Skip to main content

Access Management

This page explains the controls that VIKTOR has to manage access to data and logic. These are divided in three categories: environment, workspace and app. The difference between workspaces and apps is explained here.

Environment access

Access to the environment can be setup in two ways:

  • login with username and password
  • Single Sign-On (for more info see this page)

Environment rights

Each user has two access attributes that determine the role they have. The possible combinations, together with their name are listed below. The matrix with their permissions is shown below.

Access levelDeveloper accessRole
UserInternal user
UserInternal developer*
AdminAdmin user
AdminAdmin developer*
External userExternal user
External userExternal developer*

* Developer access is an addition on top of normal user access

external userexternal developerinternal userinternal developeradmin useradmin developer
invite users to organizationnnnnyy
edit users on organizationnnnnyy
remove usersnnnnyy
create workspacennnnyy
edit workspacennnnyy
archive workspacennnnyy
manage users in workspaceif workspace adminif workspace adminif workspace adminif workspace adminyy
access private workspacewhen invitedwhen invitedwhen invitedwhen invitedyy
access internal workspacennyyyy
access public workspaceyyyyyy
list and modify workersnnnnyy
see appsnynyyy
create appnynyyy
publish app versionnif maintainernif maintainerny

Besides rights on the environment, there are more granular controls on workspaces and apps.

Workspace access

Access to the workspace is managed by setting the visibility of the workspace:

  • private: invited users see the workspace and have access
  • internal: everyone inside the company (excluding external users) can see and access the workspace
  • public: everyone can access the workspace using the URL (also people not logged in)

Workspace rights

By default users have "Read - All" rights if they can access the workspace, but more detailed rights can be configured by defining usergroups. The possibible permissions per object type are:

categorydetailexplanation
ReadNavigateMinimum (navigation) access, excluding summary info and excluding editor access
ReadBasicMakes an object and its summary information accessible to a user, not including the editor
ReadAllGives access to all object information including the editor
WriteCreateAllows the user to create an object
WriteUpdateAllows the user to update an object
WriteRenameAllows the user to rename an object
DeleteAllows the user to delete an object

Workspace admin

The administration of a workspace can be delegated to a specified "Workspace admin", which is assigned from the users on the workspace.

This workspace admin can:

  • invite users (in the case of private workspace)
  • set access levels for the users
  • assign other workspace admins

App accesss

Apps are not accessed by users, users access workspaces (see this explanation). The apps only contain the logic, without data and no users.

Only developers (internal, external, admin) and admin users can see the apps and create them. Developers are automatically assigned as the first maintainer on the app.

App rights

Only app maintainers can publish new versions of an app. They are treated as being allowed to have access to the code. This means that error reports (with tracebacks containing code) are available to them.

App maintainers are not allowed to create workspaces. They can use their development workspace when developing, but need explicit access to relevant workspaces to get access to production data.