Version: Next

Permissions

Permissions for Pimcore Copilot are defined on two levels:

  • User permissions for defining general access to Copilot features.
  • Action permissions for defining availability of configured automation and interaction actions to users.

User Permissions

The following permissions have been added to users/roles under Permissions Bundles:

Pimcore Copilot Bundle - Pimcore Copilot

Controls the visibility of the Pimcore Copilot for specific users and roles. By default, the permission is disabled.

Pimcore Copilot Bundle - Job Run Overview

Controls the visibility of the Pimcore Copilot Job Run Overview for specific users and roles. By default, the permission is disabled.

Pimcore Copilot Bundle - See All Job Runs

If this permission is enabled, the user/role can see all entries regardless of the owner of the job in the Job Run Overview. By default, the permission is disabled.

Pimcore Copilot Bundle - Pimcore Copilot Configuration

Controls the visibility of the Pimcore Copilot Configuration for specific users and roles. Additionally, this permission grants the user/role the right to execute all actions. By default, the permission is disabled.

Action Permissions

Automation and interaction actions can be configured to be available for specific users or roles. This can be done via the optional action_permissions section in each configuration.

If the node is not present, the action is available for admin users and users with Pimcore Copilot Configuration permission only.

You have to configure the name of the user or role and the permissions granted to that name. The available permissions are defined in the ActionPermissionTypes enum.

Example configuration for action based permissions in Admin Backend UI

You can define permissions for the action based on roles and users. Without permissions, the action is available for admin users only.

You can use the Add button to add new roles or users respectively and define the permissions for them.

info

Please note, as soon as you add a user or role it is not possible to save the configuration without assigning at least one of the permissions by activating the corresponding checkbox.

Example configuration for action based permissions in configuration files

1.) Allow action to be executed for a specific user or role

pimcore_copilot:
    automation_actions:
        step_implementation_mapping:
            asset_relation_object_name:
                class: 'Pimcore\Bundle\CopilotBundle\AutomationAction\Messenger\Messages\Generic\GenericAssetObjectRelationByNameMessage'
        actions:
            asset_relation_object_name:
                action_permissions:
                    - name: 'Patrick' #username or role name
                      permissions: #permission based on ActionPermissionTypes enum
                        - !php/enum Pimcore\Bundle\CopilotBundle\ActionPermissions\ActionPermissionTypes::EXECUTE

2.) Restrict action to be executed for a specific user or role

pimcore_copilot:
    automation_actions:
        step_implementation_mapping:
            asset_relation_object_name:
                class: 'Pimcore\Bundle\CopilotBundle\AutomationAction\Messenger\Messages\Generic\GenericAssetObjectRelationByNameMessage'
        actions:
            asset_relation_object_name:
                action_permissions:
                    - name: 'Patrick' #username or role name
                      permissions: #permission based on ActionPermissionTypes enum
                        - !php/enum Pimcore\Bundle\CopilotBundle\ActionPermissions\ActionPermissionTypes::NONE
...

3.) Allow action to be executed for a specific user or role and restrict it for another user or role

pimcore_copilot:
    automation_actions:
        step_implementation_mapping:
            asset_relation_object_name:
                class: 'Pimcore\Bundle\CopilotBundle\AutomationAction\Messenger\Messages\Generic\GenericAssetObjectRelationByNameMessage'
        actions:
            asset_relation_object_name:
                action_permissions:
                    - name: 'Patrick' #username or role name
                      permissions: #permission based on ActionPermissionTypes enum
                        - !php/enum Pimcore\Bundle\CopilotBundle\ActionPermissions\ActionPermissionTypes::NONE
                    - name: 'AccessToCoPilotRole' #username or role name
                      permissions: #permission based on ActionPermissionTypes enum
                        - !php/enum Pimcore\Bundle\CopilotBundle\ActionPermissions\ActionPermissionTypes::EXECUTE
...

caution

As soon as a user has access to an action, the user is allowed to do whatever that action does, even if the user has no direct permissions for the affected data elements.

The actions contain no integrated additional permission check at data element level. If such a check is necessary, it might need to be handled in custom action step and interaction type implementations.
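
An added example (not part of the Pimcore documentation or the bundle's code): a line-oriented Python scan, written for the configuration layout shown above rather than as a general YAML parser, that lists which users and roles hold EXECUTE per action so those grants can be reviewed against the caution above. `SAMPLE`, the `report_export` action and its `action_label` key are constructed for illustration.

```python
import re

# Constructed sample in the layout shown on this page; 'report_export' is a hypothetical action.
SAMPLE = r"""
pimcore_copilot:
    automation_actions:
        actions:
            asset_relation_object_name:
                action_permissions:
                    - name: 'Patrick' #username or role name
                      permissions:
                        - !php/enum Pimcore\Bundle\CopilotBundle\ActionPermissions\ActionPermissionTypes::NONE
                    - name: 'AccessToCoPilotRole'
                      permissions:
                        - !php/enum Pimcore\Bundle\CopilotBundle\ActionPermissions\ActionPermissionTypes::EXECUTE
            report_export:
                action_label: 'no action_permissions node here'
"""

KEY = re.compile(r"^\s*([\w.-]+):\s*(?:#.*)?$")
NAME = re.compile(r"^\s*-\s*name:\s*['\"]?([^'\"#]+?)['\"]?\s*(?:#.*)?$")
ENUM = re.compile(r"!php/enum\s+\S*ActionPermissionTypes::(\w+)")

def grants(text):
    """Map each action under an `actions:` key to {user_or_role: {permission names}}."""
    found, block, level, action, who = {}, None, None, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent, key = len(line) - len(line.lstrip()), KEY.match(line)
        if block is not None and indent <= block:
            block = level = action = who = None      # left the actions: block
        if block is None:
            block = indent if key and key.group(1) == "actions" else None
            continue
        level = indent if level is None else level   # first child sets the action level
        if key and indent == level:
            action, who = key.group(1), None
            found[action] = {}
        elif action and (m := NAME.match(line)):
            who = m.group(1)
            found[action][who] = set()
        elif who and (m := ENUM.search(line)):
            found[action][who].add(m.group(1))
    return found

def executors(text):
    """Per action: names granted EXECUTE, i.e. able to run it with no element-level check."""
    return {a: sorted(n for n, p in g.items() if "EXECUTE" in p) for a, g in grants(text).items()}
```

An empty list from `executors()` means the file grants EXECUTE on that action to no named user or role, which leaves it to admin users and holders of the Pimcore Copilot Configuration permission as described above.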