Foreground and Background Rights
The Authorizer is based on a relational database, in which there may be relationships between data in several tables. If you grant rights to user groups you will have to remember that such relationships may exist. Having the right to delete a person's data may have its repercussions in other tables. That is why you can define rights in the foreground and in the background.
The foreground object is the object that is currently active in a data window or in the SQL Command dialog.
The user group may have the right to perform certain actions on a table in the foreground but these actions may cause all kind of actions in referenced tables, depending upon the relationships between the tables. For example, deleting a certain record in the foreground table may automatically delete a related record in a background table (through a cascading delete, or a corrective constraint). If you give a user group the right in the background, you grant the user the right to access or edit data through these processes.
To be able to execute UPDATE or DELETE statements, a background select right is also needed because the Rules Engine performs SELECT statements in the background before executing an update or delete statement. This means that when specifying an Update or Delete right, you also have to specify a background Select right.
Background processes for which (background) rights have to be explicitly specified include:
An important rule is that user group members are allowed to do anything in the background that they are allowed to do in the foreground... and sometimes more.
If there are constraints defined on a table or column that "update" information in other tables, background rights must have been granted on these other tables.