Tags:
create new tag
view all tags

Access Control List - Processes

This process allows you to assign security to the processes in your applications.


Overview:

This process allows you to assign security (the 'Access Control List' or ACL) to the processes in your applications. This is the 'Access Control List - Processes' option on the 'Security' tab of the RBS menu.

You assign security by the parent/child combination, ie, you can allow 'Customer File Maintenance' to be run from the 'File Maintenance' menu in A/R, but not from anywhere else. You can assign security at the Database, Department, Workgroup, Role and User levels. Settings at lower levels take priority over higher levels, ie, a setting at an individual user level will override the everything else, or a setting at the Role level will override a setting at the Workgroup, Department or Database level.

When a user selects an option, RBS follows these steps to evaluate their access:

  1. If a User belongs to multiple Roles and Multi-Role setting on the configuration file is set to 'Select', then the first time they run a process they will be prompted for the Role they want to use. This Role will be used for the rest of the session.
  2. If this combination of parent/child was previously selected in the session, then the cached ACL is used and no further processing needs to occur.
  3. Otherwise, for the parent/child combination the system checks for an ACL at the User, Role, Workgroup, Department and Database levels. If a setting is undefined or the ACL is not present, then the setting on the next highest level is used.
  4. If no ACL records were found, then RBS checks to see if there is default ACL for the child process (discussed below).
  5. If there isn't a default ACL for the child, then the system defaults from the configuration file are used.
  6. After the above evaluation, RBS checks to see if any ACL settings are still blank, and if so, uses the settings it determined when the parent of the current process was invoked.
  7. Finally, the result of this check is cached so that it doesn't have to be repeated in the current session.
If the 'Combine' option of Multi-Role support is enabled on the configuration menu, then steps 3, 4, and 5 are repeated for each role the user belongs to. The resulting rights will be:
  • If any Role allows a setting (Run, Add, Delete, Chg), then that setting will be allowed.
  • If any Role would allow the user to log on (based on the Inactivity setting), then the user will be allowed to log in.
  • The longest Timeout value of any Role will be used
The process for determining access to a File or Field is similar.

Since the ACL is maintained by a combination of parent and child, and since Appx does not normally maintain this information, RBS has it's own cross reference file of parent and child processes. When you run this process, you will have the opportunity to refresh this cross reference file before using it to assign the ACL.

Description:

When you choose this option, you will be presented with a screen that allows you to enter the Version number of the applications you want to work with. Once you press Enter, the screen will fill in with the applications in that version:

process-xref.png

RBS will try to determine if the application has been changed since last time the internal cross reference file was generated. Those applications will be pre-selected for you. In this example, application AAA has never had the cross reference file generated, and application DMO was changed after the last time the cross reference file was generated.

The applications you select here only affect the generation (or not) of the internal cross reference file. When you begin managing the ACL, you will be working with all the applications in the selected version. The buttons have the following functions:

  • Select All - Selects all the applications (same as using Control+A)
  • Select None - Deselects all applications
  • Regen & Cont - Regenerate the internal cross references file for the selected applications and then continue managing the ACL.
  • Cont w/o Regen - skip the regeneration step and continue with managing the ACL
  • Cancel - Do nothing & return to the menu
If you choose the 'Regen & Cont' option, you will see an 'In Progress' display similar to the following:

process-progress.png

When the regeneration is complete, click 'Continue' and you will be presented with the main window for managing Process ACL:

RBSSetAcl.png

There are 4 main sections to this screen:

  1. Toolbar options to manually add a Parent / Child process pair or use filters to find processes or ACL entries (discussed below)
  2. Navigation Window that shows you where you are in the applications hierarchy. You can click on these entries to return to that point.
  3. Process Window which shows the children of the currently selected process. Initially this shows you the 'Top Level' processes, which are processes that are run from the User record (via start parameters), Live Operations menus (as specified on each application's parameter record), default input processes (as specified in the Data Dictionary), and Direct Process 1 (as specified on the System Parameters record). The contents and title of this window will change as you navigate the application.
  4. ACL Window that shows you the current ACL settings for the row you have selected in the Process Window. The contents and title of this window will change as you select different rows. You can double click any row in this window to change the settings.

Process Window

This is where you choose which parent/child process to manage. The buttons have the following function:

  • Parents - shows the parent process of the currently selected child process. This is useful when a process is called from more than one location. For example, you may have navigated through 'A/R Menu', 'File Maintenance', 'Customers'. The selected row would show 'Customers' and the Parent Type/Description on the right would show 'File Maintenance'. If you click 'Parents', the contents would change to show you every other process that calls the 'Customers' process. For example, it might show 'Customers' as the default input process for the Data Dictionary, the 'File Maintenance' menu, the 'Order Entry' input process, a Direct Process 2 menu, etc.
  • Children - shows all the processes that the currently selected process calls. For example, if you selected DMO MENU in the above display and clicked 'Children', the display would change to show you all the processes that are called by that menu. You can also double click any row to display the children.
  • Back - takes you back one level. This is only active if you have used the 'Children' button.
  • Add Security - Allows you to add an ACL record for the currently selected row (see discussion below).
  • Default Security - Allows you to add a Default ACL record for the currently selected process (see discussion below).
  • Appx Info - Displays the Appx technical info for the currently selected process (see discussion below). This is useful when the description does not give you enough information to identify the process. Also see Process Name/Process Desc toggle next.
  • Process Name/Process Desc - This toggles the display between showing Process Descriptions and the actual Appx Process Name. This can be useful when the descriptions do not give you enough information to identify the process.
  • Top Level - returns you to the initial 'Top Level' display of the applications. This can be useful when you have navigated deeply into the application hierarchy or you have used a filter and you want to start at the top again.

Add Security

This button allows you to add an ACL record for the currently selected Parent/Child row. First you will be prompted for what level of security you want to add (Database, Department, Workgroup, Role, or User), then the following image will be displayed:

process-xref-addacl.png

In this example, we chose 'Role'. On the right the system displays our Security Hierarchy, and we can double click any displayed Role to choose it. Then we set the Run, Add, Change and Delete flags as desired for that Role. If the parent process is a menu, or there is no parent process (eg, USER START), then you must set each flag to Y or N. If the parent process does not meet that requirement, then you can leave the flag blank and it will be inherited from the parent process at runtime. For example, we have a 'File Maintenance' menu that runs 'Customers', and 'Customers' runs another process called 'Shipping Addresses'. When setting up the security for 'File Maintenance' and 'Customers', we must explicitly set each flag, but when setting up the security for 'Customers' and 'Shipping Addresses', we can leave some flags blank, and they will be inherited from the 'File Maintenance' and 'Customers' settings.

The 'Apply to Descendants' flag, if checked, will use the current settings to add an ACL record for every child process. For example, if we were setting the security for the 'A/R Menu' and we checked this flag, then those same settings would be used for every option on the 'A/R menu', as well as any processes those options called.

Default Security

This button allows you to add a default ACL record. The default record is used when RBS cannot find an ACL record at any of the 5 levels (Database, Department, Workgroup, Role and User) for the current Parent/Child. The following image will be displayed:

process-xref-adddefacl.png

The Y/N flags must be filled in. The default security will apply to the child process, so anytime this process is invoked and RBS cannot find security for the combination of some parent and this process, it will check for this default security.

Default security is optional, and if not found, RBS will use the defaults in the Security Configuration.

Appx Info

This will display an information Window for the currently selected process:

process-xref-view-appx-info.png

This can be useful when you have difficulty identifying a process by it's description alone.

Changing/Deleting ACL

To change or delete an existing ACL record, just double click it. You will see the the following display:

process-xref-chgacl.png

You can change any of the flags, subject to the same rules as adding an ACL record. If you check the 'Apply to Descendants' flag, the change will be applied to all the children of the current process, plus their children, etc.

To Delete an ACL record, click the Delete button. It will change to 'Ack Del', click it again to confirm the deletion. If the 'Apply to Descendants' flag is checked, the ACL will be removed from all the children of the current process, plus their children, etc.

Manually Adding a Parent/Child Process Record

There may be circumstances where a parent/child combination does not show up in the Process Window, ie, if a process is invoked directly via ILF instead of via the Optional Child specification. Or, you may have processes the are directly invoked from the command line. You can use this option to add those processes to the Process Window, and then set the ACL in the usual way. When you click this toolbar option, you will see the following:

process-xref-manual.png

Enter the information as required. Parent Types of USER START, DEF INP, APP PARM and SYSPARM do not need a Parent Process name. For processes run from the command line, use Parent Type USER START.

When selecting a manually added parent/child process record, the 'Delete' button will be enabled, which will allow you to delete the record.

Filters

There are 3 filters you can use to help manage the ACLs. The basic filter is selected from the toolbar, and the advanced filters are selected from the basic filter. The filter determines what processes will be listed in the Process Window. From there, you can manage the ACLs in the usual way. When you click the filter icon in the toolbar, you'll see the following image:

process-xref-filter.png

This filter simply allows you to display all processes of a given type, ie, display all the MENU processes.

When the search is complete, the processes will be listed in the Process Window, and you can manage the ACL in the usual way.

Advanced Process

The advanced process filter gives you a more sophisticated way of searching for processes. When you click the 'Adv Process' filter, you'll see the following image:

process-xref-filter-adv.png

Fill in the parameters as desired, and the processes that match the criteria will be displayed in the Process Window. Note that Process Name and Description allow Regular Expressions. For example, you can search for names that begin with a string by prefixing it with "^". The added / changed since dates allow you to find only new processes, or changed processes. The 'All' match means that all criteria must be met, while 'Any' means the process will be listed if any of the criteria are met.

When the search is complete, the processes will be listed in the Process Window, and you can manage the ACL in the usual way.

Advanced ACL

The advanced ACL filter will be shown if you click the 'Advanced ACL' button. You will first be prompted for the ACL type to search for (Database, Department, Workgroup, Role or User). Then the following screen will be shown:

process-xref-filter-adv-acl-new.png

The 'Security Type' will show the type of ACL you selected (Role in this example). You can select a specific Security Type (Database, Department, etc) to search by double clicking it. By default, all Security Types will be searched, in this case it will search all Roles. Fill in the Run, Add, Delete and change allowed flags as desired. A '?' (blank) in the field means you aren't searching on that setting. However, some ACL records might contain a blank in that field and you might want to search for those. In that case, click the 'Value/blank' button beside the field. It will be highlighted to indicate that the system will search for blanks in that field. Click the button again to turn this off. The 'All' match means that all criteria must be met, while 'Any' means the process will be listed if any of the criteria are met.

When the search is complete, the processes will be listed in the Process Window, and you can manage the ACL in the usual way.

Comments:

Read what other users have said about this page or add your own comments.


-- JeanNeron - 2012-11-05

Topic attachments
I Attachment History Action Size Date Who CommentSorted ascending
PNGpng process-xref.png r1 manage 110.6 K 2012-11-06 - 17:29 JeanNeron  
Edit | Attach | Watch | Print version | History: r7 < r6 < r5 < r4 < r3 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r7 - 2013-03-26 - JeanNeron
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback