Regular, computed, and dynamic groups

Groups are collective memberships of users that need similar types of accesses and permissions to access application components, such as forms, requests, fields, active links, and active link guides. Groups determine whether and how their members can access the application components.

You can create the following groups by using the Group form:

  • Regular groups—Explicit groups that you create and to which you assign a specific list of users.
    For information about assigning users to groups, see Creating-and-modifying-users.
  • Computed groups—Explicit groups that you create and assign users based on the memberships of explicit groups included in an expression.
    For example, you can create a computed group definition such as (A AND B) OR C AND NOT D. This computed group includes the list of users who are members of both groups A and B, or members of group C, but not members of group D.
    Computed groups make groups easier to manage. You can manage your users in a limited number of regular groups. You can use computed groups based on these regular groups for more complex access control, without the need to make changes in multiple groups.

AR System provides the following types of access control group types:

  • Explicit groups—Groups to which you must manually assign users in the User form.
    When a user becomes a member of a group, the user is given access to all objects and fields to which the group is granted access.
    Explicit groups that you create are defined for a particular server. If you move the objects to a new server with its own defined explicit groups, you might need to resolve permission conflicts.
    To avoid this situation, consider using a deployable application that uses role permissions that can be mapped to different groups on different servers. For more information, see Role-based-access-overview.
    For information about assigning users to groups, see Creating-and-modifying-users.
  • Implicit groups—Groups that depend on specific user circumstances and situations.
    Users belong to these groups based on specific conditions, such as the contents of special fields within each request. You do not directly assign users to implicit groups. Any dynamic groups that you create are also implicit groups.
    For more information, see Controlling-access-to-requests-by-using-implicit-groups-Row-level-security.

The following table provides more information about the access control group types:


Membership in multiple groups

Users often belong to multiple groups in an organization. They inherit permissions from each of the groups to which they belong. If a group has permission to access a form, field, request, active link, or active link guide and a user belongs to that group, the user has access even if the user belongs to other groups that do not have access.

Example

Erin wants to modify the Short Description field in a form. She is a member of three different groups with different levels of access to a form.

As a member of the Public group and the Browser group, she does not have permissions to modify the form. However, as a member of the Graphics Support group, she has appropriate access to view and modify the fields in the form.

Hence, even though she does not have required permission to modify the form via two other groups, her membership to a group with required permission helps her modify the form.

Based on the example, the following image shows how permissions work:

221_permissions example.png

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*