Skip to content

Understanding Case Access Control

Access modes

Access to cases is by default roleBased, meaning that users with rolebased access to the customer and service of the case, has access to it. There are different roles for read and write access, and a separate role for "tech users", generally meaning users representing the service provider.

A case can be given restricted access mode, meaning that access to customer users are explicit, and not role-based. Tech users will still have normal access to the case. This use case is for cases which are handled by the service provider as normal, but which are sensitive for the customer.

The explicit access mode means that only users/user groups which are on the explicit access list have access to the case. This also applies to tech users.

Note

System administrators may still access the case without explicit access.

The explicit access list may also extend normal role based access, by giving explicit users/user groups access to a case, which do not have role based access to the case at all.

Access levels

For each individual case, a user may be granted one of the following access levels, depending on role-based and/or explicit access settings:

  • Read privileges - permits fetching all case details
  • Write privileges - Read privileges - updating case priority, status, reference, category, assignedUser - adding comments - adding/removing tags, links and attachments.
  • Owner privileges - Write privileges - changing access mode - granting/revoking access - changing the reporter of a case (implicit owner) - changing subject and description on the case - changing watcher settings for other users

This table maps out which users get these roles:

Access Mode Read Access Write Access Owner Access
roleBased Case reporter
Users with service read role
All ACL members		 Case reporter
Users with service write role
ACL members with accesslevel write		 Case reporter
Administrators
writeRestricted Case reporter
Users with service read role
All ACL members		 Case reporter
Users with service tech role
ACL members with accesslevel write		 Case reporter
Administrators
readRestricted Case reporter
Users with service tech role
All ACL members		 Case reporter
Users with service tech role
ACL members with accesslevel write		 Case reporter
Administrators
explicit Case reporter
All ACL members		 Case reporter
Users with service tech role
ACL members with accesslevel write		 Case reporter
Administrators

Access roles

In addition to access levels, there are also a set of access roles: user, tech and admin.

User role
All users with read and/or write access to a case, assume the "user" role.
Tech role

Users with the role "tech" have additional privileges, which ordinary users do not:

  • update restricted fields
  • view or create internal comments
  • update case workflows
  • create an "unpublished" case, which are not visible to non-tech users
  • publish an "unpublished" case
  • change watcher settings for other users.
  • delete comments and see deleted objects

Any change to the case also requires access level "write". A tech user with only "read" access level, can only view additional information.

Admin role
Users with the admin role have additional privileges, which users and techs do not - assume "owner" role for the case, allowing override of case access settings and explicit access grants. - users with "admin" role always have full write access level (implied by "owner"), as well as "tech" role.

Determining access level and role

To see which access level the current user has on a particular case, each case contains a field currentUserAccess:

1
2
3
4
5
6
{
  "currentUserAccess": {
    "level": "write",
    "role": "user"
  }
}
  • The field level may return read, write or owner. Write implies read. Owner implies both read and write. - If the user has no read access, the case will not be returned from the API
  • The field role may return user, tech or admin. Tech implies user. Admin implies both tech and user.

Changing case access mode

Note

Changing the access mode requires access level owner.

To change the access mode of a case, use the access PUT endpoint:

1
2
3
curl -X PUT -H "Argus-API-Key: my/api/key" -H "Content-Type: application/json"  https://api.mnemonic.no/cases/v2/case/123456/access -d '{
  "accessMode": "readRestricted"
}'

Granting case access

Note

Granting case access requires access level owner.

To grant access to a case for a user or user group, POST to the access endpoint with the subjectID of the user or group. The level parameter will determine the level of access granted to that user or group.

1
2
3
4
curl -X POST -H "Argus-API-Key: my/api/key" -H "Content-Type: application/json"  https://api.mnemonic.no/cases/v2/case/123456/access -d '{
  "subjectID": <userID>,
  "level": "read"
}'

List case access

Depending on the case accessMode, different users have role-based access to the case, according to the table above. Use the Get case endpoint to see the accessMode of a case.

Explicit access granted to single users or user groups can be listed using the access endpoint:

1
curl -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/cases/v2/case/123456/access

Revoking case access

Note

Revoking case access requires access level owner.

To revoke access from a user on the case ACL, use the DELETE access endpoint with the ID of the ACL entry to delete:

1
curl -X DELETE -H "Argus-API-Key: my/api/key" https://api.mnemonic.no/cases/v2/case/123456/access/c2134bd3-9d88-4d6c-a395-d8d2241b4cbd

Warning

Users with role based access to a case cannot be explicitly revoked. To limit users with role based access from accessing a case, you need to change to a stricter accessMode on the case.