How to find an account with exact the same user roles?

When delegating a task I want to show the user a dropdown list with all the users who have the exact same roles as the current user. Because delegating a task to a user with a different set of roles could lead to all sorts of security problems. I now achieve this is by creating complex multiple lists and doing list operations. But this really slows the filling of the dropdown list. Is there an easy way to achieve this that I am overlooking? Regards, Ronald
5 answers

Option 1 - xPath on reference selector

You want to select all users which don't have a userrole that don't belong to the grantable roles of the currentuser. And that's possible by XPath (not tested):

not(System.UserRoles/System.UserRole[not(System.grantableRoles[reversed()]/System.UserRole/System.UserRoles = '[%CurrentUser%]')])]

That's probably the behavior you want. The problem with "selecting user with the exact same roles" is that a Manager can't select a Employee. By using grantable roles a Manager can select user with the roles [Manager] or [Manager, Employee] or just [Employee].

Make sure you set the grantable roles correctly in the project security and then this should work.

Option 2 - datasource microflow

You can also add just one attribute: "amountOfRoles" and set it before commit with a count of the userroles. Then use this on the Account retrieve:

[not(System.UserRoles/System.UserRole[not(System.UserRoles = '[%CurrentUser%]')])][amountOfRoles = $account/amountOfRoles]

Note that I use $account and not $currentUser. So retrieve Account from database where id = $currentUser.


Another approach - I have attached a picture of a microflow that may do the trick.

Click here to see the image


Similar to Herbert's 2nd solution I used the following xpath in a retrieve action from Account:

[id!=$Account] [System.UserRoles/System.UserRole[System.UserRoles=$Account]] [not(System.UserRoles/System.UserRole[not(System.UserRoles=$Account)])]

And then in the microflow loop over the resulting AccountList to remove Accounts with a different number of UserRoles. Herbert's storing of this amount could help performance by including it in the xpath.

Off course this asumes users with exact the same role list.


Unfortunately you can't edit the System module, so for my suggestion to work you would need to create a 'shadow' entity for the UserRole in your own module...

If you add an integer field to UserRole, and give each role a value,1, 2, 4, 8, 16, 32, 64 etc, then on your account object, sum these integers for the roles of the user, that will give you a unique number representing the combination of that user's roles.

To find someone with the same permissions, you would then just need to look for someone with the same 'total' as you


Hi Bas, here are some images to explain a little. Domain with new entity liniked to UserRole: domain model

For each Permission Role (you are right, created in the Modeler) that you want to track, create an entry in the UserRole Rating form: Ratings

The using a Before Commit microflow on the Account object, set the total roles score for the account: account scores

After that you can easily find users with matching roles just by searching for accounts with the same total score. Here is a link to a sample project with this implemented: Newproject.mpk (I had to zip it again to get it to download)


This is the microflow I came up with: Retrieve users with same role

I retrieve the user role of the current user. For each role I retrieve all persons with that role. Then I intersect all these list to find the persons that are on all the lists. It's the fastest I found. I do like David's sollution but has the disadvantage of creating shadow entities.

I still think it should be possible with only xpath though.