Configuration data for system user dynamic authentication
With dynamic authentication modules, the system user assigned to the employee is not used for the login. Instead, the system user configured in the user interface's special configuration data is used.
To specify configuration data
- In the Designer, select the Base data | Security settings | Programs category.
- Select the application and adjust the Configuration data.
Use XML syntax for entering the configuration data:
<DialogUserDetect>
<Usermappings>
<Usermapping
DialogUser = "System user name"
Selection = "Selection criterion"
/>
<Usermapping
DialogUser = "System user name"
/>
...
</Usermappings>
</DialogUserDetect>
Enter the system user (DialogUser) in the Usermappings section. Use the selection criterion (Selection) to specify which employees use the given system user. A selection criterion is optional for the assignment. The first system user that has the required assignment is used for the login.
You can assign function groups to permissions groups in order to deal with complex rights and user interface structures. The function groups allow you to map the functions an employee has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups and several function groups can refer to one permissions group.
If the FunctionGroupMapping section is in the configuration data, this is evaluated first and the system user that is found is used. The authentication module uses the system user that is the exact member of the permissions group found for the login. If none is found, the Usermapping section is evaluated.
<DialogUserDetect>
<FunctionGroupMapping
PersonToFunction = "View mapping employee to function group"
FunctionToGroup = "View mapping function group to permissions group"
/>
<Usermappings>
<Usermapping
DialogUser = "System user name"
Selection = "Selection criterion"
/>
...
</Usermappings>
</DialogUserDetect>
Example of a simple system user assignment
All employees should be able to see the user interface for an IT Shop in a web front-end, without taking table and column permissions into account.
To do this, set up a new application, for example WebShop_Customer_Prd, and adapt the configuration data as follows:
<DialogUserDetect>
<Usermappings>
<Usermapping
DialogUser = "dlg_all"
/>
</Usermappings>
</DialogUserDetect>
Create a new WebShop_Customer_Grp permissions group, which receives the user interface for the application comprising the menu items, interface forms and task definitions. The user interface could consist of the following menu items:
- Employee contact data
- Requesting a product
- Unsubscribing a product
Define a new dlg_all system user and include it in the vi_DE-CentralPwd, the vi_DE-ITShopOrder, and the WebShop_Customer_Grp permissions groups.
Example of a system user assignment using a selection criterion
The scenario described in the previous example is extended such that only the cost center manager can see an employee’s leaving date. You need to add the input field LeavingDate to the contact data form to do this.
Permissions are used for controlling viewing and editing. Set up a new dlg_kst system user and include the system user in the vi_DE-CentralPwd, vi_DE-ITShopOrder and WebShop_Customer_Grp permissions groups. You should also give the system user read and write access to the Person.Exitdate column.
Extend the application configuration data in such a way that the cost center managers use the dlg_kst system user to log in. All other employees use the dlg_all system user to log in.
Change the configuration data as follows:
<DialogUserDetect>
<Usermappings>
<Usermapping
DialogUser = "dlg_kst"
Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)"
/>
<Usermapping
DialogUser = "dlg_all"
/>
</Usermappings>
</DialogUserDetect>
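Because the first matching system user is used, the order of the Usermapping entries decides which permissions an employee receives. The following check is an added example, not part of the product or the original documentation: it parses a DialogUserDetect block and reports entries that can never be reached because an earlier entry has no Selection, as well as entries without a DialogUser. The function name, the sample configurations and the treatment of an empty Selection as "no criterion" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples based on the page's dlg_kst / dlg_all example.
GOOD = """<DialogUserDetect><Usermappings>
  <Usermapping DialogUser = "dlg_kst"
    Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)" />
  <Usermapping DialogUser = "dlg_all" />
</Usermappings></DialogUserDetect>"""

# Same entries with the order swapped: dlg_all now matches every employee first.
SHADOWED = """<DialogUserDetect><Usermappings>
  <Usermapping DialogUser = "dlg_all" />
  <Usermapping DialogUser = "dlg_kst"
    Selection = "select 1 where %uid% in (select uid_personhead from profitcenter)" />
</Usermappings></DialogUserDetect>"""


def lint_dialog_user_detect(xml_text):
    """Return (level, message) findings for one DialogUserDetect block."""
    root = ET.fromstring(xml_text)
    if root.tag != "DialogUserDetect":
        return [("error", f"root is <{root.tag}>, expected <DialogUserDetect>")]
    findings = []
    fgm = root.find("FunctionGroupMapping")
    if fgm is not None:
        for attr in ("PersonToFunction", "FunctionToGroup"):
            if not (fgm.get(attr) or "").strip():
                findings.append(("error", f"FunctionGroupMapping lacks {attr}"))
    mappings = root.findall("./Usermappings/Usermapping")
    if fgm is None and not mappings:
        findings.append(("error", "no FunctionGroupMapping and no Usermapping"))
    catch_all = None  # position of the first mapping without a Selection
    for pos, m in enumerate(mappings, start=1):
        user = (m.get("DialogUser") or "").strip()
        if not user:
            findings.append(("error", f"mapping {pos} has no DialogUser"))
        if catch_all is not None:
            # First match wins, so nothing after an unconditional entry is used.
            findings.append(("warning", f"mapping {pos} ({user or '?'}) is never "
                             f"reached; mapping {catch_all} has no Selection"))
        # Assumption: an empty Selection behaves like a missing one.
        elif not (m.get("Selection") or "").strip():
            catch_all = pos
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("SHADOWED", SHADOWED)):
        print(name, lint_dialog_user_detect(cfg) or "ok")
```

Run the check against the configuration data of each application before saving it in the Designer; a warning means at least one system user in the list is never selected.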
Example of a function group assignment
To assign function groups to permissions groups you have to define two database views. The first database view shows the assignment of employees to function groups. The database view contains two columns, UID_Person and FunctionGroup.
Example:
create view custom_Person2Fu as
select uid_personHead as UID_Person, 'Cost center manager' as FunctionGroup
from Profitcenter
where isnull(uid_personHead, '') > ' '
union all
select uid_personHead, 'Department manager' as FunctionGroup
from Department
where isnull(uid_personHead, '') > ' '
The second database view assigns function groups to permissions groups. This database view contains two columns, FunctionGroup and DialogGroup.
Example:
create view custom_Fu2D as
select 'Cost center manager' as FunctionGroup, '<UID_Custom_Dialoggroup_ChefP>' as DialogGroup
union all
select 'Department manager', '<UID_Custom_Dialoggroup_ChefD>' as DialogGroup
Set up role-based permissions groups with the required permissions.
TIP: A role-based permissions group can inherit from a non role-based permissions group. This allows you to build up an inheritance hierarchy to make it easier to grant permissions.
Change the configuration data for assigning function groups to permissions groups as follows:
<DialogUserDetect>
<FunctionGroupMapping
PersonToFunction = "custom_Person2Fu"
FunctionToGroup = "custom_Fu2D"
/>
</DialogUserDetect>