Hi, I want to design a refined level of access through roles and ACL. There are, say, five departments, and nearly 50 to 70 employees constitute each department. Hence I've created groups for each department. Now let us consider one such group called "Administration". For our example we will consider just 4 employees to constitute that group. Two of them have complete access to all the design elements of the database, including the ACL. The other two members have access to a few design elements. Let us consider 5 forms with which documents can be composed and 5 different views. Out of the 4 employees, one has just read access to 3 views but can compose documents with all five forms, and one member has no access to these three views and can only compose documents using 3 forms (restricting access to 2 forms).
How can we refine this kind of access, if they are put into a group? And how can we incorporate roles into it to refine the access?
One more thing: I don't want to add the individuals directly in the ACL and award them the different access levels and roles to enact this setup.
Please help.
Best Regards,
Brian.
Subject: ACL and Roles
Such a refined access control can best be achieved using roles. For every "thing" you want to protect separately, you need a role.
Example: if 3 views are only to be used by people with “admin” access, you can protect those views with a single role. If different combinations are possible, you must use a role for each view.
That way, you can create groups for each role and put people who need that role into it.
Drawback: people will probably be in different groups at the same time.
Subject: ACL and Roles
I am assuming that you do not mean that you want the users to have designer access to the elements, because if this is the case they will need Designer access in the ACL and will have those rights to all design elements. As has previously been stated, for each object or group of objects that you want to control access to, you will need a separate role. Remember that the groups are only used to determine access when the user first opens the DB. Once the user is into the DB you do not know what group they were granted access through. This is so because rights are cumulative. If a person belongs to three different groups in the ACL, say Group1 Reader, Group2 Author, Group3 Editor, then the person will come into the DB with Editor access. If a role is associated with each of the groups, then the user will have all three roles, UNLESS the user is explicitly identified in the ACL. So, taking the example above, if the user is "Charlie Brown" and is listed in the ACL as Manager, then the access will be as Manager, but with NONE of the roles unless those roles are specifically associated with the individual. Hope that this helps; ACLs are really pretty straightforward once you understand the rules. One more thing: make sure the Group Type is set correctly. If a server is listed in a Person group it will have no rights from that group.
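The two replies describe a small set of rules (one role per protected element, highest access level across matching groups, roles combined across groups, an explicit person entry overriding the groups entirely, and a Person-type group granting nothing to a server). The following Python model is an added example that is not part of the original thread and is not Domino code; it encodes those rules as stated above and applies them to Brian's Administration scenario. The group names, user names, the `-Default-` fallback, the role names, and the simplification that composing a document needs Author access or better are all my assumptions for illustration.

```python
"""Toy model of the ACL-and-roles rules described in the thread (added example)."""
from dataclasses import dataclass

# Domino access levels from lowest to highest; the ordering is the real one,
# everything else in this file is a model written for this example.
LEVELS = ("No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager")


@dataclass(frozen=True)
class Entry:
    """One ACL line: a person/server name or a group, its level and its roles."""
    name: str
    level: str
    roles: frozenset = frozenset()
    is_group: bool = False
    group_type: str = "mixed"   # groups only: "person", "server" or "mixed"


@dataclass(frozen=True)
class Principal:
    """Whoever opens the database, with the groups they are a member of."""
    name: str
    groups: frozenset = frozenset()
    is_server: bool = False


def _rank(level):
    return LEVELS.index(level)


def resolve(acl, who):
    """Return (effective level, effective roles) following the thread's rules."""
    # Rule 1: an explicit entry for the name wins outright, roles included.
    explicit = [e for e in acl if not e.is_group and e.name == who.name]
    if explicit:
        return explicit[0].level, frozenset(explicit[0].roles)
    # Rule 2: only groups of a compatible type count (a server gets nothing
    # from a Person-type group, and vice versa).
    wanted = ("server", "mixed") if who.is_server else ("person", "mixed")
    matched = [e for e in acl
               if e.is_group and e.name in who.groups and e.group_type in wanted]
    if not matched:
        # Assumption: fall back to the -Default- entry, else No Access.
        default = [e for e in acl if e.name == "-Default-"]
        return (default[0].level, frozenset(default[0].roles)) if default \
            else ("No Access", frozenset())
    # Rule 3: rights are cumulative: highest level, union of all roles.
    level = max((e.level for e in matched), key=_rank)
    roles = frozenset().union(*(e.roles for e in matched))
    return level, roles


def can_open(acl, who, element_roles):
    """A view with no roles is open to Reader and above; otherwise the user
    must hold at least one of the roles listed on it."""
    level, roles = resolve(acl, who)
    if _rank(level) < _rank("Reader"):
        return False
    return not element_roles or bool(roles & element_roles)


def can_compose(acl, who, form_roles):
    """Model simplification: composing with a form needs Author or above,
    plus one of the form's roles if it has any."""
    level, roles = resolve(acl, who)
    if _rank(level) < _rank("Author"):
        return False
    return not form_roles or bool(roles & form_roles)


# Brian's scenario (constructed): three restricted views and two restricted
# forms, one role each; the other views and forms carry no role.
ALL_ROLES = frozenset({"[View1]", "[View2]", "[View3]", "[Form4]", "[Form5]"})
VIEWS = {"View1": {"[View1]"}, "View2": {"[View2]"}, "View3": {"[View3]"},
         "View4": set(), "View5": set()}
FORMS = {"Form1": set(), "Form2": set(), "Form3": set(),
         "Form4": {"[Form4]"}, "Form5": {"[Form5]"}}

ACL = [
    Entry("-Default-", "No Access"),
    Entry("Administration", "Reader", is_group=True, group_type="person"),
    Entry("AdminManagers", "Manager", ALL_ROLES, is_group=True, group_type="person"),
    Entry("AdminAuthorsAllForms", "Author", ALL_ROLES, is_group=True, group_type="person"),
    Entry("AdminAuthorsBasic", "Author", is_group=True, group_type="person"),
    Entry("Charlie Brown/Acme", "Manager"),   # explicit person entry, no roles
]

ALICE = Principal("Alice Smith/Acme", frozenset({"Administration", "AdminManagers"}))
CAROL = Principal("Carol Jones/Acme", frozenset({"Administration", "AdminAuthorsAllForms"}))
DAVE = Principal("Dave Lee/Acme", frozenset({"Administration", "AdminAuthorsBasic"}))
CHARLIE = Principal("Charlie Brown/Acme", frozenset({"Administration", "AdminManagers"}))
SERVER = Principal("Server1/Acme", frozenset({"Administration"}), is_server=True)


def effective_rights(acl, who):
    """Summarise what a principal ends up with in this database."""
    level, roles = resolve(acl, who)
    return {
        "level": level,
        "roles": sorted(roles),
        "views": sorted(v for v, r in VIEWS.items() if can_open(acl, who, frozenset(r))),
        "forms": sorted(f for f, r in FORMS.items() if can_compose(acl, who, frozenset(r))),
    }


if __name__ == "__main__":
    for p in (ALICE, CAROL, DAVE, CHARLIE, SERVER):
        print(p.name, effective_rights(ACL, p))
```

Carol ends up as Author (the higher of Reader from "Administration" and Author from her second group) with every role, Dave as Author with none, and Charlie Brown, although a member of the Manager group, gets only what his explicit entry says: Manager level and no roles, so the restricted views and forms stay closed to him. The server, whose only group is Person-type, falls through to `-Default-`.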