Example: Segregating help desk privileges
A two-participant relationship user class would allow group owners (for example, team Managers) to perform help desk duties for their group members (for example, DirectSubordinate). Those two relationship endpoints (Manager and DirectSubordinate) would be the participants of the class.
With such a configuration, when managers log in and use the Help user link, they would have access to only the employees in their own group.
That user class could be used to give managers access to perform help desk duties for their direct employees, in Manage the system > Security > Access to user profiles > Delegated administration rules.
The same user class can control profile visibility when it is configured in a user-class-based user filter such as GENERATE_USER_PLUGIN (to specify who should be managed) or the reverse, FILTER_USER_PLUGIN (to specify who should not be managed). Both plug-in points are in Manage the system > Modules > Options.
The security rule provides access, while the user filter plugin provides visibility.
So if the user class is used in the security rule, but not in the user filter, all profiles would be listed for everyone, but the managers would have access to see only the details of their own employees.
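The split between access and visibility described above, modelled as an added Python sketch. This is not Bravura Security Fabric code or configuration; the directory, user names and function names are constructed for illustration, and the model assumes a viewer's own profile is left out of the list.

```python
# Constructed sample directory: user -> manager (None = no manager).
# All names are hypothetical; this models the behaviour described above
# and is not product code.
DIRECTORY = {
    "alice": None,    # manager of bob and carol
    "bob": "alice",
    "carol": "alice",
    "dave": None,     # manager of erin
    "erin": "dave",
}


def in_user_class(viewer, target):
    """Two-participant relationship: viewer is Manager, target is DirectSubordinate."""
    return DIRECTORY.get(target) == viewer


def can_access(viewer, target):
    """Effect of the delegated administration rule: access to profile details."""
    return in_user_class(viewer, target)


def listed_profiles(viewer, filter_on_class):
    """Effect of the user filter: which profiles appear in the viewer's list.

    Without a class-based filter, every other profile is listed.
    """
    others = [u for u in DIRECTORY if u != viewer]
    if not filter_on_class:
        return sorted(others)
    return sorted(u for u in others if in_user_class(viewer, u))


def listed_but_denied(viewer, filter_on_class):
    """Profiles the viewer sees in the list but cannot open."""
    return [u for u in listed_profiles(viewer, filter_on_class)
            if not can_access(viewer, u)]


if __name__ == "__main__":
    for flag in (False, True):
        print("filter on class:", flag,
              "| listed:", listed_profiles("alice", flag),
              "| listed but denied:", listed_but_denied("alice", flag))
```

A non-empty `listed_but_denied` result corresponds to the case where the user class is in the security rule but not in the user filter: the names are visible even though the details are not.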
In practice, managers are usually too busy to help their employees with the self-service or approval functionality provided by Bravura Security Fabric, so most of the time there would be specific help desk teams in specific regions, working in the same time zones as the employees they are supposed to help. The class relationship would then be based on the city or region attribute, with a three-participant user class.
Do not use two-participant classes with PSLang expressions that check attributes for these use cases. Even though this is feasible for small companies, and easier to configure than writing plugin scripts or three-participant classes, performance would be impacted during auto discovery and during use of the product, such as when displaying the list of users who can be helped by the viewer and when using help desk features.