1. Access control

    Article: AN0001557Updated: 14.03.2020

    This chapter describes access control by user roles created in ObjectGears by Administrator. Basic built-in ObjectGears role (role types) are described here.

    Access rights are managed by roles that are assigned to particular users in ObjectGears. Users can have more roles. Administrator creates new roles and defines, in which models they can be used. There are available following system roles already at the installation:

    Code Name Description
    authenticated_users All authenticated users The role is automatically assigned to all the authenticated users.
    unauthenticated_users All unauthenticated users The role is automatically assigned to all the unauthenticated users.
    all_users All users The role is automatically assigned to all the users.
    og_report Reports production The role enables to create and change user reports.

    User is assigned to the role either in the application or the assignment is given by user membership in Microsoft Active Directory group. In the later case following conditions must be met:

    1. Parameter AssingRoleToUser in the file web.config is set to False.
    2. Roles in ObjectGears have set attribute Name in the system to the Microsoft Active Directory group in format domain_name\group_name.
    3. The user is member of corresponding groups.


    Role can be used to access more objects in ObjectGears (particular classes, queries) or can be associtated with other permissions in the application. Role can have any combination of available access rights for each object. E.g. In case of classes these access rights are:

    1. Reading data
    2. Inserting data
    3. Changing data (requires role Reading data)
    4. Deleting data
    5. Mass data change (requires role Reading data)

    Access rights are added up. If the user is member of two roles, one of which enables to read and insert data in the given class and the other to read, change and delete the data, the user can read, insert, change and delete.

    In case of classes access can be controlled on level of particular records. The user can see or perform operations only with records coresponding with his position in the given organization structure. It is possible to combine access rights without organization structure influence and access rights according to various organizations structures in a single class. This represents a big flexibility in the access rights control in a single ObjectGears model/application.

    Access rights in classes can be also managed on level of particular columns of the record.

    Access to particular functions is managed in two ways:

    • The function has to be explicitly enabled in the class
    • The user has to have the corresponding role assigned

    Example: Data in the class can be changed only if this operation is enabled in the class. A role have to be associtated with the change operation in the class and the user has to have this role assigned. Without meeting these two conditions user cannot update the records.

    Limitation of assigned roles

    The user can temporarily remove the roles he/she has been granted, which results in a decrease of access rights. This can be done by clicking on user name in the upper right corner in the screen and pickin up in the context menu User info. There is List of assigned roles in the displayed page where the user can check off some of assigned roles. After saving changes the roles are removed for the user in current logon (session).

    Roles inactivated at logon

    At the time of logon the user does not have activated roles, which do not have checked option Immediately assign to user. If the users want to use such a role, they have to activate it after each logon. This can be done in section List of assigned roles in the context menu User info. This setup is useful for strong roles, for which the users shall explicitly determine, that they want to work with them.

    Restricting access to only some users

    In some cases it is necessary to restrict access into the application for some users only - e.g. to administrators (setting Enable access only to administrators) or only named users (setting Enable access to users). This settings are performed in menu Administration - System - About application.

    Restrictions are helpful e.g. in these cases:

    • An error occured and it is necessary to disable user access
    • You have performed restoration from back up and before enabling users to access the system again you need to do some adjustments

    Together with disabling access to regular users you can enable access to certain users that are able to perform data correction before full system start.

    Restricted user access may be applied together with function disabling of integration objects. Both ensure data protection in special cases.