Anonymous

Access Control

The groups are to be used for the access control as follows.

Each user can have permissions in many groups. Read permission is needed to see data belonging to the group. Writing data needs write permission. Modifying data needs both read and write permissions. A master bit permission means that the user can grant or revoke user permissions in this group. The permissions are stored in the UserGroupPerm table. There cannot be more than one record for a given pair of a user and a group, and at least one of the permission bits should be true in that record.

Each piece of data (i.e. each row in the Base table of the database and the corresponding rows in the derived tables) has one or more links to groups; in other words, data belongs to some groups. Absence of a link to groups is an error and should lead to deletion of the data record.

The link of a data record to a group means that there is a record in the DataGroup table with the data id and the user id.

A piece of data can be shown to a user only if there exists a group which contains the piece of data and in which the user has read permission.

A special group, Public, is used to denote data which is publicly viewable. A user doesn't need to have any rights in this group in order to see the data in it.

Another special group, already mentioned, is Admin. It contains data from the tables DataGroup, UserGroupPerm, and LinkType. Only the administrator or a user with read and write permissions in the Admin group can modify data in these three tables, while adding a new LinkType record is possible for a user with write permission in some group.

The groups with write permission can be put on the desktop. All new data will belong to all groups shown on the desktop by default, though the user can remove some of the groups when adding data. Data of classes DataGroup, UserGroupPerm, and LinkType are an exception: they are always added to the special group Admin.

Of course, existing data can be added to more groups and removed from some groups, though those are separate operations.

The administrator has full control over all data and all user permissions.
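
The read and modify rules above, written as SQLite queries in Python (an added example, not code from the project). Only the table names UserGroupPerm, DataGroup and Base come from the page; the column names, the sample rows, the group column in DataGroup, and the reading that read and write must be held in the same group are assumptions, and the administrator override is left out.

```python
import sqlite3

# Column names and sample rows are assumptions; only the table names come from the page.
SCHEMA = """
CREATE TABLE UserGroupPerm (
    user_id TEXT, group_name TEXT,
    can_read INTEGER, can_write INTEGER, is_master INTEGER,
    PRIMARY KEY (user_id, group_name),               -- one record per (user, group)
    CHECK (can_read + can_write + is_master >= 1)    -- at least one bit set
);
CREATE TABLE Base (id INTEGER PRIMARY KEY);
CREATE TABLE DataGroup (data_id INTEGER, group_name TEXT,
                        PRIMARY KEY (data_id, group_name));
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO UserGroupPerm VALUES (?,?,?,?,?)", [
        ("alice", "LabA", 1, 1, 0),   # constructed: reader and writer
        ("bob",   "LabA", 0, 1, 0),   # constructed: write-only provider
    ])
    db.executemany("INSERT INTO Base VALUES (?)", [(1,), (2,), (3,)])
    db.executemany("INSERT INTO DataGroup VALUES (?,?)",
                   [(1, "LabA"), (2, "Public")])   # row 3 has no group link
    return db

def can_read(db, user, data_id):
    """Readable if some group holding the row is Public or grants read."""
    return db.execute("""
        SELECT 1 FROM DataGroup dg
        LEFT JOIN UserGroupPerm p
               ON p.group_name = dg.group_name AND p.user_id = ?
        WHERE dg.data_id = ? AND (dg.group_name = 'Public' OR p.can_read = 1)
        LIMIT 1""", (user, data_id)).fetchone() is not None

def can_modify(db, user, data_id):
    """Modifying needs read AND write in one group holding the row."""
    return db.execute("""
        SELECT 1 FROM DataGroup dg
        JOIN UserGroupPerm p ON p.group_name = dg.group_name
        WHERE dg.data_id = ? AND p.user_id = ?
          AND p.can_read = 1 AND p.can_write = 1 LIMIT 1""",
        (data_id, user)).fetchone() is not None

def orphaned(db):
    """Base rows with no group link, which the rules treat as an error."""
    return [r[0] for r in db.execute(
        "SELECT id FROM Base WHERE id NOT IN (SELECT data_id FROM DataGroup)")]
```

The primary key and CHECK constraint make the database itself reject a duplicate (user, group) record or a record with no permission bit set.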

Uses of Access Control

There might be more than one way to use Access Control.

An obvious way is to use it for separating data belonging to different organizations or units. There might be relations between the units, like information provider and consumer, where one unit can write data and the other can only read.

Another use case is using Access Control for grouping information according to aim or project. All users can read and write in all groups, but the information is easier to find by limiting the search to a known project. In the same way, the search can help estimate what has been measured within some research project.


Related

Wiki: Home
Wiki: LinksRelatingData
