Change in Role Assignment Logic to Competence-Based Assignment
The primary reason for shifting from role-based assignment to competence-based assignment in Team assistant (TAS) is that roles in TAS are often generated automatically. Assigning these roles manually by an administrator, whether in TAS or Microsoft Active Directory (MS AD), is inefficient. Using competences significantly reduces administrator intervention in role visibility assignments and standardizes permission allocation for users in identical job positions.
Competence-Based Logic
The competence system is structured around "role groups," which are categorized under a specific competence. A role group can be defined either statically or dynamically using regular expressions. Ideally, each standard user is assigned a single competence, which configures all visibility, access, and other necessary permissions.
Competence-based assignment does not restrict exceptions where specific users require additional roles. The system retains records of how roles were assigned, ensuring that manually assigned roles remain even if competence-based roles are removed. If a role is manually assigned and is also part of a competence group, it will persist after the competence is revoked.
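A minimal model of the provenance rule described above, added here as an illustration and not taken from TAS: each role records why a user holds it, so revoking a competence removes only the roles that have no other source. The role names, the competence key, the user name and the RoleStore class are all constructed for this example.

```javascript
// Added illustration, not TAS code: every name and sample role below is constructed.
const ROLES = ['XXX_PO_Create', 'XXX_Contract_Create', 'XXX_CC001_Invoices', 'XXX_CC001_Approver3'];

// A competence holds role groups; each group is static (array) or dynamic (RegExp).
const COMPETENCES = new Map([
  ['XXX-GC-CC001-MG', [
    ['XXX_PO_Create', 'XXX_Contract_Create'], // static role group
    /^XXX_CC001_/,                            // dynamic role group
  ]],
]);

function resolveRoles(competence, allRoles = ROLES) {
  const groups = COMPETENCES.get(competence);
  if (!groups) throw new Error(`unknown competence: ${competence}`);
  const out = new Set();
  for (const g of groups) {
    const matched = g instanceof RegExp ? allRoles.filter((r) => g.test(r)) : g;
    matched.forEach((r) => out.add(r));
  }
  return out;
}

class RoleStore {
  constructor() { this.grants = new Map(); } // user -> Map(role -> Set of sources)
  _add(user, role, source) {
    if (!this.grants.has(user)) this.grants.set(user, new Map());
    const roles = this.grants.get(user);
    if (!roles.has(role)) roles.set(role, new Set());
    roles.get(role).add(source);
  }
  assignManual(user, role) { this._add(user, role, 'manual'); }
  assignCompetence(user, competence) {
    for (const role of resolveRoles(competence)) this._add(user, role, `competence:${competence}`);
  }
  revokeCompetence(user, competence) {
    const roles = this.grants.get(user) || new Map();
    for (const [role, sources] of roles) {
      sources.delete(`competence:${competence}`);
      if (sources.size === 0) roles.delete(role); // no remaining source: drop the role
    }
  }
  rolesOf(user) { return [...(this.grants.get(user) || new Map()).keys()].sort(); }
  // Roles held only through a manual grant: the exceptions an access review should check.
  manualOnly(user) {
    const roles = this.grants.get(user) || new Map();
    return [...roles].filter(([, s]) => s.size === 1 && s.has('manual')).map(([r]) => r).sort();
  }
}
```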
MS AD Synchronization
TAS allows synchronization with MS AD based on "Competence Rules." This feature is particularly useful in holding structures, where simple rules can automate competence generation from MS AD rules. If a competence is found in MS AD with syntax matching TAS rules, a corresponding set of competences is generated, which governs role assignment.
Example Usage
Scenario: Samantha Allen works at company XXX as the head of the Logistics department (Cost Center 001).
Assigned competence in MS AD:
TAS Users - XXX - GC - Cost Center 001 (MG)
- TAS Users: Standard prefix for department groups in MS AD
- XXX: Company abbreviation (numeric or alphabetic, not necessarily matching TAS role abbreviations)
- GC: General competence identifier
- Cost Center 001: Department identifier
- (MG): Manager designation
Permissions granted by this single competence assignment:
- Ability to create purchase orders for company XXX
- Ability to create public/private contracts for company XXX
- Visibility into all overviews for company XXX
- Visibility into all purchase order cases for company XXX and Cost Center 001
- Visibility into all invoice cases for company XXX and Cost Center 001
- Visibility into all public and private contracts for company XXX and Cost Center 001
- Approval authority for purchase orders at Level 3 (or Level 4 if divisional directors are used)
- Approval authority for contracts at company XXX and Cost Center 001
- Capability to be a contract guarantor for company XXX
Steps for Transitioning from Roles to Competences
- Client: Provide Neit with a list of all roles used in MS AD.
- Neit: Analyze role usage and transform them into competences.
- Neit: Create competence rules in TAS.
- Neit: Modify current TAS production synchronization to ignore groups following the TAS Users - ??? - GC - * pattern.
- Client: Create competence groups in MS AD.
- Client: Assign competences to individual users.
- Neit: Move competence-based approval templates to TAS TEST.
- Neit/Client: Test user synchronization in the TEST environment.
- Client: Verify assigned permissions in the TEST environment.
- Client: Inform users about changes in permission assignments and the likelihood of modifications to their current permissions.
- Neit: Backup user-role assignment and approval tables in TAS PROD.
- Neit: Disable the previous user synchronization process.
- Neit: Move competence-based approval templates to TAS PROD.
- Client: Remove old groups from users in MS AD.
- Neit/Client: Execute synchronization in TAS PROD.
- Neit/Client: Validate assigned roles/competences in TAS PROD.
- Neit/Client: Maintain increased monitoring for 5-10 business days for any competence adjustments.
Pre-Implementation Requirements
- TAS must be updated to version 4.11 or higher.
- The CompetenceGeneratorCron.js script must be used.
Regular Expression Filtering for Competences
Competence filtering is possible via database regex. Examples:
- %%: Displays all roles
- %a%a%: Assigns all roles
- %e%t%[0-9]: Matches roles containing 'e' and 't' and ending in a digit
Competences defined via regex are generated daily, and users are automatically assigned matching roles upon cron execution.
Administrator Access
The $Administrator role has access to all competences.
Updated by Anna Gernát