System Commands Access Control Groups can be used to deny and hide
specific iBase commands to users.
System Commands Access Control groups allow you to:
Deny use of iBase commands that would otherwise be available to users
because of their membership of one or more Database Management groups.
Hide iBase commands and toolbar buttons that are not available because
of a user's membership of one or more Database Management groups.
Where it is not possible to hide these, a message is displayed
You do not have the necessary permissions to perform this action.
Record the user's reason for using a particular command.
Log the use of the command in the audit log.
To display the System Commands Access Control dialog:
Existing security groups are listed in the left of the dialog. See
Creating Groups and Adding
Members if there no groups of
this type defined in the security file.
Note: You can also deny use of iBase functionality to all the users
of the local machine, rather than just to the members of a specific user
group.
Access to basic menu commands in iBase
A user with full database management permissions (such as SYSADMIN)
always has access to the following menu commands in iBase, even when
they are denied access to all the system commands listed in the
following section:
Find, list, and show records
Use iBase Link charts
Create reports
For links, view the valid end types
Lists sets, add records to sets, and view set membership
List labeling schemes and set a default labeling scheme
Search for duplicate and matching records
Examine their user details and the database properties
Set session defaults and change the settings in the Options dialog
Export data to Microsoft Excel using the Excel Interface
Define folder objects as common folder
objects (only of use when there is
a Schema Update license)
Denying access to menu commands in iBase
iBase has several hundred commands including some with very similar names, which would make administration tricky and tedious if you had to make individual decisions for each command. To reduce this complexity, the commands are divided into groups.
- Advanced Analysis
Denies access to Scored Matching, Field Calculator, starting Analyst's Notebook from iBase, sending data to Analyst's Notebook charts, and commands for Mapping Configurations and sending data to maps.
- Alerting
SQL Server databases only: denies access to the commands in the Database Explorer for adding alert definitions. Users are still able to receive alerts.
- Basic Analysis
Denies access to queries, combining sets and analyzing sets, and the Coordinate Query Builder.
- Batch modification
Denies access to commands that affect batches of records: Merge Entities, Batch Edit and Batch Delete.
- Charting
Denies access to all the commands on the shortcut menu in Analyst's Notebook that apply to existing records in an iBase database. For example: users cannot expand records, use the Timeline Wizard, find common neighbors, populate cards, expand records and so on. It also prevents a user from opening Analyst's Notebook while iBase is open. It does not restrict the use of iBase link charts.
Note: Users in Analyst's Notebook can continue to add new records to the iBase database, and add the records created during the session to sets but cannot expand them.
- Charting Schemes
Removes or denies access to the commands for creating, editing, and saving charting schemes, as well to the commands on the shortcut menu for categorizing, listing and renaming them as folder objects.
Note: Users can still send data to Analyst's Notebook for charting and are prompted to select a charting scheme as usual.
- Code lists
Removes the Code Lists command from the Edit menu so that users cannot change items on pick lists or icon lists.
- Create Link/Entity
Removes the commands and toolbar buttons for adding new entity or link records whether using a standard dialog, a datasheet or Analyst's Notebook.
- Database Statistics
Removes the commands for Database Statistics, Database Design Report, and Security Design Report.
- Define Analysis
Users can chart existing queries but they cannot define new queries in iBase or Analyst's Notebook. Also, in iBase, they cannot open, categorize, list or rename queries, or use the Coordinate Query Builder.
- Labeling Scheme
Users can still list the labeling schemes and select a default labeling scheme but they cannot add, delete, edit or rename labeling schemes, alter the contents of a labeling scheme or copy them.
- Report Definitions
Users can still produce reports but they cannot add, edit, delete, categorize, list or rename report definitions.
- Soft Delete
Removes the commands on the Edit menu for restoring and purging soft deleted records.
- Tools
Removes the commands on the Tools menu in iBase for editing the MRU list and activating plug-ins.
- View History
SQL Server databases only: prevents users from displaying the audit history both in iBase and in Audit Viewer. If alerting is used, it prevents users from displaying the alert details.
To deny access to the commands in a command group:
You can inspect the detailed definitions of these groups by looking in a
supplied, unsecured Access database, CommandGroups.mdb. This is in the
application data area of your installation (see Installation and
Application Data Folders for details). The command
groups, their descriptions, and their definitions are in the
_CommandGroup table.
Do not attempt to change these definitions, at least not without
obtaining advice from your supplier. If you make changes to
CommandGroups.mdb, then you need to apply it to the current security
file by selecting Database Setup > Update Command Groups from
the Tools menu.
Recording the reason for an action
You can require the user to enter a reason for using a particular command in iBase, or an iBase command when working in Analyst's Notebook. The reason is recorded in the audit log; however, the records affected by the command are only recorded if you set the audit level of the database to level 5.
- Audit Analysis
Members of this group are prompted to enter a reason whenever they open a database or perform any analysis on iBase records, such as:
Run a folder object such as a browse definition, report definition, query, import specification and so on
Use any iBase command when the database is open in Analyst's Notebook
Use any charting commands when in iBase
Use any mapping commands when in iBase
Use the Field Calculator dialog
Copy data to the clipboard
Export data using the Excel Interface dialog
Use the Coordinate Query Builder
- Audit Charting
Members of this group are only prompted to enter a reason when they work with iBase data on charts, specifically:
- Audit Data Exposure
Members of this group are prompted to enter a reason when they use any command in iBase that may result in data being printed (for example by exporting or reporting); or use iBase data in Analyst's Notebook, or i2 iBase Geographic Information System Interfaces.
- Data Auditing: create, edit, delete
Members of this group must enter a reason for adding, editing, or deleting records before they can save the record. They are also prompted to do this when merging entities, batch editing and deleting, and assigning icons.
To prompt the user to record a reason for an action:
Auditing the commands used
You can record the commands used by a user in the audit log:
The three command groups are identical to the groups on the Reason for
Action page. See above for details of the commands covered by each
group.
What users see
Users do not see the commands that you have denied, so named menus (such
as File) and shortcut menus become shorter, and some submenus might
disappear entirely.
Note: Although some command groups deny commands for listing folder
objects, users can still see which folder objects exist by using the
Details window of the Database Explorer.
