Table level Security with multiple groups not working

From the online help:

NOTE: If a user is in multiple groups, the highest access rights will be applied to them. For example, if a user is in one group that has read-only access to a field and in a second group that has full access, the user will have full access to the specified field.

This isn’t working at table level though:

I have 2 groups:

  • group 1 has read, insert, update, delete on Table A;
  • group 2 has read only on Table A;

Two users:

  • User 1 is member of group 1 and is ok;
  • User 2 is member of both groups but he cannot write or update Table A.

Servoy 2.2rc6 Dev and Client
Mac and Win (Java 1.4)

Hmmm, what the manual tells you is not how I work with it. As far as I know it is the lowest level that sets the rights. Although I must be honest I only do these settings on elements and not on the table.

I have for example a group ‘useredit’. This group DOES NOT give the right to edit.

When I don’t allow a user to edit a record he is a member of the group on top of the rest. That user now has no rights to edit, no matter what the rest of the rights are…

Anyway, I really hope this is intentional behavior and it doesn’t change otherwise I would have a serious issue :?

IT2BE:
I have for example a group ‘useredit’. This group DOES NOT give the right to edit.

Anyway, I really hope this is intentional behavior and it doesn’t change otherwise I would have a serious issue :?

It would be a big limit though. I have a solution where different groups do different things and following the manual there would be no problem having a user in two groups and let him do both functions but if things work the other way it would be impossible.
An example: I have a Warehouse group who does inventory, label printing and other warehouse-related things and a Technicians group who test the newly arrived products but don’t have to do inventory; I have a particular user who is a technician that sometimes when small shipments arrive does the inventory and the test all together; if the manual is right it is as easy as adding this user to both groups but the other way around I’d have to create a third group Warehouse+Tech with special privileges.

It would be a big limit though. I have a solution where different groups do different things and following the manual there would be no problem having a user in two groups and let him do both functions but if things work the other way it would be impossible.

Not true, you have to think the other way around. One that has all rights is part of NO group. Every group gives an extra limit. As simple as that but you have to reset your paradigms for this one :)

IT2BE:

It would be a big limit though. I have a solution where different groups do different things and following the manual there would be no problem having a user in two groups and let him do both functions but if things work the other way it would be impossible.

Not true, you have to think the other way around. One that has all rights is part of NO group. Every group gives an extra limit. As simple as that but you have to reset your paradigms for this one :)

I don’t agree.
Anyway Servoyans any official comment?

Please Servoy Staff, can you reply on this one? I really need to know how security and privileges are supposed to work before I build all my security system. Is this a bug or is the manual wrong? Need an official statement.

I have 2 groups:

  • group 1 has read, insert, update, delete on Table A;
  • group 2 has read only on Table A;

Two users:

  • User 1 is member of group 1 and is ok;
  • User 2 is member of both groups but he cannot write or update Table A.

Some thoughts:

– Is it possible that a method is run at some point that removes user 2 from group 1? (And then perhaps restores User 2 to Group 1?)

– Or a method has come into play that controls access for a particular form, or the like, and is overriding the base security settings?

– Is it possible that the security configuration on the back end (or domain security on the server Table A lives on) is conflicting with the privileges of User 2 that you established in Servoy?

– When you say “he cannot write or update Table A” is the insert or update process part of a method? If so, what is returned by getUserGroups if you log in as that user and run this function as a check after the insert or update fails?

– If a method is involved, would User 1 and User 2 be running the same exact code, or does your code branch based on user/group parameters?

– Again, if a method is involved, have you logged in as User 2 and watched debugger?

CAVEAT: I have little/no experience in using methods to control/revise security settings, nor do I have a good understanding of what happens if your Servoy security settings conflict with external security settings (back end, domain), etc. So take some of the above thoughts with “a grain of salt” because at best I am speaking as an intuitive troubleshooter and at worst, as we so nicely put it here in the States, I am talking out of my a**!

Nevertheless I hope this might be some good food for thought.

kazar

kazar:
Some thoughts:

– Is it possible that a method is run at some point that removes user 2 from group 1? (And then perhaps restores User 2 to Group 1?)

No, no methods.

kazar:
– Or a method has come into play that controls access for a particular form, or the like, and is overriding the base security settings?

Nope.

kazar:
– Is it possible that the security configuration on the back end (or domain security on the server Table A lives on) is conflicting with the privileges of User 2 that you established in Servoy?

No, Servoy is accessing the Backend with full privileges.

kazar:
– When you say “he cannot write or update Table A” is the insert or update process part of a method? If so, what is returned by getUserGroups if you log in as that user and run this function as a check after the insert or update fails?

No, the updates and inserts are done manually and yes the user is listed on the appropriate groups.

kazar:
– If a method is involved, would User 1 and User 2 be running the same exact code, or does your code branch based on user/group parameters?

–Again, if a method is involved, have you logged in as User 2 and watched debugger?

No method involved, no code to be run, nothing to debug.
The problem here is to know the official statement of Servoy Staff.
My point of view is that things should work as stated in the manual, IT2BE’s point of view is on the opposite side, it’s not a right or wrong thing, it’s just about personal preference and different ways of thinking. The problem is that one of us will have to rewrite a lot of code… :(

The problem here is to know the official statement of Servoy Staff.

Agreed, given that you seem to be witnessing behaviors that are contrary to what is stated in the manual.

AFAIK they are really busy getting 2.2 ready to ship right now, so probably the best way to get a response from “the mothership” is to email support.

Please post back if you discover the resolution in an email exchange. Thanks.

good luck!

kazar

kazar:

I have 2 groups:

  • group 1 has read, insert, update, delete on Table A;
  • group 2 has read only on Table A;

Two users:

  • User 1 is member of group 1 and is ok;
  • User 2 is member of both groups but he cannot write or update Table A.

Some thoughts:

1-- Is it possible that a method is run at some point that removes user 2 from group 1? (And then perhaps restores User 2 to Group 1?)

2-- Or a method has come into play that controls access for a particular form, or the like, and is overriding the base security settings?

3-- Is it possible that the security configuration on the back end (or domain security on the server Table A lives on) is conflicting with the privileges of User 2 that you established in Servoy?

4-- When you say “he cannot write or update Table A” is the insert or update process part of a method? If so, what is returned by getUserGroups if you log in as that user and run this function as a check after the insert or update fails?

5-- If a method is involved, would User 1 and User 2 be running the same exact code, or does your code branch based on user/group parameters?

6-- Again, if a method is involved, have you logged in as User 2 and watched debugger?

7 CAVEAT: I have little/no experience in using methods to control/revise security settings, nor do I have a good understanding of what happens if your Servoy security settings conflict with external security settings (back end, domain), etc. So take some of the above thoughts with “a grain of salt” because at best I am speaking as an intuitive troubleshooter and at worst, as we so nicely put it here in the States, I am talking out of my a**!

Nevertheless I hope this might be some good food for thought.

kazar

  1. yes, see add/removeUserFromGroup the security node in scripteditor
  2. not possible, all is group driven
  3. yes, Servoy Server does not relate database connection access to the security (It uses database connection in a pooled way!), so unless the connection access applies to all users it is not useful in a 3 tier env.
  4. getUserGroups returns a list of groups the user is member of
  5. yes, if you make the branches with IF it will branch… (?)
  6. ?

Jan Blok:

  1. yes, see add/removeUserFromGroup the security node in scripteditor
  2. not possible, all is group driven
  3. yes, Servoy Server does not relate database connection access to the security (It uses database connection in a pooled way!), so unless the connection access applies to all users it is not useful in a 3 tier env.
  4. getUserGroups returns a list of groups the user is member of
  5. yes, if you make the branches with IF it will branch… (?)
  6. ?

Hi Jan, can you comment on the original post? How Servoy table-level security is supposed to work? As stated in the manual or the other way around?
Is what I found a bug?

ngervasi:
From the online help:

NOTE: If a user is in multiple groups, the highest access rights will be applied to them. For example, if a user is in one group that has read-only access to a field and in a second group that has full access, the user will have full access to the specified field.

This isn’t working at table level though…

It’s indeed only working correctly, only when the security update button for a table in all groups is used it works… will be fixed in Servoy 2.2 rc8

Thanks Jan!
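
The two readings argued over in this thread, computed side by side for the Table A setup, as an added example that is not Servoy code and not part of any post. The rights constants, the group and user maps and the function names are assumptions for illustration, as is treating a group with no entry for a table as granting nothing under the manual's rule and limiting nothing under the restrictive one.

```javascript
// Added illustration; constants, maps and function names are assumptions,
// not Servoy's API. Data is constructed from the thread's Table A setup.
const READ = 1, INSERT = 2, UPDATE = 4, DELETE = 8;
const ALL = READ | INSERT | UPDATE | DELETE;
const NAMES = [[READ, 'read'], [INSERT, 'insert'], [UPDATE, 'update'], [DELETE, 'delete']];

const groupRights = {
  'group 1': { 'Table A': READ | INSERT | UPDATE | DELETE },
  'group 2': { 'Table A': READ },
};
const memberships = {
  'User 1': ['group 1'],
  'User 2': ['group 1', 'group 2'],
};

// model 'highest': union of grants (the online help's rule).
// model 'restrictive': every group is an extra limit (intersection).
function effectiveRights(user, table, model) {
  const highest = model === 'highest';
  return (memberships[user] || []).reduce((acc, group) => {
    const grant = (groupRights[group] || {})[table];
    // Assumption: a group with no entry for the table grants nothing under
    // 'highest' and limits nothing under 'restrictive'.
    if (highest) return acc | (grant === undefined ? 0 : grant);
    return acc & (grant === undefined ? ALL : grant);
  }, highest ? 0 : ALL);
}

function describe(mask) {
  return NAMES.filter(([bit]) => mask & bit).map(([, name]) => name).join(',') || 'none';
}

// Users whose effective rights depend on which rule the platform applies.
function ambiguousUsers(table) {
  return Object.keys(memberships).filter((user) =>
    effectiveRights(user, table, 'highest') !== effectiveRights(user, table, 'restrictive'));
}

for (const user of Object.keys(memberships)) {
  console.log(user,
    '| highest:', describe(effectiveRights(user, 'Table A', 'highest')),
    '| restrictive:', describe(effectiveRights(user, 'Table A', 'restrictive')));
}
console.log('depends on the rule:', ambiguousUsers('Table A'));
```

Running the same comparison over a real group matrix lists every multi-group user whose access would change if the platform's merge rule differs from the documented one.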