There are four permissions levels available in Qdabra’s Database Accelerator: DBXL Admin, Global Level, Document Type Level and Document Level. This document will provide you with an overview of these four alternatives.
DBXL Admin Permissions
DBXL Admin Permissions are initially defined when DBXL is being installed, though you can modify them later by editing web.config. During the installation we can grant admin permissions to a group or user by filling out the DBXL Admin field, as seen in Figure 1.
Members of the DBXL Admin security group can manage licenses, add document types and manage access permissions to DBXL document types. By default the DBXL Admin Permissions will be set to BUILTIN\Administrators.
Figure 1
Modifying DBXL Admin Permissions in web.config
After installation, DBXL Admin Permissions can be modified by editing the value for the DbxlAdminAlias key in web.config, located in C:\Inetpub\wwwroot\QdabraWebService for default installations of DBXL. This is shown in Figure 2.
Figure 2
Global Level Permissions
Global Level Permissions are also initially defined during installation. By default these are active, as indicated by the checked Set Global User Permissions checkbox.
The groups or users who are set at the Global Level will have access to all the document type configurations and all the documents. By default, the BUILTIN\Administrators group will be granted Global Level Admin Permissions, as seen in Figure 3, while the Writer and Reader groups are blank.
Figure 3
There are three sets of permissions that can be set at the Global Level:
- Admin: The members of this group have access to view and edit the Document Type Configurations as well as being able to view and edit all documents.
- Writer: The members of this group can view and edit all documents, but they do not have access to view or edit the Document Type Configurations.
- Reader: The members of this group are only allowed to view all documents. They do not have access to edit the documents and also do not have access to view or edit the Document Type Configurations.
Disabling Global Permissions
Checking the Set Global User Permissions checkbox gives users with global permission access to perform admin operations across all documents and document types.
During installation you have the option of disabling these global permissions by clearing the Set Global User Permissions checkbox, which will result in restricting DBXL access to DBXL Admins. For this reason, disabling global permissions does not make DBXL “wide-open”. On the contrary, it makes access DBXL more restrictive.
To illustrate this, let’s look at two examples. In Figure 4, below, only members of the BUILTIN\Administrators group will be able to successfully interact with DBXL because we have disabled global permissions. Meanwhile, in Figure 5, members of Qdabra\Developers are elevated to have the same permissions as BUILTIN\Administrators.
Figure 4
Figure 5
Modifying Global Level Permissions in web.config
After installation, Global Level Permissions can be modified by editing the value for the ReaderGroupAlias, WriterGroupAlias and AdminGroupAlias keys in web.config, located in C:\Inetpub\wwwroot\QdabraWebService for default installations of DBXL. Users are also able to turn off Global Level Permissions by switching the value of the CheckUserPermissions key from true to false.
The relevant section of web.config is shown in Figure 6.
Figure 6
Document Type Level Permissions
Document Type level permissions are granted in the Permissions tab of DAT. First note that the Enforce Permissions checkbox must be checked for the permissions in this tab to be enforced. You are able to enter as many users or groups as desired, by clicking the Insert document type level permissions link. Clicking this link will insert a new row where you will need to enter a name (an identifier of your choosing) and the user or group (Role Name). Then, for each of these rows, you will be able to grant the following permissions: Add, Read, Write, L-Read, L-Write, Del and Admin.
An example is shown in Figure 7, where the managers group has Admin permissions over the Document Type, while the Readers group only has Read access.
Figure 7
Notes:
- Checking the Admin checkbox will check the other six checkboxes.
- Checking the Write checkbox will check the Read and L-Write checkboxes.
- L-Read Permissions are not currently in use and are reserved for future use.
- Only one user or group can be added per row. Do not insert lists separated by commas, semicolons or other delimiters.
Document Level Permissions
Document Level permissions are also established in the Permissions tab of DAT. As with Document Type Level Permissions, the Enforce Permissions checkbox must be checked for the permissions in this tab to be enforced. You are able to enter as many users or groups as desired, by clicking the Insert document level permissions link. Clicking think link will insert a new row where you will need to enter a name (an identifier of your choosing) and the xpath where the document stores the role information. Then, for each of these rows, you will be able to grant the following permissions: Read, Write, L-Read, L-Write and Del.
An example is shown in Figure 8. In the form, a field will contain the user alias of the approver, who will in turn be granted permission to read, write, lock and delete. Meanwhile, the Auditor will only be granted read access. Of course, this assumes that you have designed your form such that it contains these two pieces of information. This allows for fine grained control, as well as dynamic permissions, for instance, allowing the Approver to change the Auditor responsible for the document.
Figure 8
Notes:
- Checking the Write checkbox will check the Read and L-Write checkboxes.
- L-Read Permissions are not currently in use and are reserved for future use.
- Only one user or group can be added per row. Do not insert lists separated by commas, semicolons or other delimiters.
- If you modify Document Level Permissions after creating documents, you must reshred the documents in order to apply the new permissions to the previously-existing documents.