|
AdministrationTable of contents
OverviewSecurity for the student database accounts is integrated with LDAP support for e-mail and other services that can use LDAP for authentication. Users of the student database need an account configured with the database service, combined with permissions to access data entry forms. All services associated with each LDAP account share the same password, which introduces some restrictions on where management of accounts can occur. Each LDAP service is defined with an access level that affects which forms can manage which accounts. Accounts configured with services having a high access level are not manageable from forms designed to manage lower-level services. The E-Mail Account form, for example, will not allow management of an account with access to the student database (a service with a higher access level). This is necessary to prevent a low-authorization user from changing the password and then using an account with more access. AccountsEach person in the database can have multiple LDAP accounts. Access to the student database can be managed either through the Database User or LDAP Account forms. Both can create and manage LDAP accounts and the database service. Database users must also have their security defined in terms of what forms they have access to, and what type of access they need to these forms. The User Access form is used to manage this information, which is expressed in terms of form groups, or individual forms. Revoking database account access to can be accomplished either by disabling or deleting an account's database service. The change is immediate. FormsEach form is defined with a code, label, description, and URI. The list of database objects (tables, views, etc.) that the form requires, and what privileges on each object must also be specified. The server-side code checks each interaction with a form to verify that the requested action is allowed for the data being manipulated, e.g. whether a form is allowed to update information from table x. Form and Form Objects can be used to manage this data, but it is typically defined and maintained by developers when forms are added or modified. Form GroupsThe hundreds of data entry forms that exist in the student database are organized into functional groups to assist with provision of access to users. Rather than having to specify each individual form that each user needs, it's possible to specify them by group. Each form group specifies a list of forms and overall permissions for the group. There is a group called VALID.V, for example, that allows viewing of all validation tables. It is configured with select access, but not insert, update or delete; this allows viewing of data but no modification. The Form Groups form can be used to manage these groups, but they are typically defined and maintained by form developers when forms are added or modified. The User Access form is used to assign form groups to users. It can also be used to extend or revoke access to individual forms. ReportsEach report is configured with a code, description, and URI. The list of parameters used by each report are specified with a name, whether a parameter is optional, and any default for each parameter. Access to reports is controlled by access to the forms they are requested from. No additional user-specific security restrictions are imposed. |