hi
We need to make all Data Entities read-only for all users and allow write access to some users and some entities. Is this something possible out of the box or with minimum customization?
The only thing I can think of is to create a table that will contain a list of roles and allowed data entities. In the DMFWriter class hopefully there will be a hook where we can throw an error if the user role - entity combination does not exist in the new table.
Hi Harry,
Your understanding is incorrect. Let me try to explain it in a different way. When adding an entity to a privilege, you can set access permissions for Read, Create, Update and Delete separately. For each access type, you can have access as: Unset, Grant and Deny. They are listed in priority. Unset would mean that there is no decision taken. Then another security object might have the permissions for access type.
If you have a "view" privilege, you would need to have set Grant for Read and all others should be Unset, not Deny.
For a 'maintain' privilege, you can then set them all to Grant. When a user then has both privileges via the same or different roles, the maximum will be applied, which in the case of maintain is Grant for all access types.
Only when you would have a security object with Deny permissions, then indeed this has the highest priority and this will ensure that a user will never have the permissions, even when Grant was used.
For your scenario, in this case, you should only work with Unset and Grant.
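To make the precedence described above concrete, here is a small model of how access levels combine across privileges and roles (Unset < Grant < Deny, with the maximum taken over every security object that mentions the entity). This is an added illustration, not code from the Dynamics 365 security framework or from this thread; the entity, role and privilege names are constructed, and the "view" and "maintain" privilege shapes follow the description above (view grants Read only and leaves the rest Unset; maintain grants all four). It covers both the accountant scenario and the case where a view privilege is built with Deny instead of Unset.

```python
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """Access levels in priority order: the highest one wins."""
    UNSET = 0   # no decision taken by this security object
    GRANT = 1
    DENY = 2    # overrides any Grant from another object


ACCESS_TYPES = ("Read", "Create", "Update", "Delete")


@dataclass
class Privilege:
    name: str
    entities: dict  # entity name -> {access type -> Access}


@dataclass
class Role:
    name: str
    privileges: list


def view_privilege(name: str, entity: str) -> Privilege:
    """Read is granted; Create/Update/Delete are left Unset (not Deny)."""
    return Privilege(name, {entity: {"Read": Access.GRANT}})


def maintain_privilege(name: str, entity: str) -> Privilege:
    """All four access types granted."""
    return Privilege(name, {entity: {t: Access.GRANT for t in ACCESS_TYPES}})


def effective_permissions(roles: list, entity: str) -> dict:
    """Combine every privilege of every role: per access type, keep the maximum level."""
    effective = {t: Access.UNSET for t in ACCESS_TYPES}
    for role in roles:
        for priv in role.privileges:
            for access_type, level in priv.entities.get(entity, {}).items():
                effective[access_type] = max(effective[access_type], level)
    return effective


def can_write(roles: list, entity: str) -> bool:
    """Write access means Create, Update and Delete all resolve to Grant."""
    eff = effective_permissions(roles, entity)
    return all(eff[t] == Access.GRANT for t in ("Create", "Update", "Delete"))


def deny_sources(roles: list, entity: str) -> list:
    """List (role, privilege, access type) triples that carry a Deny for the entity.
    Useful when auditing why a user unexpectedly lacks access."""
    return [
        (role.name, priv.name, access_type)
        for role in roles
        for priv in role.privileges
        for access_type, level in priv.entities.get(entity, {}).items()
        if level == Access.DENY
    ]


# Constructed sample configuration (names are not real D365 objects).
ENTITY = "ExampleDataEntity"
ACCOUNTANT = Role("Accountant", [maintain_privilege("MaintainExampleEntity", ENTITY)])
PO_MAINTENANCE = Role("PurchaseOrderMaintenance", [view_privilege("ViewExampleEntity", ENTITY)])

# A view privilege mistakenly built with Deny on the write access types.
STRICT_VIEW = Privilege(
    "ViewExampleEntityWithDeny",
    {ENTITY: {"Read": Access.GRANT, "Create": Access.DENY,
              "Update": Access.DENY, "Delete": Access.DENY}},
)
PO_MAINTENANCE_STRICT = Role("PurchaseOrderMaintenanceStrict", [STRICT_VIEW])


if __name__ == "__main__":
    print("accountant + view-only role, can write:",
          can_write([ACCOUNTANT, PO_MAINTENANCE], ENTITY))          # True
    print("view-only role alone, can write:",
          can_write([PO_MAINTENANCE], ENTITY))                      # False
    print("accountant + role with Deny, can write:",
          can_write([ACCOUNTANT, PO_MAINTENANCE_STRICT], ENTITY))   # False
    print("deny sources:", deny_sources([ACCOUNTANT, PO_MAINTENANCE_STRICT], ENTITY))
```

The first case is the one where a user holds a maintain privilege through one role and a view privilege through another: because the view privilege leaves the write access types Unset, the Grant from the maintain privilege is the maximum and write access survives. The third case shows why Deny must be avoided in a general read-only privilege: a single Deny anywhere in the user's roles outranks every Grant, and `deny_sources` points at the object responsible.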
Let us say a user has an accountant role and a purchase order maintenance role (just making up an example). The accountant role allows write access to an entity but all other roles will only have read access.
In this case, if we use the standard framework then the accountant will lose write access (because the user has the PO maintenance role, which has read-only access).
There are also other concerns that I raised above.
Hi Harry,
I'm not able to understand your reply. Why are you mentioning 'deny' privilege? This is not required when you are using read only permissions on entities via privileges. Deny has the priority over granting access. So, indeed if you are using this, users will never get write access if they have another role with 'deny'.
You now add a variable called 'validation after update'. This is what you would need to do anyway. Without adding permissions for new entities, the users will not have access. What is the business reason to provide a user read permissions to all data entities?
I would recommend using the standard security options as I mentioned in my previous reply and not try to hook in on the DMFWriter class with custom coding.
Sorry, should have mentioned earlier. We looked at creating a new privilege; however, that is too much of a task. We will need to do a validation after each upgrade/quality update. Another issue is we will need to add this 'deny' privilege to each role and this privilege needs to work with the highest level. E.g. say a user has role 1 and role 2. Role 1 has the access and in role 2 it is denied using our new privilege; then the user will need to have the access. This will not work using the security framework.
Hi Harry,
This can be achieved with security permission settings. For each data entity, there are two privileges: Maintain .... data entity and View .... data entity. You can create a duty with all privileges containing the View permissions. In addition, you can create specific duties and link the desired maintain privileges for specific roles.
If it would be too hard to find all related view privileges for the data entities, you can also create one new privilege and add all entities with read-only permissions.
Related blog post: What are the options for securing data projects - Dynamicspedia