BaccS provides flexible system to control access to a data stored in your database. This security system allows to create roles and assign those roles to users. Roles specify a set of rules which allow or restrict access to a specified data. It is possible to control access right on the level of individual forms and fields. If access is restricted to some form, it will be hidden from the UI. If access is restricted for some field, than a user with that role will see 'Protected content' label instead of actual data contained in that field.
The whole security system is controlled via two main forms available through the Default section of the navigation tree: Role and User.
User form allows to simply create, edit and delete users, assign roles and set passwords. To create a new user, click New button. To edit existing user, simply double click on it:
Change my password and Reset password buttons allow to set a new password, if it is empty, or reset existing password (admins only).
For newly created users, you may check Change password on first logon checkbox to force users to create a new password when application will be launched for the first time.
Is active checkbox allows to temporary disable current user (without deleting it).
To assign roles, use Roles table. Using default controls, add roles which currently edited belongs to. The Is administrative option is intended to simplify the unrestricted access definition and grants all available permissions to a role. If a role is administrative, it is impossible to deny any rights unless the administrative permission was removed. Can edit model checkbox specifies if current role has access to the Model editor.
Working with roles
In the navigation tree, select Default - Role. Start with creating a new role or editing existing one. For example, when BaccS was launched for the first time, two default roles were created: Administrators and Default. As it is clear from its name, administrators has full access to all data. From the other hand, users with Default role do not have access to any data at all. Try to login with the User user name and you will see that navigation tree is almost empty - access rights are fully limited.
Let's open Default role and check its settings:
Both checkboxes are clear and in the Permission policy field Deny all by default value is selected. This means that users with this role won't get access to any data unless you explicitly allow it in the Navigation permissions and Type permissions tabs. You can change Permission policy value to Read only all by default and Allow all by default. In the first case, a user will get access to all data without ability to edit it. In the second case, he/she will get access to all operations. Depending on the selected value here you specify a way of working with Navigation permissions and Type permissions tabs. If default policy dines access by default, than in these tabs you will specifying objects to allow access. And vice versa, if default policy allows access, than in these tabs you will specify object to restrict access to.
The Navigation Permissions allow you to grant or deny permissions for a single navigation item or for the whole navigation group as shown on the image below:
Allowing access to Reference data group will open access to all items in this group with read only rights. Why? By default, permission policy dines all access. After giving access to the Reference data group we expand this policy by giving additional rights. Since we use policy of restriction, given rights allow only to view data, but not edit it.
Item permissions have a greater priority than group permissions. For instance, you can deny access to the group, but grant access for one of its items, so this item will be enabled in the Navigation Panel.
The Type Permissions tab specifies access to all objects of a particular type. The image below illustrates this (in addition to previously granted access to the Reference data group, we open write rights for the Units table):
From now, user with Default role assigned will be able to edit Units table, but won't be able to delete any records from it.
If you wish to quickly fill this table with all object types available in BaccS, instead of manually adding rows one by one, click Pre-fill list of object types button on the ribbon.
Double click on the new type permission to open its editing form:
In this window, you can adjust access rights in detail. In addition to Read, Write, Create and Delete rights you get access to two additional tables: Member permissions and Object permissions.
Member Permissions grant access to specific members of an object. For example, users can have access to objects of a particular type and simultaneously have no access to several members of this type. For other example, it is possible to deny access to objects of a particular type and only allow access to a strict list of its members. It is possible to grant access to multiple properties with a single entry. In the following example, we provide access to customers table, but restrict access to the Default rates table and Default prices column:
When a user will open any customer editing form, he/she will see the following:
Instead of prices, 'Protected content' text is displayed.
As you see, Member permissions table also contains Criteria column. Using this column, you may provide additional conditions for applying particular right. For the example above, you may deny access to prices of one customer and provide access to prices of another customer. Built-in criteria builder will help you to compose necessary criteria:
An Object Permission grants access to object instances that fit a specified criterion. The following image illustrates the Object Permissions tab in the Type Operation Permissions dialog:
Here with fully restrict an access to all customers whose name starts with 'Flying'. In the result, 'Flying Colors' customer fully disappeared from the Customers list:
Created with the Personal Edition of HelpNDoc: Create cross-platform Qt Help files