Nexeed
    • Introduction
    • User manual
      • General Descriptions
        • Fine-Grained Access Control
      • Ticket Management
        • Filter options
        • Ticket details
        • Ticket Archiving
        • Ticket Anonymization
      • Maintenance Status Widget
    • API documentation
Ticket Management
  • Industrial Application System
  • Core Services
    • Block Management
    • Deviation Processor
    • ID Builder
    • Multitenant Access Control
    • Notification Service
    • Ticket Management
    • Web Portal
  • Shopfloor Management
    • Andon Live
    • Global Production Overview
    • KPI Reporting
    • Operational Routines
    • Shift Book
    • Shopfloor Management Administration
  • Product & Quality
    • Product Setup Management
    • Part Traceability
    • Process Quality
    • Setup Specs
  • Execution
    • Line Control
    • Material Management
    • Order Management
    • Packaging Control
    • Rework Control
  • Intralogistics
    • AGV Control Center
    • Stock Management
    • Transport Management
  • Machine & Equipment
    • Condition Monitoring
    • Device Portal
    • Maintenance Management
    • Tool Management
  • Enterprise & Shopfloor Integration
    • Archiving Bridge
    • Data Publisher
    • Direct Data Link
    • Engineering UI
    • ERP Connectivity
    • Gateway
    • Information Router
    • Master Data Management
    • Orchestrator

Nexeed Learning Portal
  • Ticket Management
  • User manual
  • General Descriptions
  • Fine-Grained Access Control

Fine-Grained Access Control

The integration of the fine-grained access control list (ACL) enables fine-grained permission control of accessing tickets related to different facility levels.

Dynamic Resources for Facilities

By default, dynamic resources are automatically registered by Ticket Management for the Production Area facility level in Multitenant Access Control module. It can also be configured to have fine-grained access based on any other levels, e.g. on Production Area and Production Line facility levels. For each facility of the configured facility levels, two resources will be registered, one for "Own Tickets" and one for "Other Tickets".

The term Own Tickets means

  • either the ticket is assigned to the user

  • or the ticket is unassigned, having a resolving group, to which the user belongs

  • or the ticket is escalated to an escalation group, to which the user belongs

The term Other Tickets means

  • either the ticket is assigned to another user

  • or the ticket is unassigned, having a resolving group, to which the user does not belong to

  • or the ticket is escalated to an escalation group, to which the user does not belong to

Example

tm_resource_acl_default

In this example, 12 resources are registered in the Multitenant Access Control module:

  • Own Tickets and Other Tickets related with area Fe2.1

  • Own Tickets and Other Tickets related with area Fe2.2

  • Own Tickets and Other Tickets related with line Fe2.1

  • Own Tickets and Other Tickets related with line Fe2.2

  • Own Tickets and Other Tickets related with line Fe2.3 (including sub-facilities like Station Fe2.1, Fe2.2, Fe2.3)

  • Own Tickets and Other Tickets related with line Fe2.4 (including sub-facility Station Fe2.4)

When a facility ( e.g. Production Area) is added/delete/changed in Master Data Management, dynamic resources related with this facility are registered/deleted/updated automatically by Ticket Management in Multitenant Access Control.

The access permissions are not inherited within the configured facility levels. For facility levels for which no fine-grained access control is required, access permissions are inherited from the lowest facility level configured for fine-grained access.

In the example above, that means no inheritance of permission from the Production Areas to the Production Lines within. For the Stations the permissions are inherited from the Production Lines.

Create organization role

Organization roles have to be manually created in the Multitenant Access Control module and assigned to users or user groups for fine-grained access control on tickets related to the configured facility levels.

Prerequisites

  • Permission to create facility in Master Data Management

  • Permission to create organization roles in Multitenant Access Control

Procedure

  1. Add facility ( Add Equipment ) e.g. Area A

    Dynamic resources for controlling access to tickets related to this facility are created automatically: Dynamic Resources for Facilities

  2. Create an organizational role ( Adding a Role ), e.g. Area A Admin

    • Assign the privileges (create, read, edit) on the resources Area A — Own tickets and Area A — Other tickets

  3. Assign the organizational role Area A Admin to a user or group ( Assigning a User to a Role ).

The user with role Area A Admin can read, create and modify any tickets related to Area A, no matter whether they are Own Tickets or Other Tickets

Example of organization roles to grant the fine-grained access control

The example is intended to show how fine-grained ACL-based authorization can be configured in Ticket management. The organizational roles shown must be created manually: Create role for facility.

Area A User

  • Authorizations: Create, read, edit privilege on Area A — Own tickets

  • Rights of Area A User :

    • Can only create, read and work on Own tickets which are connected to Area A or its subordinate facilities

      • Can upload, download and delete attachments to those tickets

    • Cannot create, read or modify tickets with facilities which are not connected to Area A

    • Cannot create, read or modify tickets connected to Area A, but are Other tickets

    • Cannot create, read or modify tickets without facility

Area A Admin

  • Authorizations: Create, read, edit privilege on Area A — Own tickets and Area A — Other tickets

  • Rights of Area A admin :

    • Can create, read and work on tickets which are connected to Area A or its subordinate facilities, no matter whether those are Own tickets or Other tickets

      • Can upload, download and delete attachments to those tickets

    • Cannot create, read or modify tickets with facilities which are not connected to Area A

    • Cannot create, read or modify tickets without facility

Area A Expert

  • Authorizations: Create, read, edit privilege on Area A — Own tickets

  • Authorizations: Create, read privilege on Area A — Other tickets

  • Rights of Area A Expert :

    • Can create, read and work on Own tickets which are connected to Area A or its subordinate facilities

      • Can upload, download and delete attachments to those Own tickets

    • Can only create and read Other tickets which are connected to Area A or its subordinate facilities, but not modify them

      • Can only download attachments to those Other tickets, but not upload or delete them

    • Cannot create, read or modify tickets with facilities which are not connected to Area A

    • Cannot create, read or modify tickets without facility

Area A, B, C Admin

  • Authorizations: Create, read, edit privilege on Area A — Own tickets

  • Authorizations: Create, read, edit privilege on Area A — Other tickets

  • Authorizations: Create, read, edit privilege on Area B — Own tickets

  • Authorizations: Create, read, edit privilege on Area B — Other tickets

  • Authorizations: Create, read, edit privilege on Area C — Own tickets

  • Authorizations: Create, read, edit privilege on Area C — Other tickets

  • Rights of Area A, B, C Admin :

    • Can create, read and work on tickets which are connected to Area A, B and C or their subordinate facilities, no matter whether those are Own tickets or Other tickets

      • Can upload, download and delete attachments to those tickets

    • Cannot create, read or modify tickets with facilities which are not connected to Area A, B or C

    • Cannot create, read or modify tickets without facility

Area A Admin, B User & C Expert

  • Authorizations: Create, read, edit privilege on Area A — Own tickets

  • Authorizations: Create, read, edit privilege on Area A — Other tickets

  • Authorizations: Create, read, edit privilege on Area B — Own tickets

  • Authorizations: Create, read, edit privilege on Area C — Own tickets

  • Authorizations: Create, read privilege on Area C — Other tickets

  • Rights of Area A Admin, B User & C Expert :

    • Can create, read and work on tickets which are connected to Area A or their subordinate facilities, no matter whether those are Own tickets or Other tickets

      • Can upload, download and delete attachments to those tickets

    • Can create, read and work on Own tickets which are connected to Area B or their subordinate facilities

      • Can upload, download and delete attachments to those tickets

    • Cannot create, read or work on Other tickets which are connected to Area B or their subordinate facilities

    • Can create, read and work on Own tickets which are connected to Area C or their subordinate facilities

      • Can upload, download and delete attachments to those tickets

    • Can create and read Other tickets which are connected to Area C or their subordinate facilities, but not edit them

      • Can download attachments of those tickets, but not upload or download attachments from/to them

    • Cannot create, read or modify tickets with facilities which are not connected to Area A, B or C

    • Cannot create, read or modify tickets without facility

Contents

© Robert Bosch Manufacturing Solutions GmbH 2023-2025, all rights reserved

Changelog Corporate information Legal notice Data protection notice Third party licenses