===== Authorizations & Permissions =====

==== Purpose ====
To control what a Redpeaks end user can see and modify among all defined SAP systems and their associated monitoring configuration.
This is controlled by the definition of **Permission and Authorization Profiles**

==== Concept ====
  * **Permission Profile** will determine what can be changed (create, update, delete) in systems, connectors, monitors, SAP users and monitoring configuration.
  * **Authorization profiles** are used to associate permission profiles with SAP systems. 
  * The association between permission profiles and SAP systems can be done by:
    * **Groups** (company): All systems belonging to the group will be associated to a permission profile.
    * **Tags**: All systems flagged with the same tag.
    * **Group and Tag**: All systems within a given group AND flagged by the same tag.
  * **User profiles**: are used to associate a single user to one or several authorization profiles. This will define what the user will see and what he can modify.
  * A user will only see the systems being associated to permissions profiles associated to his authorization profiles.

==== Redpeaks prior to version 6.7 ====
Be aware that users authorization management elements, workflow and settings prior to Redpeaks 6.7 will be completely obsolete.
All assignments User - User Group and user Groups settings will be lost and not taken into account.
Please adapt all settings made in Redpeaks older versions to the new Authorization policy.     

===== 1 - Permission Profile =====
  * From the Users and Authorization menu, you can manage permission profiles
  * A Permission Profile defines the kind of actions (create, update, delete, assign, etc) that will be granted or denied on following entities:
    * Systems
    * Connectors
    * Monitors
    * SAP Users
  * You can define several profiles according to your needs:

{{..:..:userguide:administration:pasted:20190221-190215.png}}

=== Creating a Permission Profile : ===

{{:products:promonitor:6.7:userguide:administration:pasted:20190614-153748.png}}


  * Enter a unique profile name
  * Define permissions for each entity:
    * **Systems/Connectors**: Actions on systems and connector profiles
    * **SAP users**: Actions on SAP users profiles
    * **Profiles**: Define if the profile allows to assign monitoring profiles to connectors
    * **Monitors**: Set permissions allowing to edit a monitoring configuration (monitors) associated to a connector
    * **Reports**: Allow or deny permission to View (then Download), Delete and manually send by email Redpeaks Reports 
  * **To allow read only access**, simply create a profile without any checkbox active.

===== 2 - Authorization Profile =====
  * An Authorization Profile establishes on which the Redpeaks elements a given number of different Permission Profiles will apply.
  * It gives the possibility to Administrators to grant or deny users to access to this Redpeaks features :
    * Create, Update and Delete Profiles : These settings will allow users to perform actions on Profiles **not yet assigned to systems connectors** 
    * View Change tracking : Allows or denies users to access to the "Change tracking" history feature.  
    * **Notice that settings listed above will be effective**
  * About visibility : **Notice that the simple fact of assigning ANY Permission Profile to a given Group (Company) within an Authorization Profile will make this Group visible (displayed) in Redpeaks console of the users affected  by the Authorization Profile **  
  * To access Authorization Profile management : Administrator Settings -> Users and Authorizations  -> Authorization profiles
  
{{:products:promonitor:6.7:userguide:administration:pasted:20190305-141046.png}}

\\ 
==== Creating an Authorization Profile : ====

{{.:..:..:userguide:administration:pasted:20190305-141658.png}}
 
  * **Enter a unique profile name** (be aware that Redpeaks will check that the name is unique when saving the profile).
  * **Check the global actions that are going to be granted on monitoring Profiles (Create, Update, Delete)** 
    * Notice that this will allow or deny a user to change profiles monitors settings **globally**
    * Only Profiles that have not been assigned yet to a connector will be affected    
  * **Check/uncheck View change tracking**
    * This action will allow  or not a user to see all Redpeaks Changes tracking records
\\ 
==== Assigning Permission Profiles on Groups (Companies) and/or Tags to an Authorization Profile : ====
  * Redpeaks Administrators can assign multiple Permission Profiles to a single Authorization profile.
  * In the same operation, each Permission Profile can be applied to one or more Groups (Companies) and/or to one or more Tags.
  * In the example here below, Redpeaks Administrator will create an Authorization profile named "FullAccessOnCompanyAandCompanyBTagDev" and will assign to it the Permission profile named "FullAccess" previuosly created. 
  * This "FullAccess" Permission profile will be granted to all Systems of Company "CompanyA" and only to Systems tagged with Tag "DEV" belonging to "CompanyB"
    
{{.:..:..:userguide:administration:pasted:20190305-142430.png}}

  * Click on "Assign"
  * In the same line, three dropdown lists will be displayed : Permission profile, Group (Company) and Tag. A button "Add" is also displayed
  * In the example above illustrated :
    * Select Permission profile "fullAccess"
    * Select Group "CompanyA"
    * Select NO Tags
    * Click on "Add" (the corresponding row will be now displayed on the screen)
    * Select Permission profile "fullAccess"
    * Select Group "CompanyB"
    * Select Tag "DEV"
    * Click on "Add" (the corresponding row will be now displayed on the screen)
    * Click on Save
    * **ATTENTION : If you are creating the Authorization profile and at the same time assigning Permission profiles remember to
    *  click on Save to save all assignations 
      * and then to click on Save to save  data entered for the creation of the Authorization profile itself** 

\\ 
==== Establishing permission priorities within the same Authorization profile: ====
  * Redpeaks gives Administrators the possibility to establish priorities concerning the order on which all permissions will apply to ProMonitor elements (Systems, Connectors, etc) 
  * To modify permission priorities, edit the Authorization Profile and use the arrows of each assignation (see image below) 

{{.:..:..:userguide:administration:pasted:20190305-144409.png}}

\\ 
===== 3 - Assigning Authorization Profiles to Redpeaks users : =====  
  * Administrator have the possibility to assign one or more Authorization Profiles to a ProMonitor user.
  * To access Redpeaks Users management : Administrator Settings -> Users and Authorizations -> Users  
  * Click on the Edit icon corresponding to the User you want to modify
  * Select one Authorization Profile
  * Add, Save 

{{.:..:..:userguide:administration:pasted:20190305-152817.png}}


\\ 
===== 4 - Practical examples =====
**Find here below some examples illustrated step by step :**
  * **[[.:..:..:userguide:administration:authorizations:example1| Granting read-only rights on only one company ]]**\\ 
  * **[[.:..:..:userguide:administration:authorizations:example2| Allowing full access on two companies]]**\\ 
  * **[[.:..:..:userguide:administration:authorizations:example3| Granting read-only rights on two companies and create/update on another company]]**\\ 
  * **[[.:..:..:userguide:administration:authorizations:example4| Different access types depending on companies and system tags]]**\\