Article: AN0001564
Access rights can be set and removed on several levels. For access rights to actually take effect, all of the following conditions must be met (the example below uses class access rights, but the same principle applies to other objects as well):
- The user account is not locked and the user is enabled to log in to the application.
- A role is assigned to the user.
- This role is enabled.
- There is a model that is enabled.
- The role is assigned to this model.
- The role is enabled on this model.
- There is a class in the model that has certain operations enabled.
- The role is assigned to these operations in the class.
The prerequisites for access rights to function are documented by the following data model. (Only those entity properties that are important for access rights are displayed.)
Apart from the assigned access rights, the type of access also depends on the settings of the class and the column.
The following is defined on the class level:
- Enabling data insert
- Enabling data change
- Enabling data display in the list
- Enabling data display in the detail
- Enabling data display in the detailed list
- Enabling data deletion (physical or logical)
- Enabling display of deleted records
- Enabling mass updates
The following is defined on the column level:
- Enabling data display in the list
- Enabling data display in the detail
- Enabling data display in the detailed list
- Enabling editing on record creation
- Enabling editing on record change
Role assignment on the class level can be carried out either on the page with the class definition or on the role management page, which allows roles to be checked and assigned for all the classes in the model at the same time.
The display of a column or a button can also be influenced by scripts for records and pages (objects OGColumns or OGControlOperations). A script can only hide an object. It is not possible to display an object that the user does not have access to.
Class inheritance and access rights
If a class has a parent class, access rights are evaluated for the current class only (not for the parent classes).
Queries
Access rights are evaluated only for the given query and not for the objects used in the query. Therefore, you can display some data from a sensitive class to a user with a lesser role.
Query security issues are described in Queries to somebody else's data.
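The condition chain from the top of this article and the query behaviour described above, modelled as an added example (not code from the application itself): it reports which condition blocks a role on a class, and lists queries that show a class to a role that has no rights on that class. The data layout, the field names and the operation name "list" are assumptions made for this example.

```javascript
// Constructed sample data; every field name here is an assumption of this example.
const db = {
  users: { alice: { locked: false, loginEnabled: true, roles: ["clerk"] } },
  roles: { clerk: { enabled: true }, hr: { enabled: true } },
  models: { main: { enabled: true, roles: { clerk: { enabled: true }, hr: { enabled: true } } } },
  classes: {
    person: { model: "main", operations: { list: { enabled: true, roles: ["clerk", "hr"] } } },
    employee: { model: "main", parent: "person",
                operations: { list: { enabled: true, roles: ["hr"] } } },
  },
  queries: { staff_overview: { roles: ["clerk"], usesClasses: ["employee"] } },
};

// Returns the first unmet condition for a role on a class operation, or null if all hold.
function roleBlockedBy(db, roleName, className, op) {
  const role = db.roles[roleName];
  const cls = db.classes[className];
  if (!cls) return "unknown class";
  const model = db.models[cls.model];
  const onModel = model && model.roles[roleName];
  const operation = cls.operations[op];
  if (!role || !role.enabled) return "role disabled";
  if (!model || !model.enabled) return "model disabled";
  if (!onModel) return "role not assigned to model";
  if (!onModel.enabled) return "role disabled on model";
  if (!operation || !operation.enabled) return "operation disabled on class";
  // Only the class's own assignment counts; cls.parent is deliberately not consulted.
  if (!operation.roles.includes(roleName)) return "role not assigned to operation";
  return null;
}

// A user has access when the account can log in and at least one role passes every check.
function userCan(db, userName, className, op) {
  const u = db.users[userName];
  if (!u || u.locked || !u.loginEnabled) return false;
  return u.roles.some((r) => roleBlockedBy(db, r, className, op) === null);
}

// Audit: queries assigned to a role that is blocked on a class the query reads.
function queryExposures(db, op = "list") {
  const findings = [];
  for (const [query, def] of Object.entries(db.queries))
    for (const role of def.roles)
      for (const cls of def.usesClasses) {
        const why = roleBlockedBy(db, role, cls, op);
        if (why) findings.push({ query, role, class: cls, why });
      }
  return findings;
}
```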
Pages
Access rights are evaluated only for the whole page. If you want to display a webpart on the page to certain roles only, then you have to use scripting on the page level and use the function IsUserInRole. Webparts can then be displayed or hidden as needed by means of the command
OGWebParts['webpart_code'].Visible = false;
Access rights and menu or buttons
Only those menu items that the user has access rights to are displayed to the user. Similarly, only those buttons that perform actions to which the user has access rights are displayed to the user.