
Privileges and Permissions

Vinyl's security model is composed of the following concepts:

  • Users
  • Groups
  • Privileges
  • Roles
  • Permissions

Groups and Privileges

Groups organize users. Security administrators grant groups privileges to applications and data sources. If a group is granted privilege to an application, the group is automatically granted privilege to any data source referenced by that application.

Roles and Permissions

Data sources may define roles. Roles organize permissions; permissions determine a role's access rights to data objects.

Permissions may grant one or more of the following access rights to a data object:

| Permission | Description |
|---|---|
| Read | Allows users to query the data object. |
| Insert | Allows users to insert records into the data object. |
| Update | Allows users to update records in the data object and execute user-defined events. |
| Delete | Allows users to delete records from the data object. |

Note

If role changes do not appear to apply to users, flush the cache: navigate to the Vinyl IDE > Additional Settings > Flush Cache.

Data Source Authorization

Data sources are secured using one of two authorization models. The authorization model is determined by whether or not the data source defines any roles. The data source authorization models include:

| Model | Description |
|---|---|
| Data source authorization | If a data source does not define any roles, users with privilege to the data source have full permission to all data objects within the data source. |
| Roles-based authorization | If a data source defines one or more roles, the data source is using roles-based authorization. In that case, in addition to granting groups privilege to the data source, security administrators must add the group to one or more data source roles. |

Application Authorization

Security administrators can grant a group privilege to an application or a data source. Users can only access an application if they have been granted privilege to the application. As noted above, granting privilege to an application grants privileges to any data sources referenced by the application. The reverse is not true: granting a group privilege to a data source does not grant that group privilege to applications that reference the data source.

Page Authorization

In Vinyl, developers secure data objects, not pages. However, the following page controls bind to data objects:

  • Grid panels
  • Form panels
  • Charts
  • Lists

A user has permission to a page if and only if the user has Read access to all data objects used by the page.
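The data source, application and page rules above can be checked together in a small model. The following is an added example, not Vinyl code or a Vinyl API: all names in it are constructed, and it assumes that a group belonging to several roles receives the union of their permissions. It also lists the data sources where a privilege amounts to full permission because no roles are defined, including privileges that arrive automatically through an application.

```python
# Added illustration of the rules on this page; not Vinyl code or a Vinyl API.
# Every user, group, application, data source, role and page name is constructed.
ALL_RIGHTS = frozenset({"Read", "Insert", "Update", "Delete"})
CFG = {
    "user_groups": {"alice": {"Sales"}, "bob": {"Support"}},
    "app_privs": {"Sales": {"CRM"}},            # group -> applications
    "ds_privs": {"Support": {"CustomerDB"}},    # group -> data sources (direct grant)
    "app_sources": {"CRM": {"CustomerDB", "AuditDB"}},  # data sources each app references
    # data source -> role -> {data object: access rights}; {} means no roles defined
    "roles": {"CustomerDB": {"Reader": {"Customer": {"Read"}},
                             "Editor": {"Customer": {"Read", "Update"}, "Order": {"Read"}}},
              "AuditDB": {}},
    "members": {("CustomerDB", "Reader"): {"Support"}, ("CustomerDB", "Editor"): {"Sales"}},
    "pages": {"CustomerList": [("CustomerDB", "Customer")],  # page -> (source, object) pairs
              "OrderHistory": [("CustomerDB", "Customer"), ("CustomerDB", "Order")],
              "AuditTrail": [("AuditDB", "LogEntry")]},
}

def has_ds_privilege(cfg, group, ds):
    """Direct grant, or the automatic grant that comes with an application privilege."""
    via_apps = (cfg["app_sources"].get(a, set()) for a in cfg["app_privs"].get(group, set()))
    return ds in cfg["ds_privs"].get(group, set()) or any(ds in s for s in via_apps)

def rights(cfg, user, ds, obj):
    """Effective access rights of a user on one data object."""
    granted = set()
    for group in cfg["user_groups"].get(user, set()):
        if not has_ds_privilege(cfg, group, ds):
            continue
        roles = cfg["roles"].get(ds, {})
        if not roles:   # data source authorization: full permission to all objects
            return set(ALL_RIGHTS)
        for role, perms in roles.items():   # roles-based; union of roles is an assumption
            if group in cfg["members"].get((ds, role), set()):
                granted |= perms.get(obj, set())
    return granted

def can_open_page(cfg, user, page):
    """Page rule: Read access to every data object the page uses."""
    return all("Read" in rights(cfg, user, ds, obj) for ds, obj in cfg["pages"][page])

def unrestricted_grants(cfg):
    """Audit: (group, data source) pairs where a privilege means full permission."""
    groups = set(cfg["app_privs"]) | set(cfg["ds_privs"])
    return sorted((g, ds) for g in groups for ds, roles in cfg["roles"].items()
                  if not roles and has_ds_privilege(cfg, g, ds))

if __name__ == "__main__":
    print({u: [p for p in CFG["pages"] if can_open_page(CFG, u, p)] for u in CFG["user_groups"]})
```

In the sample data, the Sales group was only ever granted privilege to the CRM application, yet it ends up with Insert, Update and Delete on AuditDB because that data source defines no roles.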

If a user requests a page to which he or she does not have access, then the user will receive an "Access Denied" error. Vinyl hides or disables links to pages that users cannot access. Therefore, such errors are only likely if security is misconfigured or if the user navigates directly to a page (e.g. by clicking a link in an email).

When constructing menu links, Vinyl will analyze each link to determine if the user has access to the target page. If the user has access to the page, the link will appear in the menu. Otherwise, the link will be hidden.

Similarly, when rendering a page, Vinyl will analyze each page link to determine if the user has access to the target page. If the user has access, the page will render as designed. If the user does not have access to the target page, Vinyl will modify the page accordingly:

  • The grid panel's link icon (Chevron or Popup) is hidden. In addition, the double-click action is disabled.
  • Grid panel columns defined by controls that are not data-bound (e.g. Buttons) will be hidden.
  • Controls within grid or form panels that are data-bound (e.g. Text, List) are rendered un-clickable.

Page Controls

When rendering a page, Vinyl will hide or disable page elements based on the user's access rights to the underlying data objects. This includes:

Insert:
  • The grid panel's Add button will be hidden.

Update:
  • The grid panel's Edit icons (Pencil) will be hidden.
  • The form-row panel's Edit button will be hidden.
  • Grid panel columns defined by controls that are not data-bound (e.g. Buttons) will be hidden.
  • Controls within a form panel that are not data-bound (e.g. Buttons) will be hidden.
  • Controls within grid or form panels that are data-bound (e.g. Text, List) are rendered un-clickable.

Delete:
  • The grid panel's Delete icons (Trash) will be hidden.
  • The form panel's Delete button will be hidden.