Setting up Data Access Control groups

A Data Access Control ( DAC) group controls permissions related to entities, links, and fields in each database. This allows a very fine control of how individual pieces of data are made visible to, or modifiable by, groups of users.

About this task

Data Access Control Group Permissions control:

  • Denying access or modification to all records for a particular entity type or link type.

  • Hiding administrative fields in records or making administrative fields read-only to certain groups of users.

  • With SQL Server databases only, making selected records of various entity types or link types inaccessible according to the security classification code (SCC) given to each record.

Data Access Control is specific to each database in which it is defined. Consider carefully how you might want to use a scheme using this type of conditional access.

Important: After making changes to a Data Access Control group in a database that uses alerting, log off and then reopen the database as soon as possible, in either iBase or iBase Designer. This applies the security changes to any existing alert definitions.

Procedure

  1. Open a database.

  2. Select Security > Data Access Control.

  3. Use the Security Manager dialog to create one or more Data Access Control groups, and assign users as members of those groups.

  4. Open the Data Access Control dialog. The dialog has two main areas, a list of security groups on the left and a tabbed area on the right, with tabs for:

    • Tables

      List of checkboxes and names of all the entity types and link types in the database. Each name is of the form Type: Name, to show which type it represents. For example, the names might include Entity: Account.

      If a checkbox is turned on then the named table (all records of that named entity or link type) or field is denied to members of the selected security group.

    • Fields

      List of checkboxes and names for all the fields of all the entity types and link types in the database. Each name is of the form TypeName: FieldName, to show which entity type or link type contains the field. For example, the names might include Account: Account Type. In these pages, standard fields appear separately for each entity or link type and you can control the appearance of each standard field independently.

      Important: You are warned if you deny access to a mandatory field (or if you make a denied field mandatory). If you choose to deny access to this field (or make a denied field mandatory), you prevent members of the group from adding records of the entity or link type.

      If a checkbox is turned on then the named field is denied to members of the selected security group.

    • Read-Only Tables

      If a checkbox is turned on then the named table (all records of that named entity or link type) or field is made protected from change by members of the selected security group.

    • Read-Only Fields

      If a checkbox is turned on then the named field is made protected from change by members of the selected security group.

    • Security Classification Codes

      List of checkboxes and names for all classification entries in all SCC code lists defined in the database.

      If a checkbox is turned on then all records with that classification are denied to members of the selected security group. (If any classification name appears in more than one SCC list, the denial of records applies to all records with that classification regardless of the list in which it appears.)

    Note: If you have opened an Access database, the dialog does not display the Security Classification Codes tab. This is because iBase does not support this form of control for Access databases. For this reason, there is some duplication of contents in these tabbed pages.

  5. To view the current configuration or to configure a group, first select the group in the Security Groups list. Then click each tab to see the entries where the checkboxes are turned on and, if you want to, turn on or off various entries.

  6. Save the changes.

Results

The specified access will be applied.

Note: The relationship to database contents means that the full definition of a Data Access Control group is stored in two parts. The name and membership of each group is stored in the security file. The restrictions on members of each group are stored in the database.

To apply the same control to another database controlled by the same security file, open that database and with the window of that database active, enter the Data Access Control dialog. Your security groups will already exist so you need only turn on the same checkboxes to apply the same security.