Folder Object Control groups

You can use Folder Object Control (FOC) groups to control access to queries, sets, and all other folder objects that require restricted access. When a member of a FOC group wants to save a report definition, for example, they can choose to restrict access to themselves and other members of the group. They can also choose to save it as a public or private object if they want.

The user’s viewpoint

In understanding how this type of group works, it is important to consider the user’s viewpoint:
  • A user sees only the Folder Object Control groups in which they are a member. The user can see and change folder objects that are saved with restrictions based on those groups.
  • If there are other FOC groups, the user does not see those groups and cannot directly change objects that are saved with restrictions based on those groups. Depending on database permissions, the user might be able to make the object public.

Here are some design and management ideas:
  • Ensure that at least one administrative user has membership of all FOC groups. This access is required for a full view of the restrictions on folder objects and the ability to change each restriction individually.
  • Do not give the permission Update/Delete Restricted Folder Objects created by other users to non-administrative users if it is important to preserve folder object restrictions. For more information, see Creating mandatory Database Management groups.

Managing Folder Object Control groups

In iBase Designer, you use the Security Manager to create Folder Object Control groups, and to declare appropriate users as members of those groups. See Creating the optional types of group for details. The members of the groups define how the groups are used.

You can also delete FOC groups. If you delete a FOC group, you must use iBase Designer to open each database that is secured by the security file before the change is fully applied. In each database, the deleted FOC group is removed from all folder objects to which it has been applied. If that FOC group was the only group applied to an object, the object becomes public.
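The deletion rule above and the earlier recommendation that one administrator belongs to every FOC group can both be checked before a group is deleted. The following is an added example, not iBase code or an iBase export format: it assumes a hand-built inventory of group memberships and folder object restrictions, and all group, user, and object names are hypothetical.

```python
# Added illustration: the inventory is hand-built, not read from iBase.

def deletion_impact(restrictions, group):
    """Classify restricted folder objects by what deleting `group` does to them.

    restrictions: dict mapping folder object name -> set of FOC group names.
    """
    becomes_public, stays_restricted = [], []
    for obj, groups in sorted(restrictions.items()):
        if group not in groups:
            continue  # object is not restricted by this group
        remaining = groups - {group}
        # Per the page: if the deleted group was the only one, the object becomes public.
        (stays_restricted if remaining else becomes_public).append(obj)
    return {"becomes_public": becomes_public, "stays_restricted": stays_restricted}


def admins_with_full_view(memberships, admins):
    """Return the admins who are members of every FOC group."""
    return sorted(a for a in admins
                  if all(a in members for members in memberships.values()))


# Constructed sample data (all names hypothetical).
MEMBERSHIPS = {
    "FOC-Fraud": {"alice", "bob", "sysadmin"},
    "FOC-Narcotics": {"carol", "sysadmin"},
    "FOC-Intel": {"dave", "secadmin"},
}
RESTRICTIONS = {
    "Query: open fraud cases": {"FOC-Fraud"},
    "Set: joint task force": {"FOC-Fraud", "FOC-Narcotics"},
    "Report: informant contacts": {"FOC-Intel"},
}

if __name__ == "__main__":
    for grp in sorted(MEMBERSHIPS):
        print(grp, "->", deletion_impact(RESTRICTIONS, grp))
    full = admins_with_full_view(MEMBERSHIPS, {"sysadmin", "secadmin"})
    print("admins in every FOC group:", full or "NONE")
```

An empty result from `admins_with_full_view` means no single administrator can see and change every restriction, and any object listed under `becomes_public` needs a replacement restriction chosen before the group is deleted.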

There is no other specific management activity.

Where Folder Object Control groups are stored

The relationship to database contents means that the full definition of a Folder Object Control group is stored in two parts. The name and membership of each group are stored in the security file. The restrictions on members of each group are stored in the database because it is in the database that the folder objects and their linkage to the groups are stored.

If you create a new database from a template based on a database with FOC restrictions, the new database has no folder object access restrictions, but it does have access to the security groups in the relevant security file and any folder objects in the template. This behavior allows you to reproduce the security settings more easily than at first creation.