User and group access overview
Each access control group is defined for a particular server. An access control group has permissions that determine whether and how its members can access application components, such as forms, requests, fields, active links, and active link guides. (Administrators can also set default permissions for each component type so that whenever they create a component, selected groups automatically have access to it.)
Users are assigned to groups according to their need to access information. For example, you might create a group called Employee Services Staff whose members are permitted to view and change only certain fields in an Employee Information form. You might have another group called Employee Services Managers whose members are permitted to view and change all fields in the Employee Information form, including salary information. You can also configure a hierarchical relationship between groups to allow the parent group to inherit the permissions of the child group.
AR System has predefined groups that perform specific functions. In addition, you can create any number of custom groups in AR System to enforce access control. You can also permit unregistered users to access AR System as guests. Guests are members of the predefined Public group.
Types of access control groups
The following table lists the types of access control groups. AR System provides the predefined groups, but you must add custom groups to your system.
Type of access control group
A group to which you must assign users.
Any regular and computed groups that you create. Regular groups are groups to which you assign a specific list of users. Computed groups are groups to which users are assigned based on their memberships in groups included in an expression. For example, you can create a computed group definition such as (A AND B) OR C AND NOT D. This computed group includes users who are members of both groups A and B, or members of group C, but not members of group D.
A group to which a user automatically (or implicitly) belongs by virtue of the contents of certain fields in a request. You cannot assign users to implicit groups. All users are members of Public. You use the other types of implicit groups to control access to requests (row-level database access).
Any dynamic groups that you create. Dynamic groups use the contents of special fields to determine group membership.
Additive access control
Access control in AR System is additive. This means that each user in AR System begins with no permissions. Administrators then add permissions as needed.
The server verifies the permissions of an object to determine if access to the object is granted. If access is granted at any step along the decision tree, as shown in the following figure, the user has permission to access the object. As you add permissions to various AR System objects, users have access to the object if they are members of any group with access or any role that maps to a group with access.
In this example, Lydia Lan is a member of two groups: Engineering and Engineering Managers. The Engineering group does not have access to Form1, but the Engineering Managers group does. Thus, although Lydia does not have access to Form1 through the Engineering group, she does have access through the Engineering Managers group.
You must assign permissions to every application, form, field, active link, active link guide, packing list, and web service that requires access control. Start by designing the access control for your application or forms. To save time and prevent errors, define default permissions before you create objects and fields. You can also use a batch Edit dialog box and the Assign Group Permissions dialog box to change permissions for multiple objects in one operation. For more information, see Assigning permissions.
Membership in multiple groups
Users often belong to multiple groups in an organization. They inherit permissions from each of the groups to which they belong.
If a group has permission to access a form, field, request, active link, or active link guide and a user belongs to that group, the user has access, even if the user belongs to other groups that do not have access.
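The additive rule and the multiple-group rule above can be modeled in a few lines. The following Python sketch is an added example, not AR System code or its API: it resolves a user's regular, Public, and computed group memberships and reports which groups grant access to an object, which is also the question to ask when auditing why a user can reach a form. The names Directory, in_computed, granting_groups, Computed1, Form2, user1, and user2 are hypothetical, and the computed expression is grouped the way the page's prose describes it.

```python
from dataclasses import dataclass, field

PUBLIC = "Public"  # per the page, all users are members of Public


def in_computed(expr, groups):
    """Evaluate a computed-group expression tree against a set of group names."""
    if isinstance(expr, str):
        return expr in groups
    op, *args = expr
    if op == "NOT":
        return not in_computed(args[0], groups)
    if op not in ("AND", "OR"):
        raise ValueError(f"unknown operator: {op}")
    results = [in_computed(a, groups) for a in args]
    return all(results) if op == "AND" else any(results)


@dataclass
class Directory:
    explicit: dict                                # user -> set of regular groups
    computed: dict = field(default_factory=dict)  # computed group -> expression tree

    def groups_of(self, user):
        """Regular groups, plus Public, plus computed groups that evaluate true."""
        base = set(self.explicit.get(user, ())) | {PUBLIC}
        derived = {name for name, expr in self.computed.items()
                   if in_computed(expr, base)}
        return base | derived


def granting_groups(directory, acl, user, obj):
    """Additive check: a user starts with no access, and membership in any one
    group on the object's permission list is enough. Returns the granting
    groups; an empty set means access is denied."""
    return directory.groups_of(user) & acl.get(obj, set())


# Constructed sample data, modeled on the page's examples.
DIRECTORY = Directory(
    explicit={"Lydia Lan": {"Engineering", "Engineering Managers"},
              "user1": {"A", "B", "D"},   # hypothetical user
              "user2": {"C"}},            # hypothetical user
    # Page's "(A AND B) OR C AND NOT D", grouped as its prose describes.
    computed={"Computed1": ("AND", ("OR", ("AND", "A", "B"), "C"), ("NOT", "D"))},
)
ACL = {"Form1": {"Engineering Managers"}, "Form2": {"Computed1"}}  # Form2 is hypothetical

if __name__ == "__main__":
    for user, obj in [("Lydia Lan", "Form1"), ("user1", "Form2"), ("user2", "Form2")]:
        print(user, obj, sorted(granting_groups(DIRECTORY, ACL, user, obj)) or "denied")
```

Because the model has no deny entries, removing a user's access to an object means finding every group returned by granting_groups and changing either the membership or the object's permission list.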
How permissions work