Skip to content

User groups and Permissions

VOR Stream provides administrators with the ability to create user groups to represent specific user roles.

Administrators can create user groups, configure group permissions and assign users to groups using the VOR Workbench Administration UI.

Navigate to the VOR Workbench and log in using your chosen auth provider.

Once authenticated, Staff users will see a link to the Administration UI on the bottom of the navigation bar.

Administration Screen Location - Light Theme Administration Screen Location - Dark Theme

Info

Only "staff" users may access the Administration UI. In some cases, certain auth provider groups may be bound to the staff role. If no user possesses the "staff" role, see Creating a Staff Account for instructions on creating one via the CLI. Administration Staff Status - Light Theme Administration Staff Status - Dark Theme

Creating User Groups

User groups may represent a specific role or a business unit.

Users can belong to multiple groups.

To create a new user group, click the "Add group" button in the Groups section:

Administration Add Group - Light Theme Administration Add Group - Dark Theme

This opens the group creation form:

Administration Edit Group - Light Theme Administration Edit Group - Dark Theme

  1. Enter a name for your new group. This name will be displayed on the UI for the users as well as on the CLI.
  2. Add permissions to the group by double-clicking them in the "Available Permissions" box. Once double-clicked, the permission will move from "Available Permissions" to "Chosen Permissions"
  3. Once you have selected all the required permissions, press the save button.

Tip

You can filter the available permissions using the search bar. Press CTRL+A to select all the filtered results and then press the right arrow in between the two boxes to easily add all permissions related to a specific risk object

Warning

The default VOR-prefixed user groups that come packaged with VOR Stream will be overridden (reset to defaults) when VOR Stream is upgraded to a newer version. If you wish to persist your user groups, please pick a unique name.

Assigning a Group to a Playpen

When a playpen is created, you must assign a group to it. Users who belong to the selected group will be granted access to this playpen on the VOR Workbench.

After running vor create playpen <playpen_path>, you will be prompted to select a group.

create_playpen_group_prompt.png

You can use the arrow keys to navigate the list, and press enter to continue.

You can update the group assignment on existing playpens by typing:

vor update playpen <playpen_path> --group <group_name>

Assigning Users to Groups

Users may be assigned to any number of groups. Users may only access playpens that are assigned a group they belong to.

To change a user's group assignments, navigate to the "Users" section on the VOR Workbench Administration Screen

Administration Change User - Light Theme Administration Change User - Dark Theme

Choose a user from the list by clicking their name.

Administration Add User to Group - Light Theme Administration Add User to Group - Dark Theme

You will notice there are a few options related to permissions.

  • The Active flag indicates whether the user is allowed to log in to the VOR Workbench. When a user no longer requires access to the application, uncheck this box.
  • The Staff Status flag, mentioned above, dictates whether a user can access the Administration Screen.
  • The Superuser Status flag overrides all group assignments, and grants the user all available permissions.

Below this box, you will notice the area where you can add users to groups.

Select groups from the "Available Groups" section and double click to add the user to the selected group.

Once you are done, scroll to the bottom of the page and press "Save"

Important

There is a section where users may be granted individual permissions. The assignments in this section will not be used on the VOR Workbench. This section can be ignored on typical implementations.

If changes are made to a user's permissions while they are logged in to the VOR Workbench, they will need to log out and log in again for the changes to propagate.

Creating Playpen Sub-Groups

In some cases, multiple groups may be required inside one playpen, or a user may require different levels of access in different playpens.

To achieve this, follow the steps outlined below very carefully.

  1. Create a parent group. This group will be assigned to the playpen on the CLI during creation. This group should not have any permissions assigned to it; it simply serves as a placeholder.
  2. Create your playpen, and assign it the group you have just created.
  3. Navigate back to the VOR Administration Screen, create any number of subgroups following this naming convention <parent_group_name>: <subgroup name>. These groups should contain permissions assignments to reflect the role of the subgroup
  4. Assign users to the subgroups, ensure that each user has the intended permissions within the selected playpen, and their permissions in other playpens work as expected.

The final product should resemble the "Example" groups shown in the figure below:

Administration Subgroups - Light Theme Administration Subgroups - Dark Theme

In this example, the "Report User" group only has access to view run results, and the "Superuser" group has permission to use all of the screens.

User Permissions Reference

Each permission name follows a specific schema.

<app name> | <risk object name> | <capability>

Each risk object has CRUD permissions associated with it.

  • Can add <object> The user may create new instances of this object.
  • Can change <object> The user may edit existing instances of this object.
  • Can delete <object> The user may delete existing instances of this object.
  • Can view <object> The user may view existing instances of this object.

Each module (screen) in the VOR Workbench has a permission that grants the user access to it.

  • Access to <module name> The user may navigate to that module on the VOR Workbench.

The chart below outlines what specific object-level permissions are required for the various functions on the VOR Workbench. The following groupings represent two main types of users for each module.

A user who may only view objects on that module, and a user who is responsible for creating, updating and deleting objects.

Quick Reference

Category Module Access Permission Description
Studies Access to Run Study Run studies, view results, waterways
Uploads Access to Uploads Upload scenarios and factors
Models Access to Model Reservoir Manage models and scripts
Frameworks Access to Frameworks Configure frameworks
Methodologies Access to Methodologies Configure methodologies
Filters Access to Filters Manage filters
Data Management Access to Data Management Dashboard Queue management
Configuration Access to Configuration System configuration
Administration Can view the Django administration page Access Django Administration UI (staff only)

Required Permissions

  • The following permissions should be granted to all users.
frg_vor | playpen config | Can view playpen config
frg_vor | patch note | Can view patch note
frg_vor | comment | Can view comment
frg_vor | user | Can view user
frg_vor | user playpen | Can view user playpen
frg_vor | user prefs | Can view user prefs
frg_vor | user prefs | Can add user prefs
frg_vor | user prefs | Can change user prefs
help | on screen help | Can view on screen help
help | risk object help | Can view risk object help
auth | group | Can view group
auth | permission | Can view permission
  • Access to the Django Administration UI (staff users only)
frg_vor | user | Can view the Django administration page

Note

The access_administration permission controls visibility of the Administration link in the navigation bar. Users must also have "Staff status" enabled to access the Administration UI.

  • Access Run Study module
run_study | stream run dim | Access to Run Study
run_study | stream run dim | Access to Results
run_study | stream run dim | Access to Study Status
run_study | stream run dim | Access to Waterways
run_study | stream run dim | Access run study filters
  • Ability to Run Studies and view Run History on Waterways
run_study | stream run dim | Can add stream run dim
run_study | stream run dim | Can change stream run dim
run_study | run log | Can add run log
run_study | run log | Can change run log
run_study | run log | Can delete run log
run_study | run log | Can view run log
study | study | Can view study
study | stream opt set | Can view stream opt set
study | scenario set x scenario | Can view scenario set x scenario
study | scenario set | Can view scenario set
upload | upload | Can view upload
upload | upload type | Can view upload type
configuration | group | Can view group
filter | filter | Can view filter
filter | filter type | Can view filter type
  • View and Run Reports
run_study | stream run dim | Access run study reports
run_study | report types | Can view report types
run_study | report run | Can view report run
run_study | report run | Can add report run
run_study | report run | Can change report run
  • Golden Copy
run_study | stream run dim | Can mark runs as Golden Copy
run_study | stream run dim | Can unmark runs as Golden Copy
  • Download Run Outputs
run_study | stream run dim | Can download run outputs
  • Display Run Study Sipping Option
run_study | stream run dim | Display run study sipping option
  • Add Tags (Tags can be used to filter and group run results.)
frg_vor | tag | Can add tag
frg_vor | tag | Can change tag
frg_vor | tag | Can delete tag
frg_vor | tag | Can view tag
  • Access Build Study module
study | study | Access to Studies
  • View Studies
study | historical scenario set | Can view historical scenario set
study | historical study | Can view historical study
study | scenario set | Can view scenario set
study | scenario set x scenario | Can view scenario set x scenario
study | stream opt set | Can view stream opt set
study | study | Access to Study Archive
study | study | Can view study
scenario | scenario | Can view scenario
methodology | methodology | Can view methodology
  • Create, Edit and Delete Studies
study | historical scenario set | Can add historical scenario set
study | historical scenario set | Can change historical scenario set
study | historical scenario set | Can delete historical scenario set
study | historical scenario set | Can view historical scenario set
study | historical study | Can add historical study
study | historical study | Can change historical study
study | historical study | Can delete historical study
study | historical study | Can view historical study
study | scenario set | Can add scenario set
study | scenario set | Can change scenario set
study | scenario set | Can delete scenario set
study | scenario set | Can view scenario set
study | scenario set x scenario | Can add scenario set x scenario
study | scenario set x scenario | Can change scenario set x scenario
study | scenario set x scenario | Can delete scenario set x scenario
study | scenario set x scenario | Can view scenario set x scenario
study | stream opt set | Can add stream opt set
study | stream opt set | Can change stream opt set
study | stream opt set | Can delete stream opt set
study | stream opt set | Can view stream opt set
study | study | Access to Studies
study | study | Can add study
study | study | Can change study
study | study | Can delete study
study | study | Access to Study Archive
study | study | Can view study
scenario | scenario | Can view scenario
methodology | methodology | Can view methodology
  • Access View Scenarios module and view graphs.
scenario | scenario | Access to Scenario
scenario | scenario | Can view scenario
scenario | factor set | Can view factor set
factors | factor | Can view factor
factors | currency | Can view currency
factors | FX rate | Can view FX rate
factors | volatility factor | Can view volatility factor
factors | transformed factor | Can view transformed factor
factors | transformation | Can view transformation
factors | expression | Can view expression
upload | upload | Can view upload
upload | upload type | Can view upload type
upload | upload type x playpen | Can view upload type x playpen
  • Access to Upload inventory module.
upload | upload | Access to Uploads
upload | upload | Can view upload
upload | upload type | Can view upload type
upload | upload type x playpen | Can view upload type x playpen
  • Ability to upload files and manage upload inventory.
upload | historical upload | Can add historical upload
upload | historical upload | Can change historical upload
upload | historical upload | Can delete historical upload
upload | historical upload | Can view historical upload
upload | upload | Access to Uploads
upload | upload | Can add upload
upload | upload | Can change upload
upload | upload | Can delete upload
upload | upload | Can view upload
upload | upload meta option | Can add upload meta option
upload | upload meta option | Can change upload meta option
upload | upload meta option | Can delete upload meta option
upload | upload meta option | Can view upload meta option
upload | upload meta option fact | Can add upload meta option fact
upload | upload meta option fact | Can change upload meta option fact
upload | upload meta option fact | Can delete upload meta option fact
upload | upload meta option fact | Can view upload meta option fact
upload | upload type | Can add upload type
upload | upload type | Can change upload type
upload | upload type | Can delete upload type
upload | upload type | Can view upload type
upload | upload type x playpen | Can add upload type x playpen
upload | upload type x playpen | Can change upload type x playpen
upload | upload type x playpen | Can delete upload type x playpen
upload | upload type x playpen | Can view upload type x playpen
factors | factor | Can add factor
factors | factor | Can change factor
factors | factor | Can delete factor
factors | factor | Can view factor
factors | currency | Can add currency
factors | currency | Can change currency
factors | currency | Can delete currency
factors | currency | Can view currency
factors | FX rate | Can add FX rate
factors | FX rate | Can change FX rate
factors | FX rate | Can delete FX rate
factors | FX rate | Can view FX rate
factors | volatility factor | Can add volatility factor
factors | volatility factor | Can change volatility factor
factors | volatility factor | Can delete volatility factor
factors | volatility factor | Can view volatility factor
factors | transformation | Can add transformation
factors | transformation | Can change transformation
factors | transformation | Can delete transformation
factors | transformation | Can view transformation
factors | transformed factor | Can add transformed factor
factors | transformed factor | Can change transformed factor
factors | transformed factor | Can delete transformed factor
factors | transformed factor | Can view transformed factor
factors | expression | Can add expression
factors | expression | Can change expression
factors | expression | Can delete expression
factors | expression | Can view expression
scenario | factor set | Can add factor set
scenario | factor set | Can change factor set
scenario | factor set | Can delete factor set
scenario | factor set | Can view factor set
scenario | factor set x factor | Can add factor set x factor
scenario | factor set x factor | Can change factor set x factor
scenario | factor set x factor | Can delete factor set x factor
scenario | factor set x factor | Can view factor set x factor
scenario | historical scenario | Can add historical scenario
scenario | historical scenario | Can change historical scenario
scenario | historical scenario | Can delete historical scenario
scenario | historical scenario | Can view historical scenario
scenario | scenario | Access to Scenario
scenario | scenario | Can add scenario
scenario | scenario | Can change scenario
scenario | scenario | Can delete scenario
scenario | scenario | Can view scenario
  • Ability to approve uploads
upload | upload | Can approve Uploads

Note

Admin/Manager function. Only if "Require Upload Approval" is enabled in the Playpen Configuration

  • Access Model Reservoir
model | model | Access to Model Reservoir
  • View Models
model | model | Can view model
model | parameter map | Can view parameter map
model | script | Can view script
model | script syntax | Can view script syntax
model | series | Can view series
model | type | Can view type
model | constant | Can view constant
model | structured model | Can view structured model
model | regression model | Can view regression model
model | regression table | Can view regression table
model | field reference | Can view field reference
model | factor reference | Can view factor reference
model | dictionary reference | Can view dictionary reference
model | local transformation | Can view local transformation
model | lookup field reference | Can view lookup field reference
model | lookup mapping | Can view lookup mapping
model | predictor | Can view predictor
model | numeric predictor | Can view numeric predictor
  • Create, Update and Delete Models
model | model | Can add model
model | model | Can change model
model | model | Can delete model
model | model | Can view model
model | parameter map | Can add parameter map
model | parameter map | Can change parameter map
model | parameter map | Can delete parameter map
model | parameter map | Can view parameter map
model | script | Can add script
model | script | Can change script
model | script | Can delete script
model | script | Can view script
model | script syntax | Can add script syntax
model | script syntax | Can change script syntax
model | script syntax | Can delete script syntax
model | script syntax | Can view script syntax
model | series | Can add series
model | series | Can change series
model | series | Can delete series
model | series | Can view series
model | type | Can add type
model | type | Can change type
model | type | Can delete type
model | type | Can view type
model | constant | Can add constant
model | constant | Can change constant
model | constant | Can delete constant
model | constant | Can view constant
model | historical constant | Can add historical constant
model | historical constant | Can change historical constant
model | historical constant | Can delete historical constant
model | historical constant | Can view historical constant
model | historical model | Can add historical model
model | historical model | Can change historical model
model | historical model | Can delete historical model
model | historical model | Can view historical model
model | historical parameter map | Can add historical parameter map
model | historical parameter map | Can change historical parameter map
model | historical parameter map | Can delete historical parameter map
model | historical parameter map | Can view historical parameter map
model | historical script | Can add historical script
model | historical script | Can change historical script
model | historical script | Can delete historical script
model | historical script | Can view historical script
model | historical series | Can add historical series
model | historical series | Can change historical series
model | historical series | Can delete historical series
model | historical series | Can view historical series
model | structured model | Can add structured model
model | structured model | Can change structured model
model | structured model | Can delete structured model
model | structured model | Can view structured model
model | regression model | Can add regression model
model | regression model | Can change regression model
model | regression model | Can delete regression model
model | regression model | Can view regression model
model | regression table | Can add regression table
model | regression table | Can change regression table
model | regression table | Can delete regression table
model | regression table | Can view regression table
model | field reference | Can add field reference
model | field reference | Can change field reference
model | field reference | Can delete field reference
model | field reference | Can view field reference
model | factor reference | Can add factor reference
model | factor reference | Can change factor reference
model | factor reference | Can delete factor reference
model | factor reference | Can view factor reference
model | dictionary reference | Can add dictionary reference
model | dictionary reference | Can change dictionary reference
model | dictionary reference | Can delete dictionary reference
model | dictionary reference | Can view dictionary reference
model | local transformation | Can add local transformation
model | local transformation | Can change local transformation
model | local transformation | Can delete local transformation
model | local transformation | Can view local transformation
model | lookup field reference | Can add lookup field reference
model | lookup field reference | Can change lookup field reference
model | lookup field reference | Can delete lookup field reference
model | lookup field reference | Can view lookup field reference
model | lookup mapping | Can add lookup mapping
model | lookup mapping | Can change lookup mapping
model | lookup mapping | Can delete lookup mapping
model | lookup mapping | Can view lookup mapping
model | predictor | Can add predictor
model | predictor | Can change predictor
model | predictor | Can delete predictor
model | predictor | Can view predictor
model | numeric predictor | Can add numeric predictor
model | numeric predictor | Can change numeric predictor
model | numeric predictor | Can delete numeric predictor
model | numeric predictor | Can view numeric predictor
  • Ability to Import and Export Models
model | model | Ability to export Models
model | model | Ability to import Models
  • Ability to run Model Unit Tests
run_study | model run | Can add model run
run_study | model run | Can change model run
run_study | model run | Can view model run
upload | upload | Can view upload
run_study | stream run dim | Can add stream run dim
run_study | stream run dim | Can change stream run dim
run_study | stream run dim | Can view stream run dim
  • Ability to access the Frameworks module.
framework | framework | Access to Frameworks
  • Ability to view Frameworks
framework | framework | Can view framework
framework | framework type | Can view framework type
framework | framework type x model type | Can view framework type x model type
framework | framework x model | Can view framework x model
model | model | Can view model
model | script | Can view script
filter | filter | Can view filter
filter | filter type | Can view filter type
  • Ability to create, edit and delete Frameworks
framework | framework | Access to Frameworks
framework | framework | Can add framework
framework | framework | Can change framework
framework | framework | Can delete framework
framework | framework | Can view framework
framework | framework type | Can add framework type
framework | framework type | Can change framework type
framework | framework type | Can delete framework type
framework | framework type | Can view framework type
framework | framework type x model type | Can add framework type x model type
framework | framework type x model type | Can change framework type x model type
framework | framework type x model type | Can delete framework type x model type
framework | framework type x model type | Can view framework type x model type
framework | framework x model | Can add framework x model
framework | framework x model | Can change framework x model
framework | framework x model | Can delete framework x model
framework | framework x model | Can view framework x model
model | model | Can view model
model | script | Can view script
filter | filter | Can view filter
filter | filter type | Can view filter type
  • Ability to access the Methodologies module.
methodology | methodology | Access to Methodologies
  • Ability to view Methodologies.
methodology | methodology | Can view methodology
methodology | methodology x framework | Can view methodology x framework
filter | filter | Can view filter
filter | filter type | Can view filter type
framework | framework | Can view framework
framework | framework type | Can view framework type
framework | framework type x model type | Can view framework type x model type
framework | framework x model | Can view framework x model
  • Ability to create, edit and update Methodologies
methodology | methodology | Can add methodology
methodology | methodology | Can change methodology
methodology | methodology | Can delete methodology
methodology | methodology | Can view methodology
methodology | methodology x framework | Can add methodology x framework
methodology | methodology x framework | Can change methodology x framework
methodology | methodology x framework | Can delete methodology x framework
methodology | methodology x framework | Can view methodology x framework
filter | filter | Can view filter
filter | filter type | Can view filter type
framework | framework | Can view framework
framework | framework type | Can view framework type
framework | framework type x model type | Can view framework type x model type
framework | framework x model | Can view framework x model
  • Ability to import and export Methodologies
methodology | methodology | Ability to export Methodologies
methodology | methodology | Ability to import methodologies

Important

Users must also have full Create, Read, Update and Delete permissions for Models, Filters, and Frameworks to import Methodologies as the import functionality is capable of creating and editing all the child objects.

  • Ability to access Filters module.
filter | filter | Access to Filters
  • Ability to view Filters.
filter | filter | Can view filter
filter | filter type | Can view filter type
  • Ability to create, edit and delete Filters.
filter | filter | Can add filter
filter | filter | Can change filter
filter | filter | Can delete filter
filter | filter | Access to Filter Archive
filter | filter | Can view filter
filter | filter type | Can add filter type
filter | filter type | Can change filter type
filter | filter type | Can delete filter type
filter | filter type | Can view filter type
  • Ability to access Data Management module.
risk_engine | tables | Access to Data Management Dashboard
  • Ability to view Tables
risk_engine | tables | Can view tables
risk_engine | dictionary | Can view dictionary
  • Ability to manage data structure
risk_engine | dictionary | Can add dictionary
risk_engine | dictionary | Can change dictionary
risk_engine | dictionary | Can delete dictionary
risk_engine | dictionary | Can view dictionary
risk_engine | tables | Can add tables
risk_engine | tables | Can change tables
risk_engine | tables | Can delete tables
risk_engine | tables | Can view tables
  • Ability to access Configuration module.
configuration | playpen active group | Access to Configuration
  • Ability to view Configuration Groups
configuration | group | Can view group
configuration | playpen active group | Can view playpen active group
configuration | table | Can view table
  • Ability to create, edit and delete Configuration Groups
configuration | group | Can add group
configuration | group | Can change group
configuration | group | Can delete group
configuration | group | Ability to export configuration groups
configuration | group | Ability to import configuration groups
configuration | group | Can view group
configuration | playpen active group | Can add playpen active group
configuration | playpen active group | Can change playpen active group
configuration | playpen active group | Can delete playpen active group
configuration | playpen active group | Can view playpen active group
configuration | table | Can add table
configuration | table | Can change table
configuration | table | Can delete table
configuration | table | Can view table