Security System Overview
This topic describes the Security System's permission types. Configure permissions in a role and assign it to a user. Each user should have at least one role. The Security System checks permissions for each role and determines access rights. A user can execute an operation when at least one of the user's roles allows this operation.
The Is Administrative option grants all available permissions to a role.
You cannot deny any rights for a role with the Administrative Permission.
Edit Model Permission
The Can Edit Model option allows users associated with the current role to use the Model Editor.
When the Edit Model or Administrative permission is granted, the Edit Model Action becomes available in the Tools category. This Action allows editing the application model for the current user.
The Permission Policy determines the Security System's behaviour when a specific type, object or member does not have explicitly specified permissions. Refer to the Permission policies topic for more information.
You can manage access to the navigation control's items in the Navigation Permissions tab. You can grant or deny a permission for a single navigation item or for a whole navigation group, as shown in the image below:
Item permissions have a higher priority than group permissions. For instance, if you deny access to a group but grant access to one of its items, this item is enabled in the navigation control.
IMPORTANT: Navigation permissions manage the visibility of the navigation control's items. They do not grant or deny access to the objects associated with navigation items. Use Type permissions or Object permissions to manage access to these objects.
The Type Permissions tab specifies access to all objects of a particular type.
The following operation types can be granted or denied:
| Operation | Description |
|---|---|
| Read | Objects of the current type are readable. To make an object read-only, allow the Read operation and deny the Write operation. |
| Write | Objects of the current type are editable. |
| Create | New objects of the current type can be created. Note that granting Create without Write does not allow a user to save new objects. |
| Delete | Objects of the current type can be deleted. |
Object permissions grant access to object instances that fit a specified criterion. The following image illustrates the Object Permissions tab in the Type Operation Permissions dialog.
Member permissions grant access to specific members of an object. Double-clicking a record in a type permission list invokes the following dialog.
For example, users can have access to objects of a particular type and simultaneously have no access to several members of this type. As another example, it is possible to deny access to objects of a particular type and only allow access to a strict list of its members. You can set the Members value to a string that is a semicolon-separated list of property names.
You can also specify a criterion for a Member permission entry. The entry is active when the current object meets the criterion.
Reference Properties Access
To determine whether access to reference properties such as AssignedTo and complex reference properties such as AssignedTo.Name is allowed, the Security System checks the current type's Type permissions, the reference property type's Type permissions, and each member's Member permissions (in the property path).
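The property-path check described above, together with the "at least one role allows" rule and the Permission Policy fallback, can be expressed as a small model. This Python code is an added example, not DevExpress code or API. Its assumptions: the `Role` class, the `SCHEMA` map and every member name except `AssignedTo` and `Name` are constructed for illustration, a member entry overrides the type entry, an unspecified entry falls back to the policy default, and criteria are ignored.

```python
# Simplified model of the reference-property check; not DevExpress code.
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

# Constructed sample schema: type -> {reference member: referenced type}.
SCHEMA = {
    "Task": {"AssignedTo": "Employee"},
    "Employee": {"Department": "Department"},
    "Department": {},
}

@dataclass
class Role:
    is_administrative: bool = False
    type_read: dict = field(default_factory=dict)    # type name -> ALLOW/DENY
    member_read: dict = field(default_factory=dict)  # (type, member) -> ALLOW/DENY

def role_allows_member(role, type_name, member, default=DENY):
    """Assumed order: member entry, then type entry, then the policy default."""
    if role.is_administrative:
        return True  # an administrative role is granted everything
    state = role.member_read.get((type_name, member))
    if state is None:
        state = role.type_read.get(type_name, default)
    return state == ALLOW

def can_read_path(roles, root_type, path, default=DENY):
    """Check every hop of a path such as 'AssignedTo.Name'.

    Returns (allowed, failing_hop); a hop passes when at least one role allows it.
    """
    current = root_type
    for member in path.split("."):
        if current is None:
            raise ValueError(f"{member!r} follows a non-reference member")
        if not any(role_allows_member(r, current, member, default) for r in roles):
            return False, f"{current}.{member}"
        # Follow the reference to the next type; a scalar member ends the walk.
        current = SCHEMA[current].get(member)
    return True, None

if __name__ == "__main__":
    staff = Role(type_read={"Task": ALLOW, "Employee": ALLOW},
                 member_read={("Employee", "Salary"): DENY})
    for p in ("AssignedTo", "AssignedTo.Name", "AssignedTo.Salary"):
        print(p, can_read_path([staff], "Task", p))
```

The second element of the result names the hop that blocked access, which is the first thing to look at when a reference column shows up as protected for a user who can read the root type.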