Creating roles and access rights

How to create a role

1. In USoft Definer, choose Define, Roles.
2. In the Role field, type the name of the new role.
3. In the Description field, type a text that describes the role. Make sure you also include a brief description of the access rights that the role has.
IMPORTANT: Unlike most other Description fields in USoft, this field is not only for fellow developers. This description is also needed by administrators in non-Development environments when they need to decide who should have which access rights.
4. Press the Check button. Check that this sets Correct = Yes for the role. Save work.
IMPORTANT: If you forget Step 4, the role will not be "seen" by USoft Authorizer when you run Fill Authorizer Tables there.
5. Press F2, F3 to see the access rights that have been generated for the new role on the Table Rights, Job Rights and Component Rights tabs.
Notice that by default, your new role has all access rights.
You are now ready to give meaning to the role by setting default access rights and resource-specific access rights (Table Rights, Job Rights, Component Rights, Module Rights).

How to use default access rights

Each role has 6 defaults for access rights, which have the value "Foreground-and-background" by default:

"Foreground-and-background" is the widest access scope. In general terms, this means that the role has full access except where you make exceptions:

Accept this if your role has access to a great part of your application: everything except some. Then, at the lower levels (Table Rights...) define the exceptions by setting Scope values narrower than "Foreground-and-background".

Change these defaults to "None" (the narrowest access scope) for roles that have access to a small part of your application: nothing except some. Then, at the lower levels (Table Rights...) define the exceptions by setting Scope values wider than "None".

How to create access rights

Now proceed by expressing the exceptions to your defaults.

Where you have wide defaults, the exceptions will have narrower scope: they will express where access is restricted.

Where you have narrow defaults, the exceptions will have wider scope: they will express where access is allowed.

Here are some examples of the various ways in which you can restrict access:

You can exclude access to tables.

You can restrict the type of access to data (for example, to read-only access).

You can exclude access to columns.

You can exclude access to rows in a table.

You can exclude access to jobs or components by removing job rights and component rights.

You can restrict access rights to any resource to background use only. In this situation the user cannot use the function directly (explicitly, by calling it in the user interface). The user is only allowed to call something that indirectly, in the background, makes use of the resource.

To understand these various forms of restriction, go to Understanding roles.

Here is an overview of the mechanics of achieving these different restrictions:

| Restrict ... | By doing this ... |
| --- | --- |
| Access to tables | Setting Scope = None for the table, for all access types (Select, Insert, Update, Delete). NOTE: In USoft 9.x and earlier, table rights were modelled by the presence of records in the Table Rights table. In USoft 10.0 this is different: you cannot drop the Table Rights record. |
| Type of access to data | Setting Scope = None for the access type you want to bar (for example, the Insert, Update, and Delete access types if you want read-only access) |
| Access to columns | Setting Scope = None for the Column Right (lower box in the Roles info window) |
| Access to rows in a table | Defining a role condition and associating it to the Table Right for the appropriate access types (Select, Insert, Update and/or Delete) |
| Access to jobs | Setting Scope = None for the Job Right, or dropping the record for the Job Right |
| Access to components | Setting Scope = None for the Component Right, or dropping the record for the Component Right |
| Access to background-only use | Setting Scope = Background-only for the appropriate access right record |
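
The interplay of defaults and exceptions described above can be reasoned about with a small model. The following Python code is an added illustration, not USoft code and not part of the original documentation: it resolves the effective scope of a table right and flags a role that was saved with its untouched, all-access defaults or without a description. The `Role` class, the `review` function, the table names ORDERS and SALARY, and modelling defaults only for the four table access types are assumptions made for this example.

```python
# Added illustration: a simplified model of role scopes, not USoft code.
from dataclasses import dataclass, field

# Scope values named on this page, ordered from narrowest to widest.
SCOPES = ("None", "Background-only", "Foreground-and-background")
ACCESS_TYPES = ("Select", "Insert", "Update", "Delete")

@dataclass
class Role:
    name: str
    description: str = ""
    # Default scope per access type; a new role starts with the widest scope.
    defaults: dict = field(default_factory=lambda: {a: SCOPES[2] for a in ACCESS_TYPES})
    # Exceptions: (table, access type) -> scope that overrides the default.
    table_rights: dict = field(default_factory=dict)

    def scope(self, table, access):
        return self.table_rights.get((table, access), self.defaults[access])

    def allowed(self, table, access, foreground):
        s = self.scope(table, access)
        if s == "None":
            return False
        # Background-only: usable indirectly, never called directly by the user.
        return not (foreground and s == "Background-only")

def review(role):
    """Return findings an administrator would want before granting the role."""
    findings = []
    if not role.description.strip():
        findings.append("no description of the role's access rights")
    wide = all(v == SCOPES[2] for v in role.defaults.values())
    narrowed = any(SCOPES.index(s) < 2 for s in role.table_rights.values())
    if wide and not narrowed:
        findings.append("role still has all access rights (untouched defaults)")
    return findings

# Constructed sample roles; table names ORDERS and SALARY are made up.
fresh = Role("NEW_ROLE")
clerk = Role("CLERK", "Read-only on ORDERS, nothing else",
             defaults={a: "None" for a in ACCESS_TYPES},
             table_rights={("ORDERS", "Select"): SCOPES[2],
                           ("SALARY", "Select"): "Background-only"})
```

Here `fresh` corresponds to a role created with steps 1 to 5 and nothing more, and `clerk` to a role with narrow defaults and two wider exceptions.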

See also

Roles