Advanced configuration of security settings is one of the strengths of the LoBDb.NET platform. Let us illustrate this feature. Suppose that a table named notes contains a single string field named text, as shown in the picture below. Different users should be able to store their records in that table. To create such a table, click Create Table on the Tables folder and then click Design Table on the newly created table.

01_table_design.png

Suppose that the security settings should allow users to view only those records that were created by their teammates or by their subordinates. Moreover, every user should be able to update and delete only their own records. To achieve this, let us create two roles, namely reader and writer, and configure their permissions as shown in the pictures below (click Create Role on the Roles folder and then select Manage Permissions on each of the new roles).

02_role_reader.png
03_role_writer.png

To define the organizational structure you build a tree of units. Let us group all the users into two child units, child_unit_1 and child_unit_2, which are subordinate to the top_unit unit as shown in the picture below. Click Create Unit on the Units folder to create the corresponding units and then click Add Unit in Unit on the Child Units folder of the top_unit folder.

04_unit_structure.png

Then create four users, u_top, u_child_1_a, u_child_1_b and u_child_2, by clicking Create User on the Users folder.

05_new_users.png

Then add all the users to the reader and writer roles and assign a unit to each user as shown in the pictures below (click Add User in Role on the Users folder inside each of the roles, and then click Add User in Unit on the Users folder inside each of the units).

06_unit_users.png
07_role_users.png

Now let us connect under the account of the u_child_1_a user by clicking Connect As on the domain icon and typing the corresponding user name and password. Then open a new query window by selecting New Query on the domain icon and enter the script shown in the picture below, which inserts a new record as the u_child_1_a user.

08_u_child_1_a_query.png

Then connect under the u_child_1_b credentials, insert a new record and read the contents of the notes table. You will find that u_child_1_b is able to view the record created by u_child_1_a because both users belong to the same unit and have permission to read the records created by their teammates.

09_u_child_1_b_query_1.png

However, u_child_1_b can modify only its own record, not the record created by u_child_1_a, as can be seen by executing the scripts shown in the pictures below.

10_u_child_1_b_query_2.png
11_u_child_1_b_query_3.png

Now connect under the u_child_2 user, create a new record and then select the rows of the notes table. The result is that u_child_2 is able to view only its own record, because u_child_1_a and u_child_1_b belong to another unit.

12_u_child_2_query.png

Finally, let us connect under the u_top user account and insert a record. u_top will be able to read all the records, since the users that created them are subordinate to the u_top user.
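The walkthrough above shows the resulting visibility from the client, but not the rule that produces it. The following Python model, an added example that is not part of the LoBDb.NET platform or of this page, restates the rule in code so you can check each step of the scenario offline: a user may read a record if it is their own, if its owner is a teammate (same unit), or if its owner sits in a unit below theirs in the tree; a user may update or delete only their own records. The Unit, User and Note classes, the role names reader and writer, and the sample notes are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Unit:
    """A node in the organizational tree (constructed model of a LoBDb.NET unit)."""
    name: str
    parent: Optional["Unit"] = None


@dataclass
class User:
    name: str
    unit: Unit
    roles: FrozenSet[str]


@dataclass
class Note:
    """One row of the notes table, tagged with the user that inserted it."""
    id: int
    text: str
    owner: User


def is_subordinate_unit(unit: Unit, ancestor: Unit) -> bool:
    """True if `unit` lies strictly below `ancestor` in the unit tree."""
    node = unit.parent
    while node is not None:
        if node is ancestor:
            return True
        node = node.parent
    return False


def can_read(user: User, note: Note) -> bool:
    """Reader permission as configured above: own, teammates' or subordinates' records."""
    if "reader" not in user.roles:
        return False
    owner = note.owner
    return (
        owner is user
        or owner.unit is user.unit
        or is_subordinate_unit(owner.unit, user.unit)
    )


def can_write(user: User, note: Note) -> bool:
    """Writer permission as configured above: update/delete only one's own records."""
    return "writer" in user.roles and note.owner is user


def visible_note_ids(user: User, notes: List[Note]) -> List[int]:
    """Ids a SELECT on the notes table would return for this user."""
    return [n.id for n in notes if can_read(user, n)]


def build_scenario() -> "tuple[Dict[str, User], List[Note]]":
    """Constructed sample matching the page: three units, four users, one note each."""
    top = Unit("top_unit")
    child_1 = Unit("child_unit_1", parent=top)
    child_2 = Unit("child_unit_2", parent=top)
    roles = frozenset({"reader", "writer"})
    users = {
        name: User(name, unit, roles)
        for name, unit in [
            ("u_top", top),
            ("u_child_1_a", child_1),
            ("u_child_1_b", child_1),
            ("u_child_2", child_2),
        ]
    }
    # Insert order follows the walkthrough: 1_a, 1_b, child_2, then top.
    order = ["u_child_1_a", "u_child_1_b", "u_child_2", "u_top"]
    notes = [Note(i + 1, f"note from {name}", users[name]) for i, name in enumerate(order)]
    return users, notes


if __name__ == "__main__":
    users, notes = build_scenario()
    for name in ["u_child_1_a", "u_child_1_b", "u_child_2", "u_top"]:
        print(name, "sees", visible_note_ids(users[name], notes))
```

Running the script reproduces the page's observations: u_child_1_b sees both child_unit_1 records but can only write its own, u_child_2 sees only its own record, and u_top sees every record because child_unit_1 and child_unit_2 hang below top_unit. Note that the rule is asymmetric by design: a child user never sees a record inserted by u_top, since top_unit is neither its own unit nor a subordinate one.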

13_u_top_query_1.png

Last edited Jul 26, 2012 at 4:07 AM by mapase, version 10
