|
|
openCRX Security
Version 1.7.1
www.opencrx.org
The contents of this file are subject to a BSD license (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License here
- Table of Contents
- 1. About this Book
- 2. Prerequisites
- 3. Introduction to role-based security
- 4. Permissions
- 5. Real World Example
- 6. Next Steps
- A. Appendix
- Bibliography
- List of Figures
- 3-1. Role-based Security
- 3-2. Role-based Security Concept implemented by openCRX
- 4-1. UML Model SecureObject (Extract)
- 4-2. System Attributes of an openCRX Object
- 4-3. Example Security Organization with 9 UserGroups and 9 Users
- 4-4. Example Data with 6 Objects
- 4-5. Access Permissions of User admin-Standard
- 4-6. Access Permissions of User head-Sales
- 4-7. Access Permissions of User salesrep1
- 4-8. Access Permissions of User salesrep2
- 4-9. Access Permissions of User salesrep3
- 4-10. Access Permissions of User salesrep4
- 4-11. Access Permissions of Users head-Accounting, accountant1, and accountant2
- 5-1. Organizational Chart
- 5-2. User Groups and Users
- 5-3. Newly created Principal ceo
- 5-4. Contact ceo
- 5-5. Grid Users / User Groups with newly created Local User Groups
- 5-6. Create User ceo
- 5-7. Grid Users / User Groups with newly created Users
- 5-8. Principal ceo after creating User ceo
- 5-9. Matrix showing User Group memberships of all Users
- 5-10. User Group memberships of User ceo
- 5-11. Default Security Settings of Contact created by ceo
- 5-12. Permissions on Contact created by ceo
- 5-13. Security Settings of Contact created by ceo after adding Standard\\Sales
- 5-14. Permissions on Contact created by ceo after adding Standard\\Sales
- 5-15. Security Settings of Contact created by ceo after removing all Owning Groups
- 5-16. Default Security Settings of Contact created by sales-repA1
- 5-17. Permissions on Contact created by sales-repA1
- 5-18. Security Settings of Contact created by sales-repA1 after adding Standard\\Sales
- 5-19. Permissions on Contact created by sales-repA1 after adding Standard\\Sales
- 5-20. Security Organization with "readonly" Option for Sales
- 5-21. Newly created User Group Sales-readonly is a member of Sales-super
- 5-22. Default Security Settings of Contact created by sales-repA1 (no sharing)
- 5-23. Security Settings of Contact created by sales-repA1 (readonly sharing)
- 5-24. Permissions on Contact created by sales-repA1 (readonly sharing)
- 5-25. Security Organization with co-operating Sales Teams
- 5-26. Making SalesTeamA a member of Sales
- 5-27. Default Security Settings of Contact created by sales-repA1 (co-operating sales teams)
- 5-28. Permissions on Contact created by sales-repA1 (co-operating sales teams)
Chapter 1. About this Book
This book describes the concept of role-based security as it is implemented by openCRX.
What do you need to understand this book
This book assumes a basic knowledge of security-related concepts and terms, including identity, authentication, and authorization. It is also helpful if you are familiar with openCRX accounts and user homepages (UserHomes).
Chapter 2. Prerequisites
The first few chapters of this book deal with concepts only, i.e. there are no prerequisites in terms of installing openCRX. It is helpful to have a basic knowledge of security-related concepts and terms, including identity, authentication, and authorization. With regard to the Real World Example, however, having access to an openCRX installation would obviously be an advantage as you could duplicate the setup and investigate your own tweaks to the security configuration.
Chapter 3. Introduction to role-based security
It is the main goal of the security concept of openCRX to control who is allowed to browse/delete/update which information. On the one hand this requires some infrastructure to manage identity data (e.g. principals, users), authentication data (e.g. passwords, certificates) and authorization data (e.g. permissions, roles), on the other hand the rules defined by the various permissions granted to principals must be enforced to ensure that no principal can take an action without being granted permission to do so. openCRX implements a state-of-the-art role-based security concept which utilizes the concepts of Principals and Roles, similar to the implementation of security in many current operating systems. While role-based security may be overkill in trivial settings (e.g. SOHO with two users who both are allowed to browse/delete/update all objects) it is an extremely powerful tool to get a handle on complex environments (e.g. ASP managing tens of thousands of customers/companies). Apart from these two extreme settings (SOHO, ASP), role-based security is also very useful in many typical company settings where various sales teams, customer service teams, and maybe accounting teams need to browse/delete/update customer-related data (e.g. sales orders, invoices, payments, support requests) while at the same time permissions on such data may vary depending on the function of the employee (imagine what would happen if accounting staff could enter/change sales orders or a customer service rep could alter customer payments).
The following explanations are hopefully helpful to understand the role-based security concept as it is implemented by openCRX. Please be aware that the goal of this documentation is to explain the concepts used in openCRX - if you are interested in details and the formally correct and complete specifications you should refer to the openCRX UML models.
The following figure shows the main ingredients of role-based security:
At the core of role-based security is the concept of collecting Permissions in Roles, which can be granted to Principals (a Principal corresponds to a Login). For example, imagine a Principal admin-Standard who is granted the Role OpenCrxAdministrator which comes with all the Permissions required for a segment administrator to do his work, or a Principal salesrep1 who is granted the Role SalesRep which comes with all the Permissions required for a sales representative to do his work. For better manageability several Principals can be collected in a PrincipalGroup and Roles can be directly attached to PrincipalGroups.
Users (e.g. human beings like Joe, Mary, Jeff) can be assigned multiple Principals to reflect the fact that some users connect to the system in different roles depending on the tasks at hand. For example, User joe might be assigned the Principal head-Sales (because Joe is head of sales) as well as the Principal admin-Standard (because Joe is also segment administrator). If Joe wants to work as segment administrator he logs in as Principal admin-Standard, if Joe wants to work as head of sales he logs in as Principal head-Sales. Credentials (like passwords, certificates, SecurIDs) are attached to Users. Like this it is possible to let Joe connect to the system with the same password, regardless of whether he acts as segment administrator or head of accounting. For better manageability several Users can be collected in a UserGroup. The term Subject is commonly used to refer to Users and UserGroups.
In addition to this standard setup of role-based security openCRX allows you to relate Users to Contacts. Furthermore, each Principal is related (automatically) to an openCRX UserHome (this is how openCRX can easily maintain two different histories for Principal admin-Standard and Principal head-Sales; one history keeps track of Joe's actions when he is logged in as segment administrator, the other history keeps track of his actions when he is logged in as head of sales). These openCRX extensions to role-based security are shown in the following figure:
Please note that the above figure represents a high-level view of the implemented security concept - refer to the openCRX UML models for detailed and formally correct and complete specifications.
Chapter 4. Permissions
With the openCRX security framework permissions can be granted with the following two methods:
Ownership Permissions: Permissions are granted on a particular object based on ownership (ownership access control has been implemented since openCRX v1.4.0). For example, permission to browse the account "Steve Jones" is granted to everybody or permission to delete the product "Gadget" is granted to the segment administrator only. Object permissions work similar to file permissions in a file system.
Model Permissions: Permissions are granted on model elements (will be implemented in a future version of openCRX). For example, permission is granted to execute the operation Refresh on the UserHome or permission is granted to view the Tab Leads, etc.
Ownership Permissions
Ownership permissions are used to control browse/delete/update access to openCRX objects by Users and UserGroups. Ownership access control has been implemented since openCRX v1.4.0. Every openCRX object is a SecureObject. The following figure shows an extract from the UML model (if you are interested in all the details and the formally correct and complete specifications you should refer to the openCRX UML models):
The most important security attributes of an object X are discussed below (and an example is shown in Figure 4-2):
Owning User: this user "owns" object X; the Owning User can always browse/delete/update object X (unless the access level is set to 0 [no access]).
Owning Groups: these groups might enjoy privileged treatment for browsing/deleting/updating object X depending on the relevant access level settings.
Browse Access Level: this setting determines which users / user groups are granted browse access to direct composite objects of object X [i.e. can view/inspect direct composite objects (including all their attributes) of object X].
Delete Access Level: this setting determines which users / user groups are granted delete access to object X and all its composite objects (recursively!) [i.e. can delete object X and all its composite objects (recursively!)].
Update Access Level: this setting determines which users / user groups are granted update access to object X [i.e. can change object X; this includes adding composite objects to object X].
The following access levels are available to control which users / user groups are granted permission to browse/delete/update a particular object X:
0 - N/A: no access.
1 - private: access is granted if the user is owning user of object X.
2 - basic: access is granted if (a) the user is owning user of object X, or if (b) the user is member of any of the owning groups of object X, or if (c) any of the owning groups of object X is a subgroup** of any group the user is member of.
3 - deep: access is granted if (a) the user is owning user of object X, or if (b) the user is member of any of the owning groups of object X, or if (c) any of the owning groups of object X is a subgroup** of any group the user is member of, or if (d) any of the owning groups of object X is a subgroup** of any supergroup* of any group the user is member of.
4 - global: all users are granted access.
* a supergroup of an owning group G is a group of which G is a member of (recursively)
** a subgroup of an owning group G is a group which is member of G (recursively)
Security Setting of New Objects
New objects are by default created with the following security settings:
Owning User: User who is creating the object
Browse Access Level: 3 - deep
Delete Level: 2 - basic
Update Access Level: 2 - basic
Owning Groups: Primary User Group of the user who is creating the object and (meaning as well as) Owning Group(s) of the parent object of the new object
Please note that the User Group Users (e.g. Standard\\Users) is not added to the list of Owning Groups of newly created top-level objects (i.e. objects attached to a segment, even if Users is an Owning Group of the segment)
Please note that a users's Primary user group is set by the segment administrator with the operation Create User. To change an existing user's primary group, the segment administrator simply executes the operation Create User again with a new parameter for primary user group.
In the context of activity management there are various operations that set/change the Owning Groups of objects based on the settings of an assigned Activity Tracker and not based on the settings of the user who executes the operation.
If you see N/P in a field instead of a more meaningful value you probably do not have browse access to the respective object (N/P stands for No Permission).
Security Example
In this chapter we discuss security for an example security organization (see Figure 4-3) and then show what individual users are allowed to do on example data (see Figure 4-4). Please note that this example security organization has educational value but it is not well suited for the real world. See chapter Real World Example for a more realistic setup.
The example organization consists of 4 User Groups (Administrators, Users, Unspecified, and Unassigned) and 1 User (admin-Standard) created by openCRX. In addition, there are 5 User Groups (Sales, SalesTeamA, SalesTeamB, Accounting, and AccountingTeamA) and 8 Users (head-Sales, salesrep1, salesrep2, salesrep3, salesrep4, head-Accounting, accountant1, accountant2) created by the segment administrator:
The above chart reads as follows (just to give a few examples, i.e. many more statements could be made about the above chart):
UserGroup SalesTeamA is a subgroup of UserGroup Sales
UserGroup SalesTeamB is a subgroup of UserGroup Sales
UserGroup AccountingTeamA is a subgroup of UserGroup Accounting
UserGroups Sales, SalesTeamA, SalesTeamB, Accounting, and AccountingTeamA are subgroups of UserGroup Users
UserGroup Users is a supergroup of UserGroups SalesTeamA (UserGroup Users is also a supergroup of UserGroups Sales, SalesTeamB, Accounting, and AccountingTeamA)
UserGroup Unspecified is a supergroup of all other UserGroups
User admin-Standard is a member of UserGroup Administrators
Users salesrep1 and salesrep2 are both members of UserGroup SalesTeamA
Role OpenCrxUser is assigned to UserGroup Users
Role OpenCrxAdministrator is assigned to UserGroup Administrators
User admin-Standard has all the permissions of the Role OpenCrxAdministrator (because this User is a member of the UserGroup Administrators)
.
The example data consists of 6 openCRX objects (S, X, Xa, Xb, Y, and Ya):
If you, for example, look at object Xa the following security attributes are set:
Owning User: object Xa is owned by the User salesrep1
Owning Groups: object Xa is owned by the UserGroup SalesTeamA
Browse Access Level is set to deep
Delete Access Level is set to basic
Update Access Level is set to basic
Similarly, Figure 4-4 contains information about the security attributes of all the other openCRX objects.
Next, we will analyze for a few of the example users which objects they are able to browse to, which objects they are allowed to delete, and which objects they have permission to update. The whole discussion is based on the security organization as it was presented in Figure 4-3. Let's start with the user admin-Standard. On the following chart, green indicates that access is granted, red indicates that access is not granted:
Please note that the user admin-Standard is granted permission to delete object S; due to the definition of the delete access level, deleting object S will also delete its composite objects (recursively!), i.e. admin-Standard can actually delete all objects by deleting object S! It is not possible, however, that user admin-Standard navigates to - for example - object Xb and then deletes object Xb as delete access is not granted on object Xb (even though browse level access to object Xb is granted).
Let's now look at the user head-Sales. On the following chart, green indicates that access is granted, red indicates that access is not granted:
Please note that the user head-Sales is granted permission to delete objects X and Y; due to the definition of the delete access level deleting object X will also delete its composite objects (recursively!), i.e. head-Sales can actually delete object Xb by deleting object X! Similarly, head-Sales can delete object Ya by deleting object Y. It is not possible, however, that user head-Sales navigates to - for example - object Xb and then deletes object Xb as delete access is not granted on object Xb (even though browsing to object Xb is possible).
On the following chart, green indicates that access is granted to the user salesrep1, red indicates that access is not granted to salesrep1:
Please note that the user salesrep1 is granted permission to delete object X; due to the definition of the delete access level deleting object X will also delete all its composite objects (recursively!), i.e. salesrep1 can actually delete object Xb by deleting object X! It is not possible, however, that user salesrep1 navigates to - for example - object Xb and then deletes object Xb as delete access is not granted on object Xb (even though browsing to object Xb is possible).
On the following chart, green indicates that access is granted to the user salesrep2, red indicates that access is not granted to salesrep2:
On the following chart, green indicates that access is granted to the user salesrep2, red indicates that access is not granted to salesrep2:
On the following chart, green indicates that access is granted to the user salesrep2, red indicates that access is not granted to salesrep2:
Please note that the user salesrep4 is granted permission to delete object Y; due to the definition of the delete access level deleting object Y will also delete all its composite objects (recursively!), i.e. salesrep4 can actually delete object Ya by deleting object Y! It is not possible, however, that user salesrep4 navigates to - for example - object Ya and then deletes object Ya as delete access is not granted on object Ya (even though browsing to object Ya is possible).
The following figure shows access permissions of the users head-Accounting, accountant1, and accountant2. Green indicates that access is granted, red indicates that access is not granted:
Chapter 5. Real World Example
This example is built around a small company with several departments. We first configure a basic security setup around the organizational structure of the company following some common sense rules. Later on we will look at a few improvements of the security configuration to implement more advanced access rules. The structure of this chapter is as follows:
Sample Organization
This example is built around a small company structured as shown in the following organizational chart:
The sales department (Sales) features a head of sales (head-sales) and 2 sales teams (SalesTeamA and SalesTeamB). Each sales team consists of 2 sales reps (e.g. SalesTeamA consists of sales-repA1 and sales-repA2). Similarly, there is an accounting department (Accounting) with a head of accounting (head-accounting) and an accountant who is the only member of the team AccountingTeam.The structure of the production department is identical to the structure of the accounting department. The company has a board (Board) with three members: ceo, cfo, and coo.
Please note that the above organizational chart does not contain any security-related information, i.e. it does not tell us anything about permissions and such - an org chart is an org chart and nothing more when it comes to security (even though it is probably not wrong to assume that sales-repA1 should not be allowed to see any objects owned by the ceo unless the ceo has granted such permission explicitly). Before we get started with setting up security let us make a few assumptions about the desired "default security settings" of this organization (please note that the following "rules" really are assumptions, i.e. there is nothing in openCRX that would force you to adopt such rules; we just need a set of rules for the sake of this example enabling us to show how security-related rules can be implemented.):
every board member should be granted permission to access any object (browse/delete/update), including those created by any other board member, i.e. ceo, cfo, and coo have full access (browse/delete/update) to all objects
SalesTeamA and SalesTeamB do not co-operate (i.e. objects created by a member of SalesTeamA cannot be accessed by members of SalesTeamB and objects created by a member of SalesTeamB cannot be accessed by members of SalesTeamA)
department heads have full access (browse/delete/update) to any object created by a member of their department (e.g. head-sales has browse/delete/update access to all objects created by sales-repA1)
there are "Chinese walls" between departments, i.e. objects created by a particular department are not accessible (browse/delete/update) by any other department (e.g. objects created by the sales department cannot be accessed by neither the accounting department nor the production department
users are never automatically granted access (browse/delete/update) to objects created by users on a higher organizational hierarchy (e.g. sales-repB2 is not granted access (browse/delete/udpate) to objects created by head-sales or board members like the cfo)
all members of a particular organizational unit should have the same permissions (e.g. sales-repA1 should have the same permissions as sales-repA2, but permission of sales-repB1 may very well differ from those of sales-repA1)
Users and User Groups
Let us now move on to setting up a flexible security organization that allows us to handle/implement all of the above-mentioned rules. The following figure shows the 12 User Groups (blue box white font, e.g. Company, Board, Sales, SalesManagers, etc.) we are going to create. It also shows how we are going to assign Primary user groups to the 12 Users (blue font, e.g. ceo, cfo, coo, head-sales, etc.) we are going to create:
User ceo has User Group Board as Primary user group
User cfo has User Group Board as Primary user group
User coo has User Group Board as Primary user group
User head-sales has User Group SalesManagers as Primary user group
User sales-repA1 has User Group SalesTeamA as Primary user group
and so on
Please note that the approach demonstrated in this example is not the only one possible. This security organization is not optimized in any way as we want the reader to follow our line of thought. Furthermore, it is advisable to get security issues right before you start thinking about optimizations.
The proposed security organization does not cover/include the User admin-Standard, i.e. this User will not have any access to objects created by any of the 12 Users on the above security organization.
Creating Principals
Connect to the root provider and login as admin-Root. Create the Principal ceo with the following steps:
navigate to the Security Realm Default
use the creator menu to create a new Principal
enter ceo into the field Qualifier (leave the other attributes unchanged) and then click the button [Save] to create this new Principal
navigate to the Principal ceo (for example by clicking on the operation result)
in the grid Member of Principal Groups click on the lookup icon to start the lookup inspector and then locate the Principal Group Users (click the appropriate check box to select Users and return to the grid)
click on the button [+] to add the Principal Group Users (this makes the Principal ceo a member of the Principal Group Users)
If you inspect your newly created Principal ceo you should now see the following:
Two important issues to verify are:
the identity of the Principal ceo is xri:@openmdx:org.openmdx.security.realm1/provider/CRX/segment/Root/realm/Default/principal/ceo
Principal ceo is member of the Principal Group Users
Please note that the values of the attributes User and Primary User Group will be assigned later (by executing the operation Create User).
Now you can create the following Principals with the same steps (i.e. do not forget to make every Principal member of the Principal Group Users:
cfo
coo
head-sales
head-accounting
head-production
sales-repA1
sales-repA2
sales-repB1
sales-repB2
accountant
worker
You have successfully created all the principals shown in Figure 5-2.
Creating Contacts
Connect to the standard provider and login as admin-Standard. Use the provider Accounts to create the following 12 Contacts, i.e. one Contact for each User:
ceo
cfo
coo
head-sales
head-accounting
head-production
sales-repA1
sales-repA2
sales-repB1
sales-repB2
accountant
worker
To keep it simple, we only entered values into the field Last Name (e.g. the Contact ceo has the last name ceo) as shown in the following figure:
Creating Local User Groups
Next we use the provider Security Users / Groups to create several Local User Groups (see also Figure 5-2 for an overview of the User Groups). It is sufficient to enter a reasonable value into the field Description; we typically enter the provider followed by the name, e.g. Standard\\Board or Standard\\Company, but feel free to develop/follow your own pattern. Create the following Local User Groups:
Standard\\Board
Standard\\Company
Standard\\Accounting
Standard\\AccountingManagers
Standard\\AccountingTeam
Standard\\Production
Standard\\ProductionManagers
Standard\\ProductionTeam
Standard\\Sales
Standard\\SalesManagers
Standard\\SalesTeamA
Standard\\SalesTeamB
The following figure shows the grid Users / User Groups containing the newly created Local User Groups corresponding to Figure 5-2:
Creating Users
Next we navigate to the provider User Homepages and use the Operation Actions | Create User. to create Users. The operation Create User allows us to set the following attributes:
User id
Realm name (use Default for our example)
Principal name (in our example the Principal name always matches the User id)
Contact (use the lookup inspector to point to the matching Contact)
Primary user group (use the lookup inspector to point to the desired User Group)
Initial password (in our example we use "*" (without the quotes) as our password)
Password again (repeat the password)
The steps to create the User ceo are as follows:
execute the operation Actions | Create User. and enter the following parameter values
User id: ceo
Realm name: Default
Principal name: ceo
Contact: use the lookup inspector to select the Contact ceo
Primary user group: use the lookup inspector to locate the User Group Standard\\Board
Initial password: *
Password again: *
click on the button [OK] to create the User
The figure below shows the operation parameter panel just before clicking the button [OK]:
In addition to the User ceo you also need to create 12 Users (in parenthesis you will find the Primary Owning Group you need to assign to the respective User); the Realm name is Default for all Users. You also need to use the lookup inspector to select the matching Contact):
cfo (Standard\\Board)
coo (Standard\\Board)
head-sales (Standard\\SalesManagers)
head-accounting (Standard\\AccountingManagers)
head-production (Standard\\ProductionManagers)
sales-repA1 (Standard\\SalesTeamA)
sales-repA2 (Standard\\SalesTeamA)
sales-repB1 (Standard\\SalesTeamB)
sales-repB2 (Standard\\SalesTeamB)
accountant (Standard\\AccountingTeam)
worker (Standard\\ProductionTeam)
The following figure shows the grid Users / User Groups containing the newly created Users:
Back in the root provider (login as admin-Root) you can now inspect the previously created Principals and verify that the operation Create User indeed properly updated the fields User and Primary User Group. For example, if you inspect the Principal ceo you should now see the following:
Two important issues to verify are:
the User of the Principal ceo is equal to Standard\\ceo,
the Primary User Group of the Principal ceo is equal to Standard\\Board
Assigning Group Memberships
Finally, we need to assign Users to the appropriate User Groups. The following table shows for each User (left-most column) which User Group (top column) she/he is member of (the acronym PUG stands for Primary User Group; the "PUG membership" is defined at the time the User is created with the operation Create User - the same operation can be used to change the Primary User Group of a User):
To add a particular User to a User Group, navigate to the provider Security Users / Groups, locate the respective User in the grid (e.g. Standard\\ceo) and load it into the inspector. Now you can use the lookup inspector of the grid Member of User Groups to locate the desired User Group and click on the respective checkbox. Back in the grid you can use the [+] button to add the User Group to the grid.
You can add User Groups very efficiently if you keep one browser window open showing the list of User Groups and another browser window to inspect the User (also showing the grid Member of Users Groups). To add a User Group to the grid Member of User Groups copy the URL of the icon of the User Group to be added to the input field of the grid Member of User Groups (you can copy the URL of an icon as follows: right-click on the icon and then select "Copy Shortcut" (IE) or "Copy Link Location" (Firefox) from the context menu to copy the URL into the clipboard; next you paste the URL into the input field). Finally, you click the [+] button.
The following figure shows the User ceo with all the User Groups she/he is member of (the list must correspond to the row ceo of the matrix in Figure 5-9):
Work yourself through the matrix Figure 5-9, i.e. for each User add the checked User Groups to the User's grid Member of User Groups.This completes the setup of the security structure as outline in Figure 5-2 and defined by the rules we assumed at the beginning of this example.
Objects created by ceo
Login as User ceo and create a Contact. Navigate to the newly created contact and have a look at the security settings as shown in the figure below:
The security settings of the newly created Contact are in line with the rules given in Security Setting of New Objects:
Owning User: Standard\\ceo (because the Contact was created by the User ceo)
Browse access level: [3] deep (default browse access level)
Delete access level: [2] basic (default delete access level)
Update access level: [2] basic (default update access level)
Owning Groups: Standard\\Board (because Standard\\Board is the Primary User Group of the User ceo who created this Contact)
You can easily verify that the User ceo has full access (browse/delete/update) to this object.
Let us now verify what the situation is like for other Users. To do so, you need to start a new browser and login - for example - as User cfo. As you will find out, the User cfo also has full access (browse/delete/update) to this Contact. We would not expect it to be any different because that is how we configured our security setup. The following table shows the permissions granted to each User:
This corresponds exactly with our intentions as formulated in the section Sample Organization
Grant full access to Sales
Let us now assume that the User ceo decided to grant the sales department full access (browse/delete/update) to this Contact. This is achieved by adding the User Group Standard\\Sales to the list of Owning Groups of the Contact:
You can easily verify that after this change the following Users have full access (browse/delete/update) to this object: ceo, cfo, coo, head-sales, sales-repA1, sales-repA2, sales-repB1, sales-repB2. The remaining users do not have permission to browse/delete/update this Contact.
See Selective Readonly Sharing for information on how to share objects on a readonly basis.
Make Contact Private
Let us now assume that the User ceo decided to keep this Contact private, i.e. nobody else is granted access. This is achieved by removing all User Groups from to the list of Owning Groups of the Contact:
You can easily verify that, with the exception of the User ceo, no other User has permission to browse/delete/update the Contact.
Objects created by sales-repA1
Login as User sales-repA1 and create a Contact. Navigate to the newly created contact and have a look at the security settings as shown in the figure below:
The security settings of the newly created Contact are in line with the rules given in Security Setting of New Objects:
Owning User: Standard\\sales-repA1 (because the Contact was created by the User sales-repA1)
Browse access level: [3] deep (default browse access level)
Delete access level: [2] basic (default delete access level)
Update access level: [2] basic (default update access level)
Owning Groups: Standard\\SalesTeamA (because Standard\\SalesTeamA is the Primary User Group of the User sales-repA1 who created this Contact)
You can easily verify that the User sales-repA1 has full access (browse/delete/update) to this object.
Let us now verify what the situation is like for other Users. To do so, you need to start a new browser and login - for example - as User ceo. As you will find out, the User ceo also has full access (browse/delete/update) to this Contact. Similarly, full access (browse/delete/update) is granted to the other board members and the 2 Users head-sales and sales-repA2. Members of the User Group SalesTeamB are not granted access. Furthermore, our "Chinese walls" are firmly in place: User of the departments production and accounting are not granted access either. We would not expect it to be any different because that is how we configured our security setup. The following table shows the permissions granted for each User:
This corresponds exactly with our intentions as formulated in the section Sample Organization
Grant full access to Sales
Let us now assume that the User sales-repA1 decided to grant the sales department full access (browse/delete/update) to this Contact. This is achieved by adding the User Group Standard\\Sales to the list of Owning Groups of the Contact:
You can easily verify that after this change the two Users sales-repB1 and sales-repB2 are also granted full access (browse/delete/update) to this Contact.
Selective Readonly Sharing
Instead of granting mutual full access, one could also imagine a regime where sales teams co-operate on a more selective basis by making some information available to the other sales team on a readonly basis. Hence, let us now assume that in addition to our original assumptions (see Sample Organization) the two sales teams SalesTeamA and SalesTeamB should have the possibility of easily sharing information on a readonly basis, i.e.
members of SalesTeamB have no permission to access (browse/delete/update) any object created by a member of SalesTeamA (existing rule)
members of SalesTeamA have no permission to access (browse/delete/update) any object created by a member of SalesTeamB (existing rule)
new rule: but there should be a (simple) way of making objects created by a member of particular sales team available to the other sales team on a readonly basis (i.e. browse access only)
This feature request can easily be implemented with openCRX by adding two new User Groups Sales-super and Sales-readonly and then making the two User Groups Sales and Sales-readonly members of the new User Group Sales-super. The following figure shows the new security organization:
To implement this change, login as admin-Standard and navigate to the provider Security Users / Groups. Create a new Local User Group Sales-super (enter Standard\\Sales-super into the field Description). Next you create a new Local User Group Sales-readonly (enter Standard\\Sales-readonly into the field Description) and load it into the inspector. In the grid Member of User Groups you can use the lookup inspector (click on the looking glass) to locate the Local User Group Sales-super. Click the checkbox to return to the grid and then click the [+] button to add Standard\\Sales. You should now see the following:
Similarly, you also need to make the User Group Sales a member of the User Group Sales-super.
To verify the new security configuration, logout and login as sales-repA1 to create a new Contact. The default security settings of this new Contact should correspond to the ones in the following figure:
Neither sales-repB1 nor sales-repB2 have access to this Contact, while sales-repA2 has full access (browse/delete/update).
Let us now try to share this contact with the SalesTeamB. Logout and login as sales-repA1 and navigate to the Contact you want to share. Click on the Tab [^] to see the Owning Groups. Use the lookup inspector to navigate to the User Group Standard\\Sales-readonly. Click on the checkbox to return to the grid and then click the button [+] to add the User Group to the list of Owning Groups. The security settings should correspond to the ones in the following figure:
You can easily verify that in addition to the Users ceo, cfo, coo, head-sales, sales-repA1, and sales-repA2 being granted full access (browse/delete/update), the two Users sales-repB1 and sales-repB2 are now granted browse access (but delete/update access is not granted). This is exactly what we wanted to achieve.
The following matrix summarizes permissions on the Contact created by sales-repA1 if the User Group Standard\\Sales-readonly is added to the list of Owning Groups:
To revoke browse access for SalesTeamB you simply remove Standard\\Sales-readonly from the Contact's list of Owning Groups.
One last twist: to remove delete/update access for sales-repA2 you could remove Standard\\SalesTeamA from the Contact's list of Owning Groups. This reduces permissions of the User sales-repA2 to browse access only; sales-repA1 is now the only sales rep which delete/update access.
Co-operating Sales Teams
Let us now assume that at some point in time it is decided that in contrast to our original assumptions (see Sample Organization) the two sales teams SalesTeamA and SalesTeamB should be fully co-operating, i.e.
members of SalesTeamB are automatically granted full access (browse/delete/update) to any object created by a member of SalesTeamA, and
members of SalesTeamA are automatically granted full access (browse/delete/update) to any object created by a member of SalesTeamB
This change is easily accommodated with openCRX by making both User Groups SalesTeamA and SalesTeamB members of the User Group Sales. The following figure shows the new security organization:
To implement this change, login as admin-Standard and navigate to the provider Security Users / Groups. Locate the Local User Group SalesTeamA and load it into the inspector. In the grid Member of User Groups you can use the lookup inspector (click on the looking glass) to locate the Local User Group Sales. Click the checkbox to return to the grid and then click the [+] button to add Standard\\Sales. You should now see the following:
Similarly, make the User Group SalesTeamB a member of the User Group Sales.
To verify the new security configuration, logout and login as sales-repA1 to create a new Contact. The default security settings should correspond to the ones in the following figure:
You can easily verify that not only the Users ceo, cfo, coo, head-sales, sales-repA1, and sales-repA2 are granted full access (browse/delete/update), but the two Users sales-repB1 and sales-repB2 are also granted full access (browse/delete/update) to this Contact even though the User Group Standard\\Sales (or Standard\\SalesTeamB) was not explicitly added to the list of Owning Groups of the Contact (this is what we did in section Grant full access to Sales to grant access to the other sales team).
The following matrix summarizes permissions on the Contact created by sales-repA1:
Bibliography
