Database Management groups

Database Management groups allow you to define groups with basic permissions to affect data records or folder objects (sets, queries, and so on), and entire databases or security files.

Database Management groups are defined in the Group dialog:

  • From the Security menu in iBase Designer, select Security Manager and, on the Groups page, click New.
The Permissions page of the Group dialog divides permissions into these areas:
  • Entity/Link Records
  • Folder Objects
  • System Roles

Entity/Link Records

In this area of the Group dialog, you can give the group members permission to manipulate entities and links. This applies only to records that they create. To allow group members to update or delete records that are created by other users, turn on the Update/Delete Records created by other users check box.

Typically, you want to give Add and Update permissions to all data entry staff. You might want to give Delete permission to all data entry staff, which enables them to remove records that they personally created, for example to correct mistaken or duplicate entries. In some cases, you might want to restrict both the Delete and Update/Delete data Created by Other Users permissions to supervisory or senior staff roles.

Folder Objects

In this area of the Group dialog, you can give the group members permission to manipulate folder objects (sets, queries, and so on). This applies only to folder objects that they create. To allow group members to update or delete folder objects belonging to other users, turn on these check boxes:
  • Update/Delete Restricted Folder Objects created by other users (for details of restricted folder objects, see Folder Object Control Groups)
  • Update/Delete Public Folder Objects created by other users
Note: Even if you give a Database Management group every permission in the Entity/Link Records and Folder Objects area, you can still restrict what a user does by making that user a member of other types of group. For example, you can use System Commands Access Control groups to hide some or all of the commands that implement actions of a type enabled in the Database Management group.

System Roles

In this area of the Group dialog, you can give the group members one or more of the administrative roles, or grant them permission to view restricted audit logs. These roles are not modified in any way by the other types of iBase security groups. See Administrative Users for details of the administrative roles.

What users see

In general, users without a particular permission can start iBase and related applications but the affected commands in menus and shortcut menus appear as unavailable (dimmed or gray).

Some affected menu commands, mostly those linked to folder objects (sets, queries, and so on), remain available but, when selected, these commands display a dialog saying that the user has insufficient permissions to continue.
Note: In addition, you can define System Commands Access Control groups and deny commands to hide unavailable commands. See System Commands Access Control Groups.
In the Audit Viewer, users without the Security Administrator system role, see commands as available but are unable to open any log.