Flows Use Case - Complex Permission Management

Created on 2023/02/13, Flows

Our client, Dekra, is a leading provider of inspection, certification, and claims management services to the automotive, transport and industrial sectors. They collaborate with an extensive network of agents to gather inspection and certification data.

The client came to us looking to implement their pre-existing (and quite complex) OpenID Connect directory permission model within Pydio Cells. The shared data is composed of a huge number of folders that all share the same subfolder layout. Users are granted access to these subfolders using role-based permissions.

As a starting point, we were looking to reduce the amount of email and admin work being generated. But we also wanted to streamline time-consuming workflows, and our existing infrastructure couldn’t bridge the gap between our internal systems and the systems our partners and their clients use. Pydio Cells addressed this challenge for us and has gone on to help accelerate customer service and improve productivity.

Nicolas Bauchet - Manager, Digital Solutions and Innovation, Dekra 

Main Challenges

  • Interpret the “encoded” entitlements from the client directory and translate them into Pydio-readable permissions for specific data paths

  • Apply these permissions for each user to allow access to specific folders and subfolders 

Flow Map

[Image: Dekra job diagram]

Implementation

1 - Decode “Entitlement” to Create an Authorized Path

At login time, the OIDC provider sends back a User with a list of entitlements that encode specific data in a format like GROUP_CodeSite_Year_Role. Each part represents a level in the folder tree, either directly (Year 2022 => folder ../2022/…) or indirectly (CodeSite refers to an external list associating Codes => Site Names). The Flow needed to account for five different types of variable in its encoding.

Scripting capabilities

Using an “Anko” action, we used pseudo-Go code to read all of the user's roles and apply various string splits and transformations.

[Image: Dekra Anko script]

Injecting additional data for CodeSites

As explained above, the Flow required an external set of data to translate a “CodeSite” into a proper Site Name (and folder name). For that, we simply store this list as a JSON-encoded file in Pydio Cells (in a protected Cell), and let the Flow load its content and pass it as JSON input to the Anko action.

 

[Image: Dekra load JSON file]

 

With that, and the precise client requirements for implementing the decoding rules, we had the tools to decode the input.
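
The decoding step described above, as an added Go example (not the Anko script used in the Flow): it splits each entitlement, resolves the CodeSite through the JSON list, and rejects anything malformed or unknown so that a bad claim grants nothing. The site list, role names, rights strings and the /GROUP/Site/Year folder layout are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample data; the real CodeSite file and role names are not on the page.
const sitesJSON = `{"S01": "Paris-Nord", "S02": "Lyon"}`
var roleRights = map[string]string{"READER": "r", "EDITOR": "rw"} // hypothetical roles
var yearRe, nameRe = regexp.MustCompile(`^20[0-9]{2}$`), regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9 .-]*$`)
type Grant struct{ Path, Rights string }

// decode maps one GROUP_CodeSite_Year_Role entitlement to a folder grant; it fails closed.
func decode(ent string, sites map[string]string) (Grant, error) {
	p := strings.Split(ent, "_")
	if len(p) != 4 {
		return Grant{}, fmt.Errorf("%q: want 4 parts, got %d", ent, len(p))
	}
	site, okSite := sites[p[1]]
	rights, okRole := roleRights[p[3]]
	safe := nameRe.MatchString(p[0]) && nameRe.MatchString(site) // single folder names, no "/"
	if !okSite || !okRole || !safe || !yearRe.MatchString(p[2]) {
		return Grant{}, fmt.Errorf("%q: unknown CodeSite/role, bad year or unsafe name", ent)
	}
	return Grant{Path: "/" + p[0] + "/" + site + "/" + p[2], Rights: rights}, nil // assumed layout
}

// decodeAll returns the grants plus the rejected entitlements for audit logging.
func decodeAll(ents []string, rawSites string) (grants []Grant, rejected []string, err error) {
	var sites map[string]string
	if err = json.Unmarshal([]byte(rawSites), &sites); err != nil {
		return nil, ents, err // no readable site list: grant nothing
	}
	for _, e := range ents {
		if g, derr := decode(e, sites); derr == nil {
			grants = append(grants, g)
		} else {
			rejected = append(rejected, e)
		}
	}
	return grants, rejected, nil
}

func main() {
	fmt.Println(decodeAll([]string{"INSPECT_S01_2022_READER", "INSPECT_S99_2022_EDITOR"}, sitesJSON))
}
```

Logging the rejected entitlements gives admins a way to spot directory entries that no longer map to a folder.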

2 - Apply Dynamic User Permissions

Once we had the tool to “understand” the OIDC entitlements, we needed to decide how to apply permissions to grant access. 

There were multiple possible approaches to this challenge. The typical solution is to create workspaces (that point to a specific location) and grant access to them on the fly. But in this case, that approach would lead to the creation of a vast number of workspaces for each user. Instead, we chose to create on-the-fly security policies that “filter” the visible/editable contents of a single, shared workspace, and assign these policies dynamically to each user.

The security policies are created directly inside the Anko script, which also assigns the ACLs to users; a separate action then saves them.

[Image: Dekra save ACLs]

Impact

As a result, when users log in to the platform, their permissions are dynamically assigned, and refreshed if there are changes to the directory, providing admins with fully centralized permission management while keeping data access fully secure. This allows our client to integrate Pydio Cells into their core workflows to accelerate sharing and collaboration on key documents.

Put Flows to Work for You

This article focuses on several features of the Flow being described but it is not a how-to. If you’d like to learn more, contact one of our Flows experts.

Need to Balance Ease-of-Use with Security? Pydio Cells Can Help.

If your organization is serious about secure document sharing and collaboration you need to check out Pydio Cells. Cells was developed specifically to help enterprises balance the need to collaborate effectively with the need to keep data secure.

With robust admin controls, advanced automation capabilities, and a seamless, intuitive end-user experience, Pydio is the right choice for organizations looking to balance performance and security without compromising on either. Try Cells live for yourself, or talk to a Pydio document sharing specialist.