User Restrictions
The User Restrictions is a table (md_user_domain_rls) in the User Management System (UMS). This table defines parameters that restrict a user's access to rows of data.
- The User Restriction represents a record-level security policy by user that is applied consistently throughout PointForce iTopia regardless of what view is used or how the view is customized.
- The User Restrictions uses:
- Database names
- Domain names
- User entered criteria (Values).
- If you are setting up restrictions for Enterprise views, then you should always select the database named 'ibis'.
- What are Domains?
- How do I know which Domains are required for a restriction?
- When defining Restrictions, you can use the Column or Domain views to assist you in selecting the correct Domain(s) and view the tables that the restriction will affect. The Column and Domain views can be accessed by entering md_column or md_domain in the search field and clicking ‘Go’ or through the Metadata Administration menu.
- You can find Domains for specific fields (Client Specific Text) through the Column view and the Domain view by entering text in the Client Specific Text field of either view and initiating the search. When entering Client Specific Text you should consider using wild cards or several iterations of the same text (separating each input by a comma) as there may be variations that point to different Domains.
- The difference between using the Domain or Column view to search for Domains is that the Column view will display the tables that the Domains are associated with for the entered search value(s).
- For example, if you are restricting a user to a specific warehouse(s), you can enter 'whse','warehouse' in the Client Specific Text field of the Column view. When the search results are returned, any Client Specific Text that contains the entries is displayed. Using this method will further guarantee that you will capture all of the Domains required for the Restriction.
- In the table below, the Domain name 'whse' points to different Client Specific Text that refers to a warehouse field within various tables, however the Domains 'salwar' and 'saht' also point to Client Specific text that refers to a warehouse field:
Table Name |
Column Name |
Client Specific Text |
Domain |
obbh |
whse |
Warehouse |
whse |
icbu |
whse |
Whse |
whse |
icms |
whse |
Whse |
salwar |
saht |
saht_1 |
Whse |
saht |
- When setting the Restriction you need to create a record for each Domain so that the assigned user obtains the proper restrictions for the Columns across all tables/views.
- The 'Value' that you enter restricts the user to viewing only data that pertains to the value entered. Since we are using Warehouse as our example, you can enter a Warehouse code in the Value field and the user will be restricted to viewing data that pertains to only that Warehouse code.
- Example of a Restriction:
- The user 'janedoe' is set up to access views for the files obbh, icbu, icms and saht.
- Because these files are set up with 3 Domain names for Warehouse, we must set up 3 restrictions (one for each Domain).
- We only want 'janedoe' to be able to access Warehouse 10.
- To achieve this, the User Restriction must be set up with the following 3 restrictions:
|
Restriction 1 |
Restriction 2 |
Restriction 3 |
User |
janedoe |
janedoe |
janedoe |
Database |
ibis |
ibis |
ibis |
Domain |
whse |
salwar |
saht |
Value |
10 |
10 |
10 |
Mandatory Restriction: Even though you can add many restrictions to users, every user must have an ibis_client Domain restriction set up so that the user can only access data that pertains to your iTopia environment. Even though your site is secure, this is an extra layer of security.
- In order to restrict users to viewing data that pertains to only your iTopia environment for all views, you must enter a Domain Name of 'ibis_client' with the associated Value entered as {session.ibis_client}.
-
This restriction relates back to the User Master-Attribute module. In the Attribute module, every user is assigned an Attribute Key that defines the client code that the user can access. The {session.ibis_client} Attribute Key is the one that defines the iTopia environment accessible for each user.
- When you assign {session.ibis_client} as the value for the 'ibis_client' domain, the system refers to the User Master-Attribute module for the user and identifies the Attribute Value that is associated with the {session.ibis_client} Attribute Key. The value indicates the client code that the user has access to, and this client is all that the user can gain access to in PointForce iTopia.
Tip: If your company has multiple companies in PointForce Enterprise and you want to restrict users to a specific company for all views, the Domain Name must be entered as 'compny' and the associated Value is {session.company}.
- This restriction relates back to the User Master-Attribute module. In the User Master-Attribute module, every user is assigned an Attribute Key that defines the companies that the user can access. The {session.company} Attribute Key is the one that defines the companies for each user.
- When you assign {session.company} as the value for the 'compny' domain, the system refers to the User Master-Attribute module for the user and identifies the Attribute Value that is associated with the {session.company} Attribute Key. The value indicates the company or companies that the user has access to and this company (or multiple companies) is all that this user can access in PointForce iTopia.
- When setting up this restriction, ensure that the Attribute Value associated with the Attribute Key {session.company} is NOT an asterisk (*).
The following list defines every field available in the user restrictions (md_user_domain_rls) table in alphabetical order:
- Created By - the name of the user who created the record you are viewing or maintaining. You cannot edit this field.
- Created On - the date on which the record that you are creating or maintaining was created. you cannot edit this field.
- Database Name - displays the database name associated with the restriction.
- Domain Name - displays the domain name associated with the restriction.
- Modification Counter - this field is not maintainable. The date and time a given record was last modified.
- Modified By - this field is not maintainable. The user or system process that last modified a given record
- Modified On - this field is not maintainable. The date on which the record you are attempting to retrieve or maintain was last modified.
- Read Criteria Value - a QBE expression, including macros, that represents the value to which the user is restricted when viewing records.
- User Name - the user to which the restriction applies.
- Write Criteria Value - a QBE expression, including macros, that represents the value to which the user is restricted when creating, editing or deleting records.
For the functionality of each action (i.e. button) available on this view, refer to the About the Actions
topic.
|