1. Role

    Article: AN0001559

    A role is the link between a user and an access right for an operation in the ObjectGears system. Access rights to objects are not assigned directly to users, because that would be hard to maintain and hard to keep transparent. All access rights are therefore realized by means of roles. A user is either assigned to a role in the system, or the assignment is taken over from Active Directory groups (or another system). Each role first has to be defined on the ObjectGears instance level.

    Roles can then be used in particular models and classes to control access rights. Within a model we select roles (from the existing roles defined in the ObjectGears instance) that we can later use to set up access rights on particular classes and other objects.

    Within the settings of an object (e.g. class, workflow etc.) we define which roles shall have which access rights (e.g. read, create, update, delete...).

    Roles are created and enabled for a model by the Administrator of ObjectGears. The IT owner of the model then maps roles to access rights for particular objects.

    Role enabling

    Sometimes it is necessary to disable a role immediately (e.g. due to a security incident, bug fix, temporary prohibition of performing some operation). In this case you can disable it:

    • in a role - then the role is disabled for all the models
    • in a model - then the role is disabled only in a particular model

    By disabling a role you prevent users from using the access rights related to the role; however, the role remains assigned to the objects. Later on you can enable the role again and the access rights start working immediately, as before the prohibition.

    A role can also be withdrawn from the objects (model, class, query...). However, if it is only a temporary revocation, you have to add it to the object again later, which might be labour-intensive and involves a risk of mistake (forgetting to assign the role back to a necessary object).
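
The following is an added illustration, not ObjectGears code or its API: a small Python model of the evaluation described above, showing why disabling a role (on the instance or in one model) is reversible while withdrawing it from an object is not. All class, function and object names (`Role`, `Model`, `is_allowed`, `Editors`, `CMDB`, `HR`) are assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    enabled: bool = True  # instance-level switch: off means off in every model

@dataclass
class Model:
    name: str
    role_enabled: dict = field(default_factory=dict)  # role name -> enabled in this model
    grants: dict = field(default_factory=dict)        # (object, role name) -> set of rights

    def grant(self, obj, role_name, rights):
        self.role_enabled.setdefault(role_name, True)
        self.grants[(obj, role_name)] = set(rights)

    def withdraw(self, obj, role_name):
        # Withdrawal deletes the mapping; it must be re-entered by hand later.
        self.grants.pop((obj, role_name), None)

def is_allowed(user_roles, roles, model, obj, right):
    """A right applies only via a role that is enabled on the instance AND in
    the model AND is mapped to that right on the object (default deny)."""
    for name in user_roles:
        role = roles.get(name)
        if role is None or not role.enabled:
            continue
        if not model.role_enabled.get(name, False):
            continue
        if right in model.grants.get((obj, name), set()):
            return True
    return False

def build_demo():
    # Constructed sample data: one role used in two models.
    roles = {"Editors": Role("Editors")}
    cmdb, hr = Model("CMDB"), Model("HR")
    cmdb.grant("class:Server", "Editors", {"read", "update"})
    hr.grant("class:Employee", "Editors", {"read"})
    return roles, cmdb, hr

if __name__ == "__main__":
    roles, cmdb, hr = build_demo()
    cmdb.role_enabled["Editors"] = False   # contain an incident in one model only
    print(is_allowed(["Editors"], roles, cmdb, "class:Server", "update"))
    print(is_allowed(["Editors"], roles, hr, "class:Employee", "read"))
    cmdb.role_enabled["Editors"] = True    # mappings were kept, access returns
    print(is_allowed(["Editors"], roles, cmdb, "class:Server", "update"))
```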