SEARCH:
Documentation
Database Reference
Previous: dominant Next: group.module

group



An Andromeda database specification will contain security assignments. The security system is based on the idea of assigning rights to groups. Any particular security assignment allows a group of users to access a table (or rows and columns within a table).

Example
group group_id:
   # Required
   description: string
   # Optional application-wide assignments
   permsel: Y/N
   permins: Y/N
   permupd: Y/N
   permdel: Y/N
   permrole:Y/N
   nomenu:  Y/N
   solo:    Y/N
   # Any
   module module_id:

The database specification contains the group definitions, and the granting of priveleges to those groups. Priveleges are granted to tables with the definitions module.group, group.module, and table.group. Column-level security can be granted with table.column#permsel and table.column#permupd. Row-level security can be granted with table.column#permrow.

Any privelege granted within a group definition will apply to all tables in the database. These defaults are overridden by assignments made in module.group, group.module, and table.group.

For an actual user to gain priveleges, a user administrator must add them to one or more groups at runtime.

Properties

group group_id. The first line of a group definition begins with the keyword 'group', a space, and then the unique group name (group_id) followed by a colon.

description. The friendly description of the group.

permsel. The group's default SELECT permission database-wide.

permins. The group's default INSERT permission database-wide.

permupd. The group's default UPDATE permission database-wide.

permdel. The group's default DELETE permission database-wide.

permrole. If Y, members of this group may create new users and assign privileges. Any user who is put into this group has effective total control of the application, as they can assign any kind of security to themselves or others.

solo. If Y, members of this group may not belong to any other group (except the login group). Note that this feature is subvertible under very specific circumstances. Users with permrole authority who have direct access to a database console can assign other users into any group or combination of groups without regard for this setting.

Within a group definition you can further define the group's permissions for specific modules by including group.module defintions.

There is a hard-coded group known as the $LOGIN group. The group is not actually named '$LOGIN', it always takes the name of the database, such as 'andro' or 'finance'. If you wish to make assignments to this default group, such as allowing that group SELECT access to some tables, you can make assignments to the $LOGIN group.

Previous: dominant Next: group.module