1. Access rights on class columns

    Article: AN0001562

    Assigning an access right to a role in the class detail gives that role the access right to all columns of the given class. In general, the following limitations apply:

    • A column that does not have modification enabled (there are two types of modification: at record creation and at record change) cannot be edited, even if the user has a role that enables modification.
    • A column that does not have display enabled (there are three types of display: in the list of records, in the record detail and in the detailed list of records) cannot be displayed, even if the user has a role that enables display.
    • If the access right is assigned in relation to a certain organization unit, users have the access right only to records belonging to their organization units or to subordinate organization units (if Also via subordinates is set up).

    On top of these general principles, access rights for reading or editing particular columns can be restricted by means of scripts (for the list of records or the record detail) defined in the class detail on the tab Scripts. The decision whether a column is displayed or enabled for editing can be based on the user's membership in a role. For this purpose, two functions of the script object Person can be used: IsUserInRole or IsUserInModelRole. Access rights to display/download files in a column of type File can be controlled in a similar way.

     Example

    1. Setting column to read-only

    This script for a record detail, defined in the class detail on the tab Scripts, disables editing of the column "Tester" for all users that do not have the role "project-manager" or "application-manager".

    function OnAfterLoadColumns()
    {
      if ( !( OG.Person.IsUserInRole('project-manager') || OG.Person.IsUserInRole('application-manager')))
      {
        OGColumns.GetByCode('tester').ReadOnly = true;
      }
    }

    The function IsUserInRole returns true even if the given role is disabled on the model. To enable editing only if the user is a member of the role and the role is also enabled on the given model, use the function IsUserInModelRole.

    function OnAfterLoadColumns()
    {
      if ( !( OG.Person.IsUserInModelRole('project-manager',2) || OG.Person.IsUserInModelRole('application-manager',2)))
      {
        OGColumns.GetByCode('tester').ReadOnly = true;
      }
    }
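
    The difference between the two functions, as an added simulation that is not ObjectGears code: makeContext is a hypothetical stand-in for OG.Person and OGColumns that models only the behaviour described above, and the users and the roles enabled on model 2 are constructed sample data.

```javascript
// Added simulation, not ObjectGears code: makeContext() is a hypothetical stand-in
// for the OG.Person and OGColumns script objects, modelling only the behaviour
// described above (role membership vs. role enabled on a model).
function makeContext(user, rolesEnabledOnModel) {
  const columns = { tester: { ReadOnly: false } };
  const Person = {
    // True for any member of the role, even if the role is disabled on the model.
    IsUserInRole: (role) => user.roles.includes(role),
    // True only if the user is a member AND the role is enabled on that model.
    IsUserInModelRole: (role, modelId) =>
      user.roles.includes(role) &&
      (rolesEnabledOnModel[modelId] || []).includes(role),
  };
  return { OG: { Person }, OGColumns: { GetByCode: (code) => columns[code] } };
}

// The two script variants from the article, parameterised over the context.
function scriptWithIsUserInRole({ OG, OGColumns }) {
  if (!(OG.Person.IsUserInRole('project-manager') ||
        OG.Person.IsUserInRole('application-manager'))) {
    OGColumns.GetByCode('tester').ReadOnly = true;
  }
}
function scriptWithIsUserInModelRole({ OG, OGColumns }) {
  if (!(OG.Person.IsUserInModelRole('project-manager', 2) ||
        OG.Person.IsUserInModelRole('application-manager', 2))) {
    OGColumns.GetByCode('tester').ReadOnly = true;
  }
}

// Runs one script variant for one user and reports whether "tester" is editable.
function testerEditable(script, user, rolesEnabledOnModel) {
  const ctx = makeContext(user, rolesEnabledOnModel);
  script(ctx);
  return !ctx.OGColumns.GetByCode('tester').ReadOnly;
}

// Constructed sample data: on model 2 only "application-manager" is enabled.
const enabledOnModel = { 2: ['application-manager'] };
const users = [
  { name: 'pm-role-disabled-on-model', roles: ['project-manager'] },
  { name: 'app-manager', roles: ['application-manager'] },
  { name: 'no-role', roles: [] },
];
for (const u of users) {
  console.log(u.name,
    'IsUserInRole:', testerEditable(scriptWithIsUserInRole, u, enabledOnModel),
    'IsUserInModelRole:', testerEditable(scriptWithIsUserInModelRole, u, enabledOnModel));
}
```

    Only the first user gets a different result: the IsUserInRole variant leaves "Tester" editable, while the IsUserInModelRole variant makes it read-only.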

    2. Hiding a column

    This script for a record detail, defined in the class detail on the tab Scripts, hides the column "Tester" from all users that do not have the role "project-manager" or "application-manager", or that have these roles but the roles are not enabled on the model with Id=2.

    function OnAfterLoadColumns()
    {
      if ( !( OG.Person.IsUserInModelRole('project-manager',2) || OG.Person.IsUserInModelRole('application-manager',2)))
      {
        OGColumns.GetByCode('tester').Visible = false;
      }
    }

    Hiding a column also shifts the other controls on the page. To keep the position of the other controls and leave an empty space in place of the hidden control, use the property HideWithBlankSpace of the OG data type ColumnClassDefUserSet.

    function OnAfterLoadColumns()
    {
      if ( !( OG.Person.IsUserInModelRole('project-manager',2) || OG.Person.IsUserInModelRole('application-manager',2)))
      {
        OGColumns.GetByCode('tester').Visible = false;
        OGColumns.GetByCode('tester').HideWithBlankSpace = true;
      }
    }

    3. Preventing display/download of a file

    This script for a column of type File prevents displaying/downloading files in this column for all users that do not have either the "project-manager" or the "application-manager" role.

    if ( !( OG.Person.IsUserInModelRole('project-manager',2) || OG.Person.IsUserInModelRole('application-manager',2)))
    {
      OGForm.SetError('You are not authorized to download or display the file content.');
      return false;
    }
