Rights

Description


Logging into an application is an important thing to do, but within the application the customer may want to limit functionality for users, based on what they are allowed to do. One of the goals of Secwin is to allow end-users to do this in an intuitive way, but a way that allows them to understand what a user's rights are, and how to set them.


A user has to be at the level of Supervisor, Administrator or SysAdmin in order to assign rights to individuals or groups.


Groups


DEXIT allows User Groups to be created. A user has to be at least at the Administrator Level in order to create groups.


Using Groups is useful because rights can be assigned to groups. Then, when a new user is added to the system, it is not necessary to set all their rights individually; you can simply assign the user one or more groups.


If a user is a member of more than one group then they get the access rights of all the groups. So as long as they have access to something through at least one of their groups, they will have access to that something. In technical terms, access rights are combined with OR, not AND.


When a group is created you can set its access rights to default to either ALL or NONE. If set to ALL then the group has access to everything (by default) and it can be edited to restrict specific access. If set to NONE then specific access has to be granted to the group.


Users


A user has to be at least at the Administrator Level in order to add users. (With the exception of systems which allow users to create themselves, more on that later.)


In addition to being in a group, a user can have specific rights which override these group rights. This allows the administrator not just to allow specific users to do specific things outside of their group, but also to prevent a user from doing something, even if their groups are allowed to do it.


Users who are not part of any group can also have their rights set on an individual basis.


When a user is created you can set their access rights to default to either ALL, GROUP or NONE. If set to ALL then the user has access to everything (by default). This can then be edited to restrict specific access. If set to GROUP then the default rights of their group(s) are used. If any are set to ALL then the user's default is ALL; if all are set to NONE then the user's default is NONE.



Run Time


There are two approaches to controlling the access rights of users at run time.



Make use of the Global "Set Access Rights" window. This window presents a list of all the procedures which can be protected, and allows the supervisor to set the rights for all the procedures and controls in one place. This approach is faster, but the user needs an understanding of how the application is arranged, and what procedures refer to what functions.


Bubbling


Menu Items and Buttons are often set to "Call a Procedure". Having the button present, but going to an Access Denied message, is not very friendly.


The solution for this in Secwin 6 and earlier was to protect both the button in the calling procedure, and the destination procedure as well. This can duplicate work when setting up the system.


DEX introduces the concept of Bubbling - if a user does not have access to a procedure then buttons and menu items that call that procedure (using the template Actions setting) are automatically hidden.



Disabling and hiding of controls for access control purposes does not happen in isolation. There may be other considerations which also come into play.
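

The rules described above (group rights combined with OR, user-specific rights overriding groups, the ALL / GROUP / NONE defaults, and Bubbling) can be modelled as follows. This is an added example in Python, not Secwin's own code; the procedure and control names are constructed. It assumes that groups are consulted only when the user's default is GROUP, since the page does not say how a user default of ALL or NONE interacts with group membership.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    default: str                                # "ALL" or "NONE"
    rights: dict = field(default_factory=dict)  # procedure -> bool, edits to the default

    def allows(self, proc):
        # A specific setting wins; otherwise the group default applies.
        return self.rights.get(proc, self.default == "ALL")

@dataclass
class User:
    default: str                                # "ALL", "GROUP" or "NONE"
    groups: list = field(default_factory=list)
    rights: dict = field(default_factory=dict)  # user-specific overrides

def has_access(user, proc):
    # 1. A user-specific right overrides the groups, to allow or to deny.
    if proc in user.rights:
        return user.rights[proc]
    # 2. Default GROUP: access through at least one group is enough (OR, not AND).
    #    With no specific group settings this reduces to "any group default is ALL".
    if user.default == "GROUP":
        return any(g.allows(proc) for g in user.groups)
    # 3. Assumption: a default of ALL or NONE is decided by the user default alone.
    return user.default == "ALL"

def visible_controls(user, controls):
    # Bubbling: a control that calls a procedure the user cannot reach is hidden.
    return [name for name, proc in controls.items() if has_access(user, proc)]

# Constructed sample data (hypothetical procedure and control names).
SALES = Group("NONE", {"BrowseInvoices": True})   # NONE, one right granted
STAFF = Group("ALL", {"UpdatePrices": False})     # ALL, one right restricted
CONTROLS = {"Invoices": "BrowseInvoices",
            "Prices": "UpdatePrices",
            "Payroll": "RunPayroll"}

CLERK = User("GROUP", [SALES, STAFF])
TEMP = User("GROUP", [SALES], {"BrowseInvoices": False})   # denied despite group
AUDITOR = User("NONE", [], {"BrowseInvoices": True})       # no group, one grant

if __name__ == "__main__":
    for label, u in (("clerk", CLERK), ("temp", TEMP), ("auditor", AUDITOR)):
        print(label, visible_controls(u, CONTROLS))
```

The case worth reviewing in a real deployment is the clerk's Payroll button: membership of a single group that defaults to ALL exposes every procedure nobody has explicitly restricted, so groups that default to NONE give the least-privilege starting point.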