Access rights
The IS Tools platform provides an advanced security system to specify who can interact with what and where in the application, on different items:
|
Access rights are connected to roles, and user accounts are given these rights by being assigning them one or more roles. For this, see Administration of users and roles. Every time a new role is created, access rights must be granted for record groups, fields and forms. A good practice is to test the new role by logging in as a user with this new role, to confirm that access rights are applied as expected. |
How access rights are applied
IS Tools uses an "allow" logic for access control. By default, users have no access to items unless explicitly allowed.
-
When a user tries to perform an action, IS Tools checks the user’s roles.
-
If at least one role grants the required right, the user is allowed access.
-
If no role grants the required right, the user is denied access.
Unlike some other systems, IS Tools does not use an explicit "deny" right. This approach has several advantages:
-
Makes access rights easier to reason about
-
Makes the effects of adding or removing a role more predictable
-
All of which reduces the risk of accidentally granting unintended permissions
|
Logged-in users will be able to see changes on access rights immediately after reloading forms or refreshing the menu. However, if the user is granted a new role, they will have to log out and log in again before the new role is applied to their session. |