Hi All,
In this post, I'll go over the levels of restricting access to object definitions when they are opened from Application Designer, and a very critical loophole in implementing this in projects.
Using definition groups to restrict access to objects:
1) A user gets access to objects from the primary permission list attached to his user profile, not through roles. Definition groups are added to primary permission lists.
2) Create a definition group and add to it the objects that you want a developer/user to access.
3) Add this definition group to that user's primary permission list. A precaution to take here: if the same primary permission list is given to another user, that user gets access to those objects as well.
4) If you want to give read-only access to the objects included in a definition group, check the display-only option when adding it. If you want a developer not to have access to an object at all, simply don't include it in any definition group added to his primary permission list.
The best approach is to categorize the objects by the modules the developers will be working on. Then create individual definition groups and add the respective category of objects to each. Finally, attach one or more of these groups to the primary permission lists of the users who should have access to those objects.
Approach in production databases:
Since in production databases no one except admins needs write access to objects, you can limit every user to display-only access. For this, simply create a definition group and add all objects to it. Then add this definition group to the permission lists of both admins and normal users, the only difference being that when adding it to the primary permission list of normal users, have display only checked.
Major limitation:
If you read PeopleBooks, there are 3 rules by which definition access is determined for any user.
The first of these is: if an object is not added to any definition group, then every user in the application has full access to it!
The point is, when a new object is created in any environment, by default it is not added to any definition group, and everyone gets access to it until you manually add it to at least one definition group... not a feasible option!
Therefore definition security through definition groups serves no purpose in production databases... Have you applied this mechanism in your databases?
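To make the loophole concrete, here is a small model of definition-group resolution with an audit check for definitions that no group covers. This is an added example, not PeopleSoft code or anything from the original post; the group names, permission lists and "TYPE:NAME" definition keys are constructed, and the handling of grouped definitions beyond rule 1 is an assumption stated in the comments.

```python
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    NONE = "none"
    DISPLAY_ONLY = "display only"
    FULL = "full"

@dataclass
class DefinitionGroup:
    name: str
    definitions: set          # e.g. {"RECORD:HR_REC_A"}; "TYPE:NAME" keys are constructed

@dataclass
class PermissionList:
    name: str
    groups: dict = field(default_factory=dict)  # group name -> display-only flag

def resolve_access(definition, groups, perm_list):
    """Access a user whose primary permission list is perm_list gets to one definition."""
    containing = [g for g in groups if definition in g.definitions]
    if not containing:
        # Rule 1 from the post: a definition in no group is fully open to every user.
        return Access.FULL
    # Assumed resolution for grouped definitions (the post does not spell these rules out):
    # no access unless one of the containing groups is on the list; display-only if
    # every matching group was added with display-only checked, otherwise full.
    flags = [perm_list.groups[g.name] for g in containing if g.name in perm_list.groups]
    if not flags:
        return Access.NONE
    return Access.DISPLAY_ONLY if all(flags) else Access.FULL

def ungrouped_definitions(all_definitions, groups):
    """Audit check: definitions covered by no group, i.e. open to everyone under rule 1."""
    covered = set().union(*(g.definitions for g in groups))
    return sorted(set(all_definitions) - covered)

# Constructed sample data: two module groups, three permission lists, one new custom record.
GROUPS = [
    DefinitionGroup("HR_OBJS", {"RECORD:HR_REC_A", "PAGE:HR_PAGE_A"}),
    DefinitionGroup("FIN_OBJS", {"RECORD:FIN_REC_A", "PAGE:FIN_PAGE_A"}),
]
ALL_DEFS = {"RECORD:HR_REC_A", "PAGE:HR_PAGE_A", "RECORD:FIN_REC_A",
            "PAGE:FIN_PAGE_A", "RECORD:NEW_CUSTOM_REC"}
ADMIN = PermissionList("ADMIN", {"HR_OBJS": False, "FIN_OBJS": False})
DEV_HR = PermissionList("DEV_HR", {"HR_OBJS": False})
PROD_USER = PermissionList("PROD_USER", {"HR_OBJS": True, "FIN_OBJS": True})
```

Running `ungrouped_definitions` over a real environment's definition list against its definition-group contents is the recurring check that would catch newly created objects before they sit open to everyone.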
Read my post on securing definitions by limiting user access on definition types instead of definition names...