VPA Use Case: Using a Message Workflow Rule (Recalculating Space Chargeback)
A number of message workflow rules – such as the WFR for recalculating space chargeback -- turn off VPA. The rationale is that the user who invoked the WFR had the right to perform that operation (since they have the application and security permissions for that WFR). However, the WFR itself needs more access than the user may have. For instance, if the current user is limited to editing one building's data, the WFR can still recalculate space chargeback for all buildings (even though the current user can only see the calculated results for one building).
In the service-provider scenario in which multiple customers share the same database, you need a convenient way to apply a VPA restriction so that a user will be able to recalculate the space chargeback (or other WFRs) only for their own customer organization – that is only for records belonging to their Legal ID.
Presume that Buildings have a hard partition restriction on Legal ID – for instance, that bl.legal_id='BSC'
for buildings belonging to the Boston Surgical Center customer.
This example limits the recalculation work flow rule to work only on data belonging to buildings that are part of the current user's customer organization.
Archibus Users table (afm_users)
Enter the user's Legal ID in each User account record when granting users access.
User ID | Role | Legal ID |
---|---|---|
allison-abernathy@bsc.com | SP-MANAGER | BSC |
chris-carlo@bwh.com | OPS-ELECTRICIAN | BWH |
Archibus Roles table (afm_roles)
Set up a role – SP-WFR --to be used by space WFRs (and not by users).
Role | VPA Group 01 | VPA Group 02 | VPA Group 03 | VPA Group 04 |
---|---|---|---|---|
SP-MANAGER | MA-BLDGS | RI-BLDGS | ||
SP-WFR | ||||
OPS-ELECTRICIAN | CA-BLDGS | AZ-BLDGS |
Buildings table (bl)
Buildings have a legal ID.
bl_id | Name | legal_id |
---|---|---|
BSC-001 | Boston Surgical | HQ BSC |
BSC-002 | Boston Surgical Diagnostics Building | BSC |
BWH-001 | Boston Wellness Outpatient | BWH |
BWH-002 | Boston Wellness Biomedical | BWH |
.VPA Restriction table (vpa_rest)
The service provider administrator creates a VPA Restriction on the Buildings table and on all tables that validate against the Buildings table.
The restriction allows users to see buildings only for their own organization (for their own Legal ID).
Applies to Table | Type | Query |
---|---|---|
bl | Explicit Query | (EXISTS (SELECT 1 FROM bl WHERE ${sql.mainTable}.bl_id = bl.bl_id AND bl.legal_id = ${user.legal_id} ))
|
If the current user is Abernathy, and the table being restricted is the Floors(fl) table, the resulting restriction clause is :
(EXISTS (SELECT 1 FROM bl WHERE fl.bl_id = bl.bl_id AND bl.legal_id = 'BSC' ))
Workflow Rule(AllRoomChargeback.java)
Change the All Room Chargeback to use the VPA restriction for the role (SP-WFR) and not for the current user by adding the text in blue below:
new FieldFormula("fl").setAssignedRestriction("fl.prorate_remain='FLOOR' AND " + ${sql.getVpaRestrictionForTableAndRole('fl','SP-MGR','')} ).calculate( "fl.area_fl_comn_ocup", "fl.area_remain + fl.area_fl_comn_ocup");
Note: The WFR does not need to call <datasource>.setApplyVpaRestrictions(false)
; because the calculation uses a field formula and not a datasource.