Access restrictions for administrators

In application development and production environments, you might want to provide different levels of access to your administrators. The following Developer Studio features enable you to define access restrictions for administrators:

Related topic

Operations-on-objects-restricted-by-development-mode

Mode assignment based on access restrictions

To allow external customers the ability to configure extensions and customizations to their applications, and to ensure that upgrades can be implemented without affecting these changes, Developer Studio  includes Best Practice Customization mode.

Members of the Administrator, Sub Administrator, Struct Admin, and Struct Subadmin groups by default can create, modify, and delete all base, overlay, and custom objects to which their group memberships give them access. By adding an overlay group to these user's group lists, you can restrict them to only overlay and custom objects (or only to base objects). For more information about Struct Admin and Struct Subadmin groups, see Creating-an-Administrator-security-role.

You can add a read-only functionality to the members of the Struct Admin group. By adding this functionality you can allow the members to view and export objects, but restrict them to create, modify, delete and import all base, overlay and custom objects.

Important

Any user assigned to the Administrator, Sub Administrator, Struct Admin, or Struct Subadmin group must have a fixed license or the group assignment is ignored.

To restrict a user to creating, modifying, and deleting overlay and custom objects, but not base objects, and without access to data or administrative functions

  1. Create a group with Overlay Group field value 0. Add the user to this group.
  2. Add the user to the Struct Admin group.
  3. Create a permission group named Struct Admin. Add the user to this group. You'll use this group to grant access to system forms that are otherwise visible only to Administrators. For more information about Struct Admin permissions, see Struct-Admin-group-permissions.
  4. Make sure the user has a Fixed license.

To restrict a user to creating and modifying only certain overlay and custom objects, without access to data or administrative functions

  1. Create a group with Overlay Group field value 1. Add the user to this group.
  2. Add the user to the Struct Subadmin group.
  3. Create a group and add it to the Administrator lists of the objects you want the user to access.
  4. Add the user to this group.
  5. Make sure the user has a Fixed license.
    Struct Subadmin users are very similar to Sub Administrator users; they both get permission to an object via the object's Administrator group list. Neither Struct Subadmin or Sub Administrator users have special access to the forms mentioned in Struct-Admin-group-permissions.

To restrict a user to creating, modifying, deleting, and importing all base, overlay, and custom objects, with access only to viewing and exporting definitions

  1. Create a group with Overlay Group field value 999999999. Add the user to this group.
  2. Add the user to the Struct Admin group.

Overlay Group field

The Group Information form contains an Overlay Group field, with the values defined in the following table.

Overlay Group field values

Important

Do not assign an overlay to a computed group. If you assign an overlay to a computed group, the ARERR 8821 warning occurs and the computed group is saved with Overlay Group as NULL in the AR System server.

To create an administrator that has access to only one development mode at a time, create a user with the following Group List settings:

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*