Access rights

The IS Tools platform provides a security system that specifies who may do what, and where, in the application. Access rights are defined per item: record groups, fields, forms, command buttons and other items.

Access rights are attached to roles, and a user account receives them by being placed in one or more roles. See Administration of users and roles for how to do this.

Consequently, every time a new role is created, access rights must be granted to it for the relevant record groups, fields and forms. The administrator should then test the new role by logging in as a test user who has this role (and preferably no other, so that rights from other roles do not mask gaps) and confirming that everything in the application works as intended: the permitted functions, forms and data are available, and nothing else is.

Figure: AccessCtrl

The IS Tools access control system is based on "allow" logic. IS Tools first checks whether the current user's account belongs to one or more roles that allow the requested type of access to the specific item. If at least one role allows that type of access, the user is granted access to the item. If none of the user's roles contains a suitable access right, access is denied. Unlike some other access-control systems, IS Tools has no explicit "deny" access right: every type of access to any form, command button, field, record group or other item is denied unless it has been explicitly allowed. This logic simplifies the design of a security scheme within an application, makes the result of a given scheme easier to predict, and reduces the risk of inadvertently giving a user an unintended type of access to an item. The flip side is that adding a role can only ever widen a user's access; there is no role that can be added to take a right away.

Access rights should always be congruent across items, i.e. the same rights should be granted on the record group, its fields and the application forms that show it. Incongruence leads to situations such as the following: if a form grants Delete, a user still cannot delete the current record if none of his/her roles grant Delete on the record group; conversely, if the form does not grant Delete, the user cannot delete the record even though his/her roles grant Delete on the record group. In practice, access rights on records and fields are logically AND-ed with the form rights, so a right that is granted on one item but missing on the other is never effective.
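The allow-only check and the AND-ing of form and record rights described above, as an added example that is not part of the original page and not IS Tools code. The access types (Read, Write, Create, Delete), the item kinds, the role names and the "Tickets" form and record group are assumptions made for the illustration. The last function goes one step further than the text and mechanically finds the incongruent rights an administrator would otherwise have to discover by testing.

```python
"""Allow-only access rights with form AND record/field rights (illustrative model)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class Access(Enum):  # assumed access types, not a list taken from IS Tools
    READ = "Read"
    WRITE = "Write"
    CREATE = "Create"
    DELETE = "Delete"


Item = Tuple[str, str]  # (kind, name), e.g. ("form", "Tickets")


@dataclass
class Role:
    name: str
    # Allow-only: a role can only list what it permits. There is no deny entry,
    # so an item absent from `grants` is simply not allowed by this role.
    grants: Dict[Item, FrozenSet[Access]] = field(default_factory=dict)

    def allows(self, item: Item, access: Access) -> bool:
        return access in self.grants.get(item, frozenset())


def is_allowed(roles: Iterable[Role], item: Item, access: Access) -> bool:
    """Allow logic: granted if at least one of the user's roles allows it, else denied."""
    return any(role.allows(item, access) for role in roles)


def effective_record_access(roles: Iterable[Role], form: Item, record_group: Item,
                            access: Access) -> bool:
    """Record-group rights are AND-ed with form rights: both must allow."""
    roles = list(roles)
    return is_allowed(roles, form, access) and is_allowed(roles, record_group, access)


def effective_field_access(roles: Iterable[Role], form: Item, record_group: Item,
                           field_item: Item, access: Access) -> bool:
    """Field rights are AND-ed with record-group and form rights."""
    roles = list(roles)
    return (effective_record_access(roles, form, record_group, access)
            and is_allowed(roles, field_item, access))


def find_incongruences(roles: Iterable[Role], form: Item, record_group: Item,
                       fields: Iterable[Item]) -> List[str]:
    """List access types on which the form, the record group and its fields disagree.

    Each entry is a right granted on one item but not on the other; because rights are
    AND-ed, such a right is never effective and is usually a configuration mistake.
    """
    roles, fields = list(roles), list(fields)
    problems = []
    for access in Access:
        on_form = is_allowed(roles, form, access)
        on_group = is_allowed(roles, record_group, access)
        if on_form != on_group:
            problems.append(f"{access.value}: form={'allow' if on_form else 'deny'}, "
                            f"record group={'allow' if on_group else 'deny'}")
        for fld in fields:
            on_field = is_allowed(roles, fld, access)
            if on_field != on_group:
                problems.append(f"{access.value}: field {fld[1]}={'allow' if on_field else 'deny'}, "
                                f"record group={'allow' if on_group else 'deny'}")
    return sorted(problems)


# Constructed sample configuration (assumed names, not from a real application).
TICKETS_FORM: Item = ("form", "Tickets")
TICKETS_RG: Item = ("record_group", "Tickets")
TICKET_FIELDS = [("field", "Tickets.Title"), ("field", "Tickets.Status")]
ALL = frozenset(Access)
READ_ONLY = frozenset({Access.READ})

# Editor: full rights on the record group and fields, but Delete was forgotten on the form.
EDITOR = Role("Editor", {
    TICKETS_RG: ALL,
    TICKETS_FORM: frozenset({Access.READ, Access.WRITE, Access.CREATE}),
    TICKET_FIELDS[0]: ALL,
    TICKET_FIELDS[1]: ALL,
})
# Viewer: congruent read-only rights everywhere.
VIEWER = Role("Viewer", {TICKETS_RG: READ_ONLY, TICKETS_FORM: READ_ONLY,
                         TICKET_FIELDS[0]: READ_ONLY, TICKET_FIELDS[1]: READ_ONLY})

if __name__ == "__main__":
    user = [EDITOR, VIEWER]
    print("Delete on record group:", is_allowed(user, TICKETS_RG, Access.DELETE))
    print("Effective delete via form:",
          effective_record_access(user, TICKETS_FORM, TICKETS_RG, Access.DELETE))
    for line in find_incongruences([EDITOR], TICKETS_FORM, TICKETS_RG, TICKET_FIELDS):
        print("incongruent:", line)
```

Running the check for the Editor role reports the single dead right ("Delete: form=deny, record group=allow"): the role grants Delete on the record group, but the missing form right means no user in that role can actually delete a ticket. Adding an empty or more restrictive role to a user never removes anything, which is exactly the property the allow-only design gives you, and the reason roles must be tested in isolation.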

Online users see changes to access rights as soon as they reload the form or refresh the menu.

However, if an online user is granted a new role with rights on a data table that was not previously granted, he/she must log out and log in again for the new rights to take effect.