Access Limitation
This section describes the different mechanisms available to limit and customize user access within the Centiloc platform.
These mechanisms allow administrators to:
- Restrict access to specific data (based on labels)
- Control which features are visible in web applications (enrolui, dataui)
All configurations are performed using group attributes in Keycloak.
As described in Limit User Access, it is possible to restrict which data a user can access based on labels.
The principle is simple:
- A group can define an attribute:
  - key: labels
  - value: a label filter expression
- Users belonging to this group will only see objects matching this label filter
This applies to all objects carrying labels, including:
- items
- boards
- products
- (soon) boxes and other resources
The simplest usage is to define a single label value.
Example:
labels = "site::paris"
This configuration means that the user will only see objects containing the label site::paris.
This syntax is equivalent to a “contains” query.
A simple value like foo::bar is interpreted as “contains foo::bar”.
For more advanced use cases, the labels attribute supports logical expressions.
This allows combining multiple conditions using logical operators.
| Symbol | Meaning |
|---|---|
| & | AND |
| \| | OR |
| ! | NOT |
Parentheses ( and ) can be used to group expressions.
Double quotes " are used to define label boundaries.
Anchors (^ and $) define how a label should match:
| Syntax | Meaning |
|---|---|
| "foo" | contains foo |
| ^"foo" | starts with foo |
| "foo"$ | ends with foo |
| ^"foo"$ | exactly foo |
Example:
(^"site::cholet" | ^"site::nantes"$) & !"secret"
This expression means:
- starts with site::cholet
- OR is exactly site::nantes
- AND does not contain secret
Syntax rules:
- labels must be quoted when used with operators
- ^ must be placed immediately before a quoted label
- $ must be placed immediately after a quoted label
- labels cannot contain "
The filtering logic is identical to the one used in Items filters.
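The following is an added example, not Centiloc's own code, that turns the labels attribute syntax described above into a small parser and evaluator: it checks the syntax rules (quoted labels next to operators, ^ and $ placement, no " inside a label), applies the "simple value means contains" rule, and computes which of a set of constructed sample objects a group member would see. Two things the page does not state are assumed here: operator precedence (! binds tighter than &, which binds tighter than |, with parentheses overriding) and that a term matches an object when any one of its labels satisfies it. The platform's real parser may differ on such details, so treat this as a way to sanity-check a group's labels value before saving it in Keycloak, not as the reference behaviour.

```python
import re
# Constructed example (not Centiloc's own code): parse and evaluate the "labels" group
# attribute syntax described above. Nodes: ('TERM', text, starts, ends), ('NOT', x),
# ('AND', x, y), ('OR', x, y).
TOKEN_RE = re.compile(r'\s*(?:(?P<op>[&|!()])|(?P<start>\^)?"(?P<text>[^"]+)"(?P<end>\$)?)')

class FilterSyntaxError(ValueError):
    pass

def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:  # unquoted label beside an operator, misplaced ^ or $, or a " inside a label
            raise FilterSyntaxError(f'bad syntax at position {pos}: {expr[pos:]!r}')
        pos = m.end()
        if m.group('op'):
            tokens.append((m.group('op'),))
        else:
            tokens.append(('TERM', m.group('text'), bool(m.group('start')), bool(m.group('end'))))
    return tokens

def parse(tokens):
    """Recursive descent; assumed precedence (not stated on the page): ! over & over |."""
    pos = [0]  # cursor shared by the nested parsers
    def peek():
        return tokens[pos[0]][0] if pos[0] < len(tokens) else None
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def chain(op, kind, operand):  # left-associative: a op b op c
        node = operand()
        while peek() == op:
            take()
            node = (kind, node, operand())
        return node
    def parse_or():
        return chain('|', 'OR', lambda: chain('&', 'AND', parse_not))
    def parse_not():
        if peek() == '!':
            take()
            return ('NOT', parse_not())
        if peek() == '(':
            take()
            node = parse_or()
            if peek() != ')':
                raise FilterSyntaxError('missing closing parenthesis')
            take()
            return node
        if peek() == 'TERM':
            return take()
        raise FilterSyntaxError('expected a quoted label or "("')
    tree = parse_or()
    if pos[0] != len(tokens):
        raise FilterSyntaxError('unexpected token after end of expression')
    return tree

def compile_filter(expr):
    expr = expr.strip()
    if not expr:
        raise FilterSyntaxError('empty labels attribute')
    if not set('&|!()^$"') & set(expr):      # simple value, e.g. site::paris ...
        return ('TERM', expr, False, False)  # ... is interpreted as "contains site::paris"
    return parse(tokenize(expr))

def term_matches(text, starts, ends, label):
    """^"foo"$ exactly, ^"foo" starts with, "foo"$ ends with, "foo" contains."""
    if starts and ends:
        return label == text
    return label.startswith(text) if starts else label.endswith(text) if ends else text in label

def evaluate(node, labels):
    """Assumption: a term matches an object when ANY of its labels satisfies it."""
    kind = node[0]
    if kind == 'TERM':
        return any(term_matches(*node[1:], label) for label in labels)
    if kind == 'NOT':
        return not evaluate(node[1], labels)
    left, right = evaluate(node[1], labels), evaluate(node[2], labels)
    return (left and right) if kind == 'AND' else (left or right)

def syntax_error(expr):
    """Lint helper: None when a labels value is well-formed, else the rule it breaks."""
    try:
        compile_filter(expr)
    except FilterSyntaxError as e:
        return str(e)

def visible_objects(expr, objects):
    tree = compile_filter(expr)
    return [name for name, labels in objects.items() if evaluate(tree, labels)]

SAMPLE_ITEMS = {  # constructed sample objects (items, boards, ...) and their labels
    "item-1": ["site::cholet-west", "kind::board"],
    "item-2": ["site::nantes", "secret"],
    "item-3": ["site::nantes"],
    "item-4": ["site::paris"],
    "item-5": ["site::nantes-south"],
}
```

Running `visible_objects('(^"site::cholet" | ^"site::nantes"$) & !"secret"', SAMPLE_ITEMS)` returns item-1 and item-3 only: item-2 carries the secret label, item-4 is at another site, and item-5 fails the exact match that the $ anchor on site::nantes demands. `syntax_error('"secret" & site::paris')` reports the unquoted label, which is the kind of mistake a reviewer wants to catch before the group attribute is saved.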
In addition to data filtering, it is possible to hide specific features in web applications.
This is done using dedicated group attributes:
- enrolui.hide
- dataui.hide
These attributes control the visibility of tiles (features) in the UI.
The attribute enrolui.hide allows hiding specific tiles in enrolui.
Available values:
| Value | Hidden Feature(s) |
|---|---|
| product | Product tile |
| dpp | DPP tile |
| build | Furniture, Shelf and Location tiles |
| enrol | Enrolment / Configure UID tile |
The attribute dataui.hide allows hiding specific tiles in dataui.
Available values:
| Value | Hidden Feature |
|---|---|
| inventory | Inventory tile |
| product | Production tile |
| tracking | Tracking page |
| map | Geomap page |
You can hide multiple features by separating values with a semicolon (;).
enrolui.hide = "product;dpp;build"
dataui.hide = "tracking;map"
With this configuration:
- In enrolui, the user will only see: Configure UID (enrolment)
- In dataui, the user will only see: Inventory, Production
All other tiles will be hidden.
This mechanism is designed to simplify user experience and limit access to features.
However, it is not a security boundary on its own. It should always be combined with proper role and data access configuration.
Recommendations:
- Use groups to manage access, not individual users
- Combine:
  - label filtering (data-level restriction)
  - UI hiding (feature-level restriction)
- Keep configurations simple and explicit
- Avoid complex nested group configurations when using labels