Multilayer access right hierarchy


Besides user access rights that determine e.g. who shall see which data, who can create, update or delete them, ObjectGears distinguishes two layers of administrator access rights. Let`s take a look what is this hierarchical structure good for.

ObjectGears access management hierarchy begins on the level of server that hosts ObjectGears. This setting is performed outside ObjectGears. Therefore, let`s consider it the zeroth level in our hierarchy. Server administrator performs fundamental system configuration by means of the web.config file. This includes e.g. user authentication and authorization modes, enabling user creation, default language, enabling web services or mass operations. However, from the access rights hierarchy the most important is determination of accounts that will be granted ObjectGears administrator role.

ObjectGears adminstrators represent the first level of access rights in ObjectGears. They perform settings on level of the whole ObjectGears instance, they create jobs or roles. If integration with MS Active Directory is not used, they create users and assign them roles. From the perspective of access rights structure their most important activity consists in set up of models and definition of IT owners of particular models. In this way ObjectGears instance is divided into particular applications that might be isolated one from another or more or less integrated.

Model IT owners (application designers) represent the second level of access rights. They create particular objects (tables for records, organizational structures, reports, workflow, rules, notifications etc.). They also set up access rights to these objects for particular roles.

Access rights assigned to a role represents the third level of access rights in ObjectGears. On this level we take care of assigning particular necessary access rights on data reading or data writing, report execution etc. to a role that the user was either granted by ObjectGears administrator or that the user gets by means of membership in a certain MS Active Directory group.

This hierarchy eliminates weakness of systems that are characterized by too strong access rights and where users get access also to operations that they do not need. Such systems are associated with risk of deliberate or unwanted data damage, sensitive data leak etc. We do not speak only about users but also about application administrators and developers. Application administrators and developers usually have a full access to the application. This is not the case of ObjectGears. They are granted only with access to models that they support and they cannot work with applications that are administered by somebody else. Neither ObjectGears administrator nor model IT owner have to have access to the data themselves. If it is necessary they can be granted a temporary access but later on it can be withdrawn again without limiting them in other tasks they should perform. This ensures data protection and entrusting data to business users.