles that have been assigned.

When creating an authorization profile, you can manually assign individual authorizations to the profile yourself or use a ready-made Authorization profile template. In our example, we’ll use a template. Templates will be described in the next section. There you will also learn how to create a set of permissions manually. In principle, creating an authorization profile template is the same as manually creating a set of authorizations in an authorization profile.

Create test_profile authorization profile

  1. Log out from John account and log in with admin account again
  2. Open the Authorization Management panel
  3. Open the Authorization Profiles tab and click Add Authorization Profile button at the top
  4. Give it a name: test_profile
  5. Optionally put some description, e.g. Authorization profile for John
  6. Next, we can choose the profile template or assign Authorization Objects manually
  7. Check the Manually... radio button and take a look at the Authorization Objects panel. You will see the same panel in the next section, when we will discuss this topic
  8. For now, get back to Select Authorization Profile Template option and choose the TEMPLATE_JUSTLABEL_CHIEF template
  9. Check the Propagate Authorization Profile Template changes checkbox if you want to propagate the future profile template changes to existing objects which have had this profile already assigned
  10. Click Submit button

We have created a test_profile authorization profile. It should be visible in the authorization profiles table. If you click the Edit button in the Actions column for the Template_justlabel_chief profile, which we assigned to our test user, you will notice that new profile test_profile and Template_justlabel_chief use the same Authorization profile template, which is TEMPLATE_JUSTLABEL_CHIEF. It means both of those profiles give the user the same set of permissions. Changing the authorization profile for our test user to newly created test_profile shouldn’t make any changes. You can change the authorization profile for the user john, and then we will consider what this mechanism can be useful for.

Change authorization profile of test user account

  1. Open the Authorization Management panel
  2. Open the User Accounts tab and locate the john account row
  3. Click the Edit button in the Actions column
  4. In the authorization profiles field check only the new test_profile, leaving nothing else selected
  5. Click Submit button

After this action, nothing should change in user permissions. You can check this, for example, by repeating the steps in the exercise Log in as John Doe and test permissions in the User accounts section.

Why did we create an identical permissions profile? There may be various reasons why we need this step. For example, we want to duplicate the permissions of a group of users for new users by creating a new profile for them with the same permissions, and then we want to modify the old profile so that existing users gain additional rights or, on the contrary, lose some permissions.

Authorization profile templates

As mentioned earlier, the Authorization profile template is a set of permissions that can be assigned to a given Authorization profile. The profile itself can also be such a set, if the Authorization Objects have been added manually to it. This approach, however, does not allow the set to be reused in other profiles. Templates that can be saved and used in many authorization profiles come in handy here.

Creating a profile consists in manually assigning individual Authorization Objects to a set with a specific name. The panel for assigning subsequent permissions to the template looks the same as the panel for assigning permissions to the profile in manual mode.

In this example, we will create an Authorization profile template usable in Authorization profiles that will give the user permission to view all fonts as well as rename the font. However, we will not allow to add new fonts or remove them.

Authorization Objects are the entities that allow to perform a certain actions. You can choose between Operation-based and Entity-based authorization objects. First one decides wheather an action of specified type is allowed. For example add or delete. The second one applies to a specific type of objects. In our case we will be dealing with fonts, so the type of the object will be Font.

In case of entity-based objects, after selecting the managed object type, we will be able to specify what query is allowed and by specyfing query, it means setting specific built-in operations and its parameters.

Follow the steps below to create permission objects in a template.

Create test_template authorization profile template

  1. Log in with admin account
  2. Open the Authorization Management panel
  3. Open the Authorization Profile Templates tab and click Add Authorization Profile Template button at the top
  4. Give it a name: test_template
  5. Optionally put some description, e.g. A template that allows you to update the font
  6. Click the Add Authorization Object button to open new popup form
  7. Choose the Operation-based object type and Update Font operation. Please notice the information below the form regarding involved operations. In case of updating the font operation, the Get Font by ID built-in operation will be used
  8. Click Confirm button to store this authorization object
  9. Click Submit button to save changes to test_template authorization profile template

The new authorization template is created, you should see it in the list. Now, let’s use our new template in the test_profile authorization profile used by our test user.

Change authorization profile template of test authorization profile

  1. Open the Authorization Management panel
  2. Open the Authorization Profiles tab
  3. Click the Edit button in the Actions column for the test_profile row
  4. Switch the TEMPLATE_JUSTLABEL_CHIEF template to test_template
  5. Make sure the Propagate Authorization Profile Template changes is checked
  6. Click the Submit button

Now, the john test user account uses the test_profile authorization profile which uses the test_template authorization profile template.

The template provides only one permission, to edit the font information. You can check the effect of this configuration by logging back into your john account.

Log in as John Doe and test permissions

  1. Log in using the test john user account
  2. Go to Assets and then Fonts tab

As you can see, there are no fonts available for this user. This is the correct behavior of the program, taking into account the configuration of the profile that we have entered. The user using the test_template permission set has permission to edit the single font information, but does not have permission to browse the font list, which is needed to display them in the table. Let’s fix this error by adding the appropriate entity-based permissions

Create test_template authorization profile template

  1. Log in with admin account
  2. Open the Authorization Management panel
  3. Open the Authorization Profile Templates tab
  4. Click the Edit button in the Actions column for the test_template row
  5. Click the Add Authorization Object button to open new popup form
  6. Choose the Entity-based object type and Font entity ID
  7. The additional queries table will appear at the bottom of the form, with new Add Query button. Click it
  8. When you open the Operations list you will notice the list of built-in operations. Notice, that one of them is Get Font by ID which was mentioned in the information while adding the Update font operation in previous steps
  9. Choose the Find Fonts operation, then id - EQ in next Field and operator field, and put the * in the last Value field
  10. Click Add button to store the query. What we did here, is that we allowed the user to query the Font objects with any ID field value. This basically means, we allowed to show all fonts to this user. Of course we could limit the list to a single font by specifying the value of one of the identifiers instead of the * character as Value, or provide a finite list of fonts available for the user by changing the id - EQ operator to the id - IN operator and providing a list of allowed font IDs
  11. Click Confirm button to store this authorization object
  12. Click Submit button to save changes to test_template authorization profile template

Now, the template provides permissions both to list the fonts and to edit the information of a single font. We can check if everything is correct.

Log in as John Doe and test permissions

  1. Log in using the test john user account
  2. Go to Assets and then Fonts tab. The list should be available
  3. Click the Edit button in the Actions column of any font
  4. Add the “- test” suffix to the name
  5. Click Confirm button

As you can see, we successfully updated the font information. Now repeat the last exercise, this time deleting the “- test” suffix.

Removing authorization profile

To delete an authorization profile (as well as an authorization profile template), you must ensure that it is not used anywhere. Therefore, to remove

  • Authorization profile – make sure no User account is using it
  • Authorization profile template – make sure no Authorization profile is using it

To allow the deletion of an item, remove the items that use it, or change the item in use to a different one. In our case, we’ll be cleaning up the changes made during the tutorial, so we’ll be removing the created objects in the correct order, allowing the next object to be deleted. You can first try to remove the objects in different order, to be sure that it will not be possible.

Log in as admin

To perform all the following steps, log in with the admin account

After switching to the administrative account, you can perform the cleaning.

Remove test user account john

  1. Open the Authorization Management panel
  2. Open the User Accounts tab
  3. Check the john test user account checkbox
  4. Click the Remove selected user account button

After this step, you can remove the test_profile authorization profile

Remove test_profile authorization profile

  1. Open the Authorization Management panel
  2. Open the Authorization Profiles tab
  3. Check the test_profile authorization profile checkbox
  4. Click the Remove selected Authorization Profiles button

After this step, you can remove the test_template authorization profile template

Remove test_template authorization profile template

  1. Open the Authorization Management panel
  2. Open the Authorization Profile Templates tab
  3. Check the test_template authorization profile template checkbox
  4. Click the Remove selected Authorization Profile Templates button

API Keys

API Keys are used for print authorization. They secure the Printer queues. To get more information on this topic, please visit this tutorial

Exercise without template

Try to retry this tutorial for the templates objects. This time, don’t use the authorization profile template. Try to add authorization objects directly to the authorization profile instead, choosing the Manually assign Authorization Objects option.

During this example, we will create account with the full permissions to manage label templates.

We will guide you through the example, explaining steps to achieve the exercise goal, but we are skipping some steps already discussed in previous sections. If you have any problems with any step following this section, refer to the appropriate previous sections.

Create account using profile without template

  1. Log in as admin and go to Authorization Management, then Authorization Profiles and start creating new profile (Add Authorization Profile button)
  2. Give it a name template_manager, with any description e.g. Template Manager Profile
  3. Instead of using the pre-defined permissions set stored in authorization profile template, choose the Manually assign Authorization Objects option
  4. As you can see, the Authorization Objects form is displayed. It is similar to the one you used when creating the Authorization Profile Template. Because the subject of Authorization Objects as well as the method of adding them to the list of objects has been covered in Authorization profile templates section, please refer to this section if you have any doubts on next steps described below
  5. First, let the user find all the templates. To do that, click Add Authorization Object, choose Entity-based type for the Template entity and click Add Query button
  6. Add basic operation named Find Templates (very similar to Find Fonts we discussed before). Notice, that for Templates, the managed fields list is bigger, now we can choose between id and name field. This can be helpful if you only want to provide a subset of the available templates, e.g. using a name prefix or a defined, finite list of template names. Let’s choose the name - EQ option. Then provide the * wildcard as value, so that our user can view the full list of templates
  7. Click the Add button, then Confirm. Finally Submit button in the the profile.
  8. Create the john account again, if you have had deleted it in the Removing authorization profile section. if you have any problem with this step, refer to the User accounts section. Choose the authorization profile template_manager created in previous steps.

With profile like this, john account can explore the templates list and open any template in the editor. The permissions he lacks are:

  • add new template
  • update template
  • delete template

You can check this if you want, by logging in as john and trying to explore, open and add, update or delete some templates. Each of the actions to which we have not added permissions will result in displaying an error. Let’s add the missing permissions.

Add missing permissions to manage templates

  1. Log in as admin again and edit template_manager authorization profile in Authorization Profiles tab
  2. Click the Add Authorization Profile button
  3. Add the Operation-based authentication object called Add Template. Notice the list of Operations involved. They are necessary to acomplish the task defined in Add Template action and the permissions to execute them will be granted automatically. Click Confirm button to add this authentication object
  4. Repeat the above step for Update Template authentication object
  5. Repeat the above step for Delete Template authentication object
  6. Don’t forget to Submit the new profile settings

After making the above modifications to the authorization profile, the user account with this profile should have full control over the label templates. It has permission to display a list of label templates with any name, can add new templates, edit them and delete them. You can test the permissions by logging in as john, creating a new template and performing various actions on it.

Congratulations, if you have successfully completed all the above steps, you are now able to create authorization profiles. If you want to check how individual permissions work, you can try to remove permissions from our test profile one by one or change them, observing the effect of these actions. After testing is complete, you should delete all test objects.

Clear the environment after tests

To delete a test authorization profile, it cannot be used by any user account. In a similar way, any authorization template cannot be deleted while it is in use by an authorization profile. Remove the template_manager test profile by following the information in the Removing authorization profile section.

Table of contents