User Profile Permissions

I have 3 levels of permissions in my app:

- Admin
- Facilities Leadership Team (Management)
- User

Each person has a manager assigned. In each person’s user profile, I want to do the following:

- Only allow the user to open the full user profile detail that includes all active projects, tasks and issues assigned to them.
- Only allow the user and their assigned manager to see a page called “My 1:1”, which is agenda items for a meeting that occurs between the user and their manager. I want the manager to be able to add agenda items and view the agenda as well as the user, but that is it.

How do I create these permissions? Is it in a microflow? If so, what would that microflow look like?

The entity I have set up around all users is User Profile, and the attribute I’m trying to use in the microflow is “username”, so if current user = username or current user = user manager username then allow them to see it. But I don’t know how to actually write that XPath, microflow, etc., or if that’s even how I should be doing it.
1 answer

To make sure a user can access the data for the 1:1, for example, I would create the 1:1 as an object associated with the user object. Then use entity access XPath constraints on the 1:1 object for the user like:

[<the association to the user> = currentuser]

This will allow only the role user to view that information based on the XPath and the read/write settings.

For the manager, the user would be related to a manager, which in turn is a user. You could set up the XPath for the 1:1 object access rule like:

[<associated to the user>/user/<association to the manager> = currentuser]

In this case, if the user has the manager role, he will only be allowed to access the data for the users that he is a manager for.

Be aware that the XPath constraints above are pseudocode, but using the options in the entity access XPath tab (path to user) will make it clear what the real XPath should be. By using XPath in the access rules you’ll make sure that in any situation the data is only available to the specific user role. See for more details on access rules and XPath.
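As an added illustration (not part of the answer above), here is what the two pseudocode constraints look like as concrete Mendix access-rule XPath. It assumes a module named MyModule, an entity OneOnOne for the 1:1 agenda, a UserProfile entity that specializes System.User (so it can be compared with the current user), an association OneOnOne_UserProfile from the agenda to its owner, and a self-association UserProfile_Manager from a profile to its manager. All of these names are assumptions; the `'[%CurrentUser%]'` token is the standard Mendix XPath token for the logged-in user.

```xpath
(: Access rule on MyModule.OneOnOne for the module role "User":
   only the agenda whose owner is the logged-in user is readable/writable.
   Names are assumed; only [%CurrentUser%] is a built-in token. :)
[MyModule.OneOnOne_UserProfile = '[%CurrentUser%]']

(: Access rule on MyModule.OneOnOne for the module role "Manager":
   follow owner -> UserProfile -> Manager and require that the manager
   is the logged-in user. Grant read on the agenda plus create/write on
   agenda items; grant nothing else, so the manager sees only their
   own reports' 1:1 pages. :)
[MyModule.OneOnOne_UserProfile/MyModule.UserProfile/MyModule.UserProfile_Manager = '[%CurrentUser%]']
```

Both rules live in the entity's Access rules tab, not in a microflow: the platform applies them to every retrieve and data view for that role, so a page that lists 1:1 agendas will simply show nothing for anyone who is neither the owner nor the owner's manager. Keep the "User" rule and the "Manager" rule as separate access rules assigned to separate module roles; a single user who holds both roles gets the union of the two constraints, which is the intended behaviour.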