Authorization

This section details how to configure the permissions granted to an account, either directly or through a configured role.

Prerequisites

According to the context, you might need to set up:

How to add an authorization manually or from a certificate

1. Log in to Horizon Administration Interface.

2. Access Authorizations from the drawer or card: Security  Access Management  Authorizations.

3. Click on Grant authorization.

4. Click on Add Authorization Manually

5. Fill the mandatory fields.

  • Either:

    • Fill in an Identifier* (string input or import):
      Enter a meaningful identifier. It can be either a local account identifier or an OpenID Connect identifier (usually email address).

    • Import a certificate by clicking on certificate button Grant authorization.

  • Contact email (string input):
    Enter the contact email for the account.

6. Click on add button.

How to add an authorization from a search

1. Log in to Horizon Administration Interface.

2. Access Authorizations from the drawer or card: Security  Access Management  Authorizations.

3. Click on Grant authorization.

4. Click on Search and Add Authorization

5. Fill one of the fields.

  • Identifier* (string input):
    Enter the identifier of the account to look for.

  • Email* (string input):
    Enter the email of the account to look for.

6. Click on search button.

7. Choose the identifier you want to add.

8. Click on add button.

You can update Edit Authorization or delete Delete Authorization Authorization.

How to grant a permission

1. Click on Grant authorization.

Role

2. Select a role previously created (if needed).

Team

3. Select a team previously created (if needed).

Configuration

You can build here a configuration permission. The permission follows the pattern: Section / Module / Right.

4. Click on add button.

5. Select a section, then a module, then a submodule if there is, and a right.

6. Click on add button (Don’t forget to save).

7. Click on the save button if you are done.

Lifecycle

You can build here a lifecycle permission. The permission follows the pattern: Module / Profile / Right. You can further restrict the permission by adding a filter from the "Horizon Permission Query Language".

4. Click on add button.

5. Select a module, then a profile, and a right.

6. Click on add button. (don’t forget to save).

7. Click on the save button if you are done.

Horizon requests lifecycle:

Schema 1

HPQL

The Horizon Permission Query Language allows you to restrict lifecycle permissions on labels and team.

The following keywords are available:

Name

Value

x equals y

true if x 's value equals y

x contains y

true if x 's value contains y

x in y

true if x 's value is contained in y (array)

x matches y

true if x 's value matches y (regex)

x within y

true if x 's value matches a value in y (regex array)

These can be combined with the following keywords:

Name

Value

x and y

true if x and y are true

x or y

true if x or y are true

x not expression y

true if x expression y is false
Examples

To filter on the myLabel label:

label.myLabel equals "labelValue"
    => myLabel: label = false
    => myLabel: labelValue =  true
label.myLabel contains "label"
    => myLabel: label = true
    => myLabel: labelValue =  true
label.myLabel within [ "\d+", "other\d?Value" ]
    => myLabel: 12345 = true
    => myLabel: otherValue =  true

To filter on the team:

team matches "team[A-Z]"
    => team: teamA = true
    => team: bestTeam =  false
team in ["teamA", "teamB"]
    => team: teamA = true
    => team: bestTeam =  false

Discovery

You can build here a discovery permission. The permission follows the pattern: Module / Discovery campaign name / Right.

4. Click on add button.

5. Select a module, then a campaign, and a right.

6. Click on add button. (don’t forget to save)

7. Click on the save button if you are done.