Permission can be divided into two parts: namely (i) static permissions and (ii) dynamic restrictions.
(i) Static permissions are permissions that are loaded once the user logs into the system and are next applied on each REST call that user makes on ISS/CPQ.
(ii) Dynamic restrictions are on the granted permissions. So, for example if a user has a DeleteQuotePermission he or she can be restricted in performing this operation by using a restriction. Which is evaluated at run time.
Static permission can be defined on Role level. Restrictions (Restriction Rules) can be defined either on a User level or on User Role level. Each restriction is defined on a specific permission. Each condition has business type on which the restriction will work. For 1608 release the supported business types for restrictions are Quote and Sales Item.
For 1811 release, all available permissions are defined in Application-schema as follows:
- Create Permission (CREATEPERMISSION)
- Create Quote Permission (CREATEQUOTEPERMISSION)
- Create Sales Item Permission (CREATELINEITEMPERMISSION)
- Create Account Permission (CREATEACCOUNTPERMISSION)
- Create Opportunity Permission (CREATEOPPORTUNITYPERMISSION)
- Update Permission (UPDATEPERMISSION)
- Update Quote Permission (UPDATEQUOTEPERMISSION)
- Update Quote Status Permission (UPDATEQUOTESTATUSPERMISSION)
- Update Sales Item Permission (UPDATELINEITEMPERMISSION)
- Update Account Permission (UPDATEACCOUNTPERMISSION)
- Update Opportunity Permission (UPDATEOPPORTUNITYPERMISSION)
- Read Permission (READPERMISSION)
- Delete Permission (DELETEPERMISSION)
- Delete Quote Permission (DELETEQUOTEPERMISSION)
- Delete Sales Item Permission (DELETELINEITEMPERMISSION)
- Delete Account Permission (DELETEACCOUNTPERMISSION)
- Delete Opportunity Permission (DELETEOPPORTUNITYPERMISSION)
- Flint Permission (FLINTPERMISSION)
- Admin Permission (ADMINPERMISSION)
- All Permission (ALLPERMISSION)
If a user gets a Higher-level permission E.g. CREATEPERMISSION --Level 2, he/she gets the permission to Create: Account, Quote etc., however if he possesses only (Level 1 permissions) E.g.CREATELINEITEMPERMISSION he/she can only create that object and not objects such as Account or Quote.
Permissions are checked in each REST/Service call. However, restrictions are evaluated for Specific Operations only. For 1608 release these being:
- Quote deletion
- Quote update
- Quote status update (workflow/approval actions)
- Sales Item
- Sales Item deletion
The restriction concept can further be applied in other cases and need be with prior requirement analysis.
For example: Based on one or more dynamic attribute value another dynamic attribute value can be assigned, or another dynamic attribute can be made hidden or read only.
Similarly using a recommendation trigger, one can suggest to user additional products can be sold as up/cross selling potential.