Access to records is organized in the OWNER-GROUP-WORLD scheme. According to this scheme a record always belongs to one owner and one owner group. The one who creates the record becomes its owner and the group he is working in becomes the owner group. The owner is the only one who can change the access rights for these data. He can do that for himself (OWNER), the members of his group (GROUP) and all other users (WORLD). The following maximum access privileges can be granted:

| Access | Privileges for Owner, Group or World |
|---|---|
| No Access | No access to records. (1) |
| Read | Records can only be read |
| Write | Records can be read and written |
| Delete | Records can be read, written and deleted |

(1) For users without any access, the records are either not shown at all or shown as dotted lines in masks. This is determined by the default variable DISPNOACC (ON = dotted line, OFF = no display).
Furthermore, the owner can pass a record to another owner or owner group. If a password is defined for the new owner, it will be requested.
There is a special access form for displaying and modifying the owners and privileges of a record. Managers can open this form in all DataView system masks from the Select menu using the standard function Access. There it is used to protect the meta data of the application during application development. In the application itself you can call the access form with the help of the standard menu userexit iwf_frm_acc (as a rule used in Select menus of user masks). This is how you protect user data.
Example: In the Select menu of the list Inflexible Endoscopes the access function was installed. The Sales Manager has entered an arthroscope and opened the access form for the newly-created record.
She is displayed as the owner, and her group is the owner group. DataView has automatically assigned the default values d, w and r for OWNER, GROUP, WORLD. The Sales Manager is the only one allowed to change these entries for the newly-created record. For instance, she could grant her colleagues in the Sales group read-only privileges (r = GROUP). This would prevent another member of the Sales department from changing the data of the arthroscope. That member could still edit all other inflexible endoscopes without any limitations, because he has delete privilege in the Sales group and the Sales Manager did not limit access to these records.
When a record is newly created, DataView automatically grants default access privileges. Which access privileges a record gets depends on the kind of data it represents. The default settings can be modified per user in the system default variables ENTACC and ELMACC.
Users with manager privileges (developing users) always have unlimited access to user records, even if the records were created by end-users. DataView does not check any access privileges for them. In the case of distributed application development (several developing users), this unlimited access of a manager is limited to the user data managed within the model objects (entities, relations, ...) he created.
After an application has been completed, end-users or test users without manager privileges can open all masks of the application, but they are not allowed to create or modify user data. They do not get access to mask objects. This is caused by the automatic assignment of default access privileges for WORLD (entities, relations = no access, masks = read) when these objects are created. As a developing user you must first release these objects for the end-users. To do so, change the access of WORLD to d (delete) for the model objects of your application (entities, relations, ...). DataView will then automatically extend this access privilege to all masks pointing to these model objects or their database tables. It is not possible to transfer only parts of the data model by granting privileges to certain model objects only.
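The OWNER-GROUP-WORLD check described on this page can be modelled in a few lines of Python; this is an added illustration, not DataView code, and all class and function names are hypothetical. It assumes that the first matching class (owner, then group, then world) decides, uses a constructed "-" code for No Access, and models the manager bypass without the distributed-development limit.

```python
from dataclasses import dataclass

# Privileges are cumulative: Delete includes Write, Write includes Read.
# "-" as the code for No Access is constructed; d, w, r are the page's codes.
LEVELS = {"-": 0, "r": 1, "w": 2, "d": 3}
NEEDED = {"read": 1, "write": 2, "delete": 3}

@dataclass
class User:
    name: str
    group: str
    manager: bool = False   # developing user

@dataclass
class Record:
    owner: str
    owner_group: str
    owner_acc: str = "d"    # defaults d, w, r as in the endoscope example
    group_acc: str = "w"
    world_acc: str = "r"

def effective(user, rec):
    """Privilege code applying to user (assumption: first matching class wins)."""
    if user.manager:
        return "d"          # no access check for managers
    if user.name == rec.owner:
        return rec.owner_acc
    if user.group == rec.owner_group:
        return rec.group_acc
    return rec.world_acc

def allowed(user, rec, action):
    return LEVELS[effective(user, rec)] >= NEEDED[action]

def set_access(user, rec, cls, code):
    """Change OWNER/GROUP/WORLD access; only the record's owner may do so."""
    if user.name != rec.owner:
        raise PermissionError("only the owner can change access rights")
    if cls not in ("owner", "group", "world") or code not in LEVELS:
        raise ValueError("unknown class or privilege code")
    setattr(rec, cls + "_acc", code)

def display(user, rec, value, dispnoacc="ON"):
    """Field as shown in a mask: DISPNOACC ON = dotted line, OFF = no display."""
    if allowed(user, rec, "read"):
        return value
    return "....." if dispnoacc == "ON" else None
```

Because managers skip the check entirely, restricting GROUP or WORLD on a record protects it from end-users only, not from developing users.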