You can set permissions for each affiliated group to control who may view and update registered data.

For example, accounts belonging to the same group can view and update each other's registered data, while accounts belonging to another group are limited to viewing and cannot update.

This is set per model.

Group authority management uses jgroup, the "group" model provided by Wagby. It is linked with juser, the model that manages logon accounts, and a logon account can belong to multiple groups.

For how to create a group, see "Account > How to use the group".

Figure 1 Group model and account model

For each model, select a pattern that combines the two authorities "R: reading authority" and "W: writing authority".

Figure 2 Setting Group Permissions

Each pattern is set as shown in the table below.

pattern Data registrant Identical affiliated groups Other affiliated groups
R W R W R W
pattern 1 - - - -
Pattern 2 - - -
Pattern 3 - -
Pattern 4 - -
Pattern 5 -
Pattern 6 (Initial value)

Patterns are listed from most to least restrictive. The initial value is "pattern 6" (no restriction).

The system administrator can view and update all data (regardless of pattern setting).

When this function is used, Wagby adds the items "data owner" and "data owner's belonging group" (used internally for group authority management) to the table definition of the affected model.

The table structure therefore changes when this setting is changed. Delete all existing tables and recreate them.

When changing the group to which the user belongs after registering data

Even if you change a user's group after data registration, existing data is not affected. The "group of the owner set at data registration" is retained.

This is explained below using group authority "pattern 5" as an example.

Groups to prepare

Group ID (primary key)  Group name
1000  General Affairs Department
1001  Sales Department
1002  Technology Development Department

Create an account

Account  Name  Group membership
satou  Sato  General Affairs Department
suzuki  Suzuki  General Affairs Department
yamada  Yamada  Technology Development Department

When Sato registers data

Sato registers customer data (ID: 1).

Customer ID  Creator (data owner)  Affiliation group of data owner  Operation of Sato  Operation of Suzuki  Operation of Yamada
R W R W R W
1  satou  1000  -

Sato can read and write as the account that registered the data.
Suzuki belongs to the same group and can therefore read and write.
Yamada belongs to a different group and is only allowed to read.

After changing the affiliation group of Sato

Change the affiliation group of "satou" (Sato) to the Technology Development Department. This operation has no effect on data that is already registered.

Customer ID  Creator (data owner)  Affiliation group of data owner  Operation of Sato  Operation of Suzuki  Operation of Yamada
R W R W R W
1  satou  1000  -

Despite the change to Sato's group, Suzuki can still read and write, and Yamada is still read-only. This is because the registered data holds the ID of the affiliated group at the time of registration.

When Sato registers new data

For data registered after the affiliated group has been changed, the new group is applied.

Customer ID  Creator (data owner)  Affiliation group of data owner  Operation of Sato  Operation of Suzuki  Operation of Yamada
R W R W R W
2  satou  1002  -
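
The walkthrough above, modelled as an access check. This is an added example, not Wagby's code and not part of the original page; the names Account, Record, register and access are hypothetical, each account is assumed to have a single group, and only patterns 5 and 6 are modelled.

```python
from dataclasses import dataclass

# Pattern 5 as the page describes it; pattern 6 is "no restriction".
# The other patterns are not modelled in this sketch.
PATTERNS = {
    5: {"owner": "RW", "same_group": "RW", "other_group": "R"},
    6: {"owner": "RW", "same_group": "RW", "other_group": "RW"},
}

@dataclass
class Account:
    name: str
    group: int                 # simplification: one group per account
    system_admin: bool = False

@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    owner_group: int           # snapshot of the owner's group at registration

def register(record_id, account):
    """Store the registrant's current group on the record itself."""
    return Record(record_id, account.name, account.group)

def access(account, record, pattern=5):
    """Return "RW" or "R" for this account on this record."""
    if account.system_admin:   # system administrators bypass the pattern
        return "RW"
    rule = PATTERNS[pattern]
    if account.name == record.owner:
        return rule["owner"]
    if account.group == record.owner_group:   # compared with the snapshot
        return rule["same_group"]
    return rule["other_group"]

def walkthrough():
    satou, suzuki, yamada = (Account("satou", 1000), Account("suzuki", 1000),
                             Account("yamada", 1002))
    users = (satou, suzuki, yamada)
    rec1 = register(1, satou)
    before = {u.name: access(u, rec1) for u in users}
    satou.group = 1002         # Sato moves to Technology Development
    after = {u.name: access(u, rec1) for u in users}
    rec2 = register(2, satou)  # new data picks up the new group
    new = {u.name: access(u, rec2) for u in users}
    return before, after, new

if __name__ == "__main__":
    for label, result in zip(("before", "after", "new"), walkthrough()):
        print(label, result)
```

Because the comparison uses the group stored on the record, customer 1 stays writable for the General Affairs Department after Sato's transfer; records registered before a transfer are the ones to review when access should follow the person rather than the original group.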

When you want to change "data owner" of data that Sato registered in the past

Even if the group to which Sato belongs changes, the data of customer ID 1 remains readable and writable by Sato, because Sato is the data creator. If your operational policy requires the data owner to be changed, follow the procedure below.

  1. Log on as a system administrator or group administrator (described later).
  2. Open the data update screen.
  3. The item "data owner" is displayed; change it to an account other than Sato. The group to which the data owner belongs is changed at the same time.

Figure 3 Changing the data owner

Operationally, one option is to prepare an account called "data owner (general affairs department)" and change the data owner to this account. (It is assumed that nobody operates the system with this account.)

If you want to change only the group to which the data owner belongs, while keeping Sato as the data owner

Follow the procedure below to change.

  1. Log on as a system administrator or group administrator (described later).
  2. Open the data update screen.
  3. The item "data owner" is displayed; temporarily change it to an account other than Sato (e.g. admin).
    "Data owner's belonging group" uses Wagby's "reference linked self model save" function. To correct this value, you need to change the reference destination.
  4. Open the update screen again. Select "satou" again for "data owner" and save.

For each group, you can prepare a "group administrator" with special authority over the data in the group.

"Group administrator" is provided as a principal, but it can be selected only when the authority of the group administrator exceeds the authority of the (affiliated) group. Specifically, these are the following patterns.

pattern Identical affiliated groups Group administrator's authority
R W
pattern 1 - - RW
pattern 1 - - R
Pattern 2 - RW
Pattern 4 - RW

Take pattern 2 as an example. Accounts belonging to the same group are normally allowed only to read. However, because the group administrator's authority is stronger than the normal authority, the group administrator can also write (register, update, delete) data.

Group Administrator Principal Selection

The group administrator is provided as a principal. Therefore, you can appoint multiple accounts as group administrators.

As shown in Figure 4, two types of principals are prepared.

Figure 4 Two group administrator principals

"Group administrator" can perform proxy registration in addition to manipulating data with the authority of the group administrator.
"Group administrator (proxy registration impossible)" can operate on data with the authority of the group administrator, but cannot perform proxy registration.

System administrators or group administrators can register data by proxy by changing the item "data owner".

The authority of the group administrator must be "RW". Proxy registration is not possible with "R".

Preparation (setting of principals)

Give the principals "group administrator" and "account viewer" to the account that is to perform proxy registration. (Note that the system administrator can always perform proxy registration without being given them separately.)

Figure 5 Granting the group administrator and account viewer principals

Performing proxy registration

Using the account Sato prepared in Figure 5, open the customer data registration screen. As shown in Figure 6, the item "data owner" is displayed and can be changed. (This item is not visible to anyone other than a system administrator or group administrator.)

Figure 6 Data owner item is displayed

You can change it to another account (Figure 7). Because Sato is a group administrator, the choice is limited to accounts belonging to the same group as Sato.

Figure 7 The data owner has been changed

To cancel the group authority management, set the "authorization pattern" setting to pattern 6 (default value; no restriction).

  • If you do not prepare a search/list display screen for the model, you cannot use group authority. (The setting is ignored.)
  • Do not place an update button on the list display screen of a model for which group authority is enabled and updates are restricted. With group authority, the control that lets only authorized users press the update button works on the detail screen, but is not supported on the list display screen.