Multi-group Support: security profile extensions

Note: See User / Groups for details about how Vitalware specifies user permissions and how to assign users to more than one group.

The Vitalware server security profiles have been extended to provide support for multiple groups per user. The profiles are maintained in XML format in a file named security in the database directory. Two new attributes have been added to the <user> tag to provide support for multiple groups:

  • level

    The level attribute defines a label for the user profile. By changing the value of the level label for a given user, a different set of security settings is enabled. The group name is used as the label value for Vitalware databases. To switch between groups the Vitalware client changes the level value to match the group of the module with focus, that is, the module with which the user is interacting.

  • default

    A "yes" value indicates this set of security settings should be used if the client has not set a level value. When the Vitalware client first connects, a level has not been set as the Vitalware Registry has not yet been consulted (a chicken and egg problem). Once the Registry can verify the login group, the level is set to the supplied value.

A user security profile is created for each group that a user is registered to use (via the User|user|Group Registry entry). If user badenov has the following Registry entry:

Key User
Key 1 User
Key 2 badenov
Key 3 Group
Value Mail Room;Counter

the following XML security segments are generated:

<user name="badenov" level="Mail Room" default="yes">
 ... 
</user>
<user name="badenov" level="Counter">
 ...
</user>

The security profiles are built by the vwsecurity command. This server-side command consults the Vitalware Registry and builds suitable security profiles for all modules, for all users, for each group a user is in. The command is invoked automatically whenever a User|user|Group Registry entry is created, modified or deleted. vwsecurity sets the default attribute to "yes" for the first group listed for each user.

The security level is set via the seclevel database option. The value of the option is the security level to use. If the option has not been set or the value is empty, the security profile with the default="yes" attribute specified is used. For example, to load data into the parties module using group Counter the following commands could be used:

epartiesopts=seclevel=Counter
export epartiesopts
texload ....

When using TexAPI, the seclevel is set via the TexOptionSet() call. For example, to change the security level to use group Counter for all Vitalware tables, the following call could be used:

TexOptionSet(session, NULL, "seclevel", "Counter");

For Perl-based scripts, the OptionSet() call is used to alter the security level. For example, to change the security level to use group Counter for all Vitalware tables, the following call could be used:

$session->OptionSet("", "seclevel", "Counter");

The seclevel option may be set on a per database basis or a system wide basis.
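
The selection rule described above (an empty or unset seclevel falls back to the profile marked default="yes") can be checked offline against a copy of the security file. The following Python sketch is an added example, not Vitalware code: the <security> wrapper element, the <table> children, the user fatale and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <security> wrapper and <table> children are
# assumptions; the page shows only the <user> tags and their attributes.
SAMPLE = """
<security>
  <user name="badenov" level="Mail Room" default="yes"><table name="eparties"/></user>
  <user name="badenov" level="Counter"><table name="eparties"/></user>
  <user name="fatale" level="Counter"><table name="eparties"/></user>
</security>
"""

def load_profiles(xml_text):
    """Return {user: [(level, is_default), ...]} in document order."""
    profiles = {}
    for el in ET.fromstring(xml_text).iter("user"):
        entry = (el.get("level"), el.get("default") == "yes")
        profiles.setdefault(el.get("name"), []).append(entry)
    return profiles

def resolve_level(profiles, user, seclevel=None):
    """Pick the profile level the page's rule selects for this user.

    Unset or empty seclevel -> the profile marked default="yes".
    The page does not say what the server does when nothing matches,
    so this sketch returns None rather than guessing.
    """
    entries = profiles.get(user, [])
    if not seclevel:
        defaults = [lvl for lvl, is_def in entries if is_def]
        return defaults[0] if len(defaults) == 1 else None
    return seclevel if any(lvl == seclevel for lvl, _ in entries) else None

def audit_defaults(profiles):
    """Report users whose profiles do not carry exactly one default."""
    findings = {}
    for user, entries in profiles.items():
        count = sum(1 for _, is_def in entries if is_def)
        if count != 1:
            findings[user] = count
    return findings

if __name__ == "__main__":
    p = load_profiles(SAMPLE)
    print(resolve_level(p, "badenov"), resolve_level(p, "badenov", "Counter"))
    print(audit_defaults(p))
```

A user with no default profile, or more than one, has no well-defined fallback for the window before the client sets a level, so any finding from audit_defaults is worth reviewing after the profiles are rebuilt.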