COM-FSM

Administration

Page last modified 04:52, 5 Sep 2008 by Admin
    Table of contents
    1. Overview
    2. Accounts
    3. Forms
    4. Form Groups
    5. Reports

    Version as of 01:12, 21 Apr 2024

    Overview

    Security for the student database is integrated with the LDAP support for e-mail and other services that can use LDAP for authentication. Users of the student database need an LDAP account configured with the database service, and permissions to access forms.

    The password for all services associated with an LDAP account is the same, which introduces some restrictions on where accounts can be managed. Each LDAP service is defined with an access level that determines which forms may manage which accounts. The E-Mail Account form, for example, will not allow management of an account that has access to the student database. This prevents a low-authorization user from setting the password on (and then using) an account with more access than their own.

    Accounts

    Each person in the database can have multiple LDAP accounts. Access to the student database can be managed either through the Database User or LDAP Account forms. Both can create and manage LDAP accounts and the database service.

    Database users must also have their access defined in terms of which forms they may use and what type of access they need to those forms. The User Access form is used to manage this information, which is expressed in terms of form groups or individual forms.

    Revoking access can be accomplished either by disabling or deleting an account's database service. The change is immediate.

    Forms

    Each form is defined with a code, label, description, and URI. The list of database objects (tables, views, etc.) that the form requires, and the privileges needed on each object, must also be specified. The server-side code checks each interaction with a form to verify that the requested action is allowed for the data being managed. The Form and Form Objects forms can be used to manage this data, but it is typically defined and maintained by form developers when forms are added or modified.

    Form Groups

    The hundreds of data entry forms that exist in the student database are organized into functional groups to simplify granting access to users. Rather than having to specify each individual form that each user needs, access can be specified by group.

    Each form group specifies a list of forms and overall permissions for the group. There is a group called VALID.V, for example, that allows viewing of all validation tables. It is configured with select access, but not insert, update or delete; this allows viewing of data but no modification. The Form Groups form can be used to manage these groups, but they are typically defined and maintained by form developers when forms are added or modified.

    The User Access form is used to assign form groups to users. It can also be used to extend or revoke access to individual forms.
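    The account-management restriction described under Accounts and the group-plus-individual-form access model described above, as an added illustration that is not part of the original page or of the COM-FSM system: the group VALID.V comes from the page, while the form codes, the second group, the numeric access levels and the form names in the level table are constructed assumptions.

```python
from dataclasses import dataclass, field

PRIVS = {"select", "insert", "update", "delete"}

@dataclass
class FormGroup:
    code: str
    forms: set            # codes of the forms in the group
    privs: set            # group-wide permissions, e.g. {"select"} for VALID.V

@dataclass
class User:
    uid: str
    db_service_enabled: bool = True                   # disabled/deleted service = immediate revoke
    groups: set = field(default_factory=set)          # form groups assigned via User Access
    form_grants: dict = field(default_factory=dict)   # individual form extensions: form -> privs
    form_revokes: set = field(default_factory=set)    # individual form revocations

# Constructed sample groups; only VALID.V is named on the page, its form codes are made up.
GROUPS = {
    "VALID.V": FormGroup("VALID.V", {"VALID_TERM", "VALID_GRADE"}, {"select"}),
    "REG.M": FormGroup("REG.M", {"ENROLL", "VALID_TERM"}, {"select", "insert", "update"}),
}

def effective_privs(user, form):
    """Union of group privileges plus individual grants, unless revoked or service disabled."""
    if not user.db_service_enabled or form in user.form_revokes:
        return set()
    privs = set()
    for code in user.groups:
        grp = GROUPS.get(code)
        if grp is not None and form in grp.forms:
            privs |= grp.privs
    privs |= user.form_grants.get(form, set())
    return privs & PRIVS

def is_allowed(user, form, action):
    """The kind of server-side check run on each form interaction."""
    return action in effective_privs(user, form)

# Hypothetical numeric access levels for LDAP services and for account-management forms.
SERVICE_LEVEL = {"email": 1, "studentdb": 3}
FORM_LEVEL = {"EMAIL_ACCOUNT": 1, "LDAP_ACCOUNT": 3, "DATABASE_USER": 3}

def can_manage_account(form, target_services):
    """A form may manage an account only if none of the account's services outrank the form."""
    highest = max((SERVICE_LEVEL[s] for s in target_services), default=0)
    return FORM_LEVEL[form] >= highest
```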

    Reports

    Each report is configured with a code, description, and URI. The parameters used by each report are specified with a name, whether the parameter is optional, and any default value for the parameter.

    Access to reports is controlled by access to the forms they are requested from. No additional user-specific security restrictions are imposed.