VPA Use Case: Using a Message Workflow Rule (Recalculating Space Chargeback)

A number of message workflow rules – such as the WFR for recalculating space chargeback -- turn off VPA. The rationale is that the user who invoked the WFR had the right to perform that operation (since they have the application and security permissions for that WFR). However, the WFR itself needs more access than the user may have. For instance, if the current user is limited to editing one building's data, the WFR can still recalculate space chargeback for all buildings (even though the current user can only see the calculated results for one building).

In the service-provider scenario in which multiple customers share the same database, you need a convenient way to apply a VPA restriction so that a user will be able to recalculate the space chargeback (or other WFRs) only for their own customer organization – that is only for records belonging to their Legal ID.

Presume that Buildings have a hard partition restriction on Legal ID – for instance, that bl.legal_id='BSC' for buildings belonging to the Boston Surgical Center customer.

This example limits the recalculation work flow rule to work only on data belonging to buildings that are part of the current user's customer organization.

Archibus Users table (afm_users)

Enter the user's Legal ID in each User account record when granting users access.

User ID Role Legal ID
allison-abernathy@bsc.com SP-MANAGER BSC
chris-carlo@bwh.com OPS-ELECTRICIAN BWH

Archibus Roles table (afm_roles)

Set up a role – SP-WFR --to be used by space WFRs (and not by users).

Role VPA Group 01 VPA Group 02 VPA Group 03 VPA Group 04
SP-MANAGER MA-BLDGS RI-BLDGS    
SP-WFR        
OPS-ELECTRICIAN CA-BLDGS AZ-BLDGS    

Buildings table (bl)

Buildings have a legal ID.

bl_id Name legal_id
BSC-001 Boston Surgical HQ BSC
BSC-002 Boston Surgical Diagnostics Building BSC
BWH-001 Boston Wellness Outpatient BWH
BWH-002 Boston Wellness Biomedical BWH

.VPA Restriction table (vpa_rest)

The service provider administrator creates a VPA Restriction on the Buildings table and on all tables that validate against the Buildings table.

The restriction allows users to see buildings only for their own organization (for their own Legal ID).

Applies to Table Type Query
bl Explicit Query (EXISTS (SELECT 1 FROM bl WHERE ${sql.mainTable}.bl_id = bl.bl_id AND bl.legal_id = ${user.legal_id} ))

If the current user is Abernathy, and the table being restricted is the Floors(fl) table, the resulting restriction clause is :

(EXISTS (SELECT 1 FROM bl WHERE fl.bl_id = bl.bl_id AND bl.legal_id = 'BSC' ))

Workflow Rule(AllRoomChargeback.java)

Change the All Room Chargeback to use the VPA restriction for the role (SP-WFR) and not for the current user by adding the text in blue below:

new FieldFormula("fl").setAssignedRestriction("fl.prorate_remain='FLOOR' AND " + ${sql.getVpaRestrictionForTableAndRole('fl','SP-MGR','')} ).calculate( "fl.area_fl_comn_ocup", "fl.area_remain + fl.area_fl_comn_ocup");

Note: The WFR does not need to call <datasource>.setApplyVpaRestrictions(false); because the calculation uses a field formula and not a datasource.