`

Competences

This document provides an overview of the Competences feature in TAS. It explains what competences are, how they work, and how to configure them. It also serves as a handbook for local administrators and support specialists, enabling them to manage competences independently without vendor assistance.

The primary goal of competences is to simplify and operationalize the maintenance of user authorizations. This feature ensures that authorizations are managed from a single source of truth, which in this case is the Active Directory (AD).

Overview

Team Assistant is a business process management tool that handles financial and back-office processes. Managing user rights and authorizations in such a system can be complex. Traditionally, user roles are assigned directly, but large-scale processes require a vast number of roles, making maintenance challenging.

Why Use Competences?

  • Competences group multiple roles into a single logical entity, making it easier to assign and manage access.
  • Unlike roles, competences reflect business roles (e.g., Accountant, CEO, CFO) rather than technical functions.
  • Competences do not replace roles; they coexist, offering a more structured way to manage permissions.
  • The system tracks the source of role assignments, visible in the administrator GUI.
  • Competences can be manually assigned or synchronized with Active Directory, reducing manual maintenance efforts.

Architecture

Competences in TAS can be linked to Active Directory (AD) groups, allowing automated role assignments based on AD group membership. The diagram below illustrates this architecture:

Configuration

Active Directory Interface Configuration

For competences purposes, already existing interface with AD is used

To enable competences from AD:

  1. Navigate to https://domain.com/administration/authentication.
  2. Set the attribute “useCompetenceRules” to true.
  3. Configure “adUserMiddleware” to allow programmatic modifications before matching AD data with competences.
  4. The processed data is then evaluated using Competence Rules.

Rules Configuration

Competence rules act as a middleware between AD and competences. When the AD interface script runs, it:

  • Compares user groups with competence rules.
  • If a match is found, it either creates a new competence or adds the user to an existing competence.
Key Features of Competence Rules
  • Competence rules are located at https://domain.com/roles/competence-rules.
  • The most important field is the Regular Expression field, which defines the matching pattern for AD groups.
  • Using regular expressions simplifies competence creation and maintenance.
  • One competence rule can generate multiple competences (e.g., a CEO rule can create CEO competences for multiple entities).
  • Competence rules can also assign roles dynamically using regular expressions.
Example: Regular Expression-Based Competence Assignment
  • The expression "$1" represents an entity abbreviation (e.g., TAS Users - BDC ALL Users).
  • Regular expressions are optional but highly beneficial.
  • Competence rules are executed daily via the AdSyncCron.js job.
Competence rule can use regexes A(.) and its matches (A$1). The rule can be validated by "use" button. It will create that competence. So you can test AD group names before setting up AD connection.

Managing Competences

Competences are accessible at https://domain.com/roles/competences.

Competences from Competence Rules
  • Cannot be manually modified; changes must be made via the corresponding Competence Rule.
  • Displayed in read-only mode.
  • Show assigned users and roles.
  • If roles were assigned dynamically using regex, they are listed under the Regular Expressions tab.
Manually Created Competences
  • Users and roles must be assigned manually.
  • Roles can be assigned statically or dynamically using regex.
  • Recommended when no IAM tool is integrated.
  • Managed via the CompetenceGeneratorCron.js (can be found under Administration > Crons) job, executed daily.

Tips & Best Practices

Managing competences can be complex at first. Here are some useful tips:

  • Verify authentication settings:
  • Leverage Regular Expressions:
    • They simplify competence and role assignments.
    • Test your expressions using tools like https://regex101.com/.
  • Review Competences & Roles in GUI:
    • Tabs for Roles, Competences, and Competence Rules are available in the Roles GUI.
    • Check assigned roles in competences, even when regex is used.
  • Classic Role Assignment is Still Possible:
    • If needed, roles can still be assigned manually.
  • User GUI Enhancements:
    • Tabs added under /users/user for easy competence and role management.
    • /users/user/{user_id}/roles displays the source of role assignments.
    • /users/user/{user_id}/competences shows assigned competences.
    • The “Detail” button redirects to specific roles or competences for troubleshooting.
    • Competences can be modified or deleted via the Status section in the GUI.

Change in Role Assignment Logic to Competence-Based Assignment

Learn more here

Anna Gernát Updated by Anna Gernát

Change in Role Assignment Logic to Competence-Based Assignment

Contact

Syca (opens in a new tab)

Powered by HelpDocs (opens in a new tab)