Restricting user and role access to database operations - HxGN SDx - Update 64 - Administration & Configuration

Administration and Configuration of HxGN SDx

Language: English
Product: HxGN SDx
Category: Administration & Configuration
SmartPlant Foundation / SDx Version: 10

You can restrict specific user or role access to create, read, update, and delete database operations by configuring the access from class definitions to access groups. You control the access using properties on the interface definitions found on the SPFClassDefAccessGroup and the SPFRelDefAccessGroup relationship definitions for the access group. The property values selected are displayed when you manage access groups.

For example, the image shows that User 1 and User 2 have read-only access to Class Definition 1 through Access Group 1, but User 2 has read and modify access to Class Definition 2 through Access Group 2.

When you manage access groups for a user or role in the Manage Access Group dialog box, you can view the create, read, update, and delete properties that have access configured for each access group.

SPFClassDefAccessGroup relationship definition

You can grant access to the read, modify (create and update), and delete operations for the SPFClassDefAccessGroup relationship definition by setting the enumeration property in the ISPFClassDefAccessGroup interface definition.

| Interface Definition | Property Definitions | Scoped By |
|---|---|---|
| ISPFClassDefAccessGroup | SPFClassAPIRead | Enum |
| | SPFClassAPIModify (create and update) | Enum |
| | SPFClassAPIDelete | Enum |

For example, the image below shows the Manage Access Groups dialog box for the access groups for the SPFLoginUser class definition:

  • APIRead - Each access group has read-only access as no property has been set.

  • APIModify - Only WorkflowAdmin has access granted to modify.

  • APIDelete - Only FDWDocumentControl and SystemAdmin have access granted to delete.

If a property is left blank, such as for APIRead, the operation is available to each access group as no relationship is set between the class definition and the access group. However, if an access group is granted access to an operation, such as WorkflowAdmin with APIModify, the other access groups do not have access to that operation without a grant.
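The rule above (a blank property leaves the operation open to every access group, while a single grant closes it to all groups without one) can be checked with a small model. This is an added example, not SDx code: the dictionary layout and function names are assumptions, and the data is constructed from the SPFLoginUser example using only the access groups the text names.

```python
# Added illustration of the grant rule described above; not SDx code.
# The dict layout and function names are assumptions made for this sketch.
OPERATIONS = ("SPFClassAPIRead", "SPFClassAPIModify", "SPFClassAPIDelete")

# Constructed from the SPFLoginUser example above (only the groups the text names).
ACCESS_GROUPS = ("WorkflowAdmin", "FDWDocumentControl", "SystemAdmin")
GRANTS = {
    "SPFClassAPIRead": set(),  # property left blank on every access group
    "SPFClassAPIModify": {"WorkflowAdmin"},
    "SPFClassAPIDelete": {"FDWDocumentControl", "SystemAdmin"},
}


def effective_access(access_groups, grants):
    """Map each operation to the access groups that can perform it."""
    groups = set(access_groups)
    result = {}
    for op in OPERATIONS:
        granted = set(grants.get(op, ()))
        if granted - groups:
            raise ValueError(f"{op}: grant on unknown group {sorted(granted - groups)}")
        # Blank property: open to every group. Any grant: only the granted groups.
        result[op] = granted or groups
    return result


def is_allowed(member_of, operation, access_groups=ACCESS_GROUPS, grants=GRANTS):
    """True if any access group the user or role belongs to can perform the operation."""
    return bool(set(member_of) & effective_access(access_groups, grants)[operation])


def unrestricted_operations(access_groups, grants):
    """Operations with no grant at all, which every access group can perform."""
    return [op for op in OPERATIONS if not grants.get(op)]


if __name__ == "__main__":
    for op, groups in effective_access(ACCESS_GROUPS, GRANTS).items():
        print(f"{op}: {sorted(groups)}")
    print("Open to all groups:", unrestricted_operations(ACCESS_GROUPS, GRANTS))
```

Listing the unrestricted operations is a quick way to review which operations on a class definition have been left open to every access group.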

SPFRelDefAccessGroup relationship definition

For the SPFRelDefAccessGroup relationship definition, you can grant access to the create and delete operations only. You do this by setting the enumeration property in the ISPFRelDefAccessGroup interface definition.

| Interface Definition | Property Definition | Scoped By |
|---|---|---|
| ISPFRelDefAccessGroup | SPFRelAPICreate | Enum |
| | SPFRelAPIDelete | Enum |

For example, the image below shows the Manage Access Groups dialog box for the SPFLoginUserDefaultRole relationship definition.

  • SystemAdmin - Has access granted to create and delete.

  • FDWDocumentControl - Only has access granted to create and delete because the Drop12 and Drop21 properties (which control create) and the Ter property (which allows a user to terminate relationships) are set to True, which overrides any security access property setting.

  • SDAWorkflow - Has no access to create and delete. The column is blank as the ISPFRelDefAccessGroup interface definition properties have not been set between the relationship definition and the SDAWorkflow access group.