Background Permissions Management

Key Components

Permission CRC Tracking

The system now maintains a checksum (CRC) value representing the current state of all permission configurations:

  • Permission sets
  • Role assignments
  • Proxy user configurations

When any of these components change, the CRC value changes, indicating that record permissions may need to be updated.

Automatic Permission Updates

Records now track their permission state with a PermissionsCRC property that is updated whenever:

  • File order is updated
  • Record fields are updated
  • Tasks are updated
  • A permission refresh is performed

New API Endpoints

The system provides two new API endpoints for permission management:

1. Refresh All Records Permissions

POST /api/permissions/refresh
Content-Type: application/json

{
  "force": false
}

  • force: true - Refreshes all records regardless of current state
  • force: false - Only refreshes records with stale permissions

2. Refresh Single Record Permissions

POST /api/permissions/refresh/{recordId}

  • This endpoint always forces a refresh for the specified record

Background Jobs

Two new background jobs have been implemented:

  1. Daily Permissions Check (BackgroundRefreshAllPermissions)
       • Runs on a schedule defined in the app configuration
       • Queues a message to refresh stale record permissions

  2. Permission Refresh Processor (RefreshRecordsPermissions)
       • Processes messages from the queue
       • Updates permissions for records as needed

Configuration

Queue Setup

The system uses a queue named refreshpermissions for managing permission refresh tasks. This queue is created automatically if it doesn't exist.

Schedule Configuration

Configure the background job schedule in your application settings:

{
  "BackgroundRefreshAllPermissionsSchedule": "0 0 2 * * *"  // Runs daily at 2:00 AM
}

Troubleshooting

Monitoring Permission Refresh Jobs

Check the function logs for entries related to:

  • BackgroundRefreshAllPermissions
  • RefreshRecordsPermissions

Handling Failed Refreshes

If permissions are not updating correctly:

  1. Force a refresh for a specific record:

    POST /api/permissions/refresh/{recordId}
    

  2. Examine logs for specific errors related to that record

  3. Check if the record's PermissionsCRC field is getting updated after the refresh

Technical Details

How the CRC is Generated

The permissions state CRC combines timestamps from:

  • The proxy user list's last modified date
  • The most recent permission set update
  • The most recent role assignment update

Permission Refresh Logic

  1. The system determines if permissions are stale by comparing a record's PermissionsCRC value with the current system CRC
  2. For stale records, permissions are recalculated and applied
  3. The record's PermissionsCRC is updated to reflect the current state
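
The staleness check and refresh described above, sketched in Python as an added example (not the product's own code). The CRC-32 over UTC ISO timestamps, the Record class and the apply callback are assumptions; the page itself names only PermissionsCRC and the three timestamp sources.

```python
import zlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, List, Optional, Tuple

def permissions_state_crc(proxy_users_modified: datetime,
                          last_permission_set_update: datetime,
                          last_role_assignment_update: datetime) -> int:
    """Fold the three timestamps into one checksum (CRC-32 is an assumption)."""
    parts = (proxy_users_modified, last_permission_set_update, last_role_assignment_update)
    # Timestamps must be timezone-aware; normalise to UTC so one instant gives one CRC.
    canonical = "|".join(p.astimezone(timezone.utc).isoformat() for p in parts)
    return zlib.crc32(canonical.encode("utf-8"))

@dataclass
class Record:  # hypothetical stand-in for a stored record
    record_id: str
    permissions_crc: Optional[int] = None  # None: permissions never refreshed

def is_stale(record: Record, current_crc: int) -> bool:
    return record.permissions_crc != current_crc

def refresh_permissions(records: Iterable[Record], current_crc: int,
                        apply: Callable[[Record], None],
                        force: bool = False) -> Tuple[List[str], List[str]]:
    """Return (refreshed ids, failed ids); force=True ignores the stale check."""
    refreshed, failed = [], []
    for record in records:
        if not (force or is_stale(record, current_crc)):
            continue
        try:
            apply(record)  # recalculate and apply the record's permissions
        except Exception:
            failed.append(record.record_id)  # CRC untouched: still stale, retried later
            continue
        record.permissions_crc = current_crc  # stamp only after a successful apply
        refreshed.append(record.record_id)
    return refreshed, failed

if __name__ == "__main__":
    # Constructed sample data: a role assignment changes one hour after the last refresh.
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)
    before = permissions_state_crc(t0, t0, t0)
    current = permissions_state_crc(t0, t0, t0 + timedelta(hours=1))
    records = [Record("rec-1", current), Record("rec-2", before), Record("rec-3")]
    print(refresh_permissions(records, current, apply=lambda r: None))
```

Stamping the CRC only after a successful apply keeps a failed record visibly stale, so a revoked role or permission set is never recorded as applied when it was not.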

Best Practices

  1. Regular Maintenance: Allow the daily background job to maintain permissions
  2. Configuration Changes: After updating roles, permission sets, or proxy configurations, consider forcing a refresh
  3. Performance Management: Schedule bulk permission refreshes during low-usage periods
  4. Auditing: Review function logs periodically to ensure permissions are being maintained correctly