Access Level

Broadly speaking, the access level determines which business objects, attributes, processes, queries, documents and services are accessible to a user that belongs to this access level. First of all we need to explain what “the user belonging to a particular access level” means.

In an application created with Aware IM, just like in many other applications, anyone wishing to use the application has to log in, i.e. provide credentials that identify the user to the application (see Login). In Aware IM anyone using the application must be represented by an instance of a business object. During login Aware IM tries to find the instance of this business object whose attribute values match the provided credentials. Therefore the configurator has to define a business object representing a user, and the system administrator has to create an instance of this object with the appropriate credentials before the person represented by this instance can start using the application (some applications may allow users to self-register, i.e. the users themselves create their own instances).

A business object representing the user must be a member of the predefined SystemUsers business object group. Aware IM always creates the default member of this group called RegularUser. Configurators can use this object to represent users of the system and/or define other objects (provided that they add them as members to the SystemUsers group). This group mandates that the following attributes be declared in all its members (if these attributes are not defined they are automatically added to any object when it is added to the SystemUsers group):

  • LoginName
  • Password
  • AccessLevel

The first two attributes represent user credentials whereas the third attribute represents the access level. When a user logs in, Aware IM finds the instance of the object that matches the provided credentials and checks the value of the AccessLevel attribute of this instance. This value is the name of the access level that is assigned to the logged-in user (every access level has a unique name). Once the access level has been assigned, access to business objects, their attributes, processes and queries is determined by this access level.

The value of the AccessLevel attribute can be set either explicitly by the system administrator when she creates instances of the business object representing users or automatically by rules attached to this business object (for example, if the user represents an organization the access level may be set depending on the name of the organization).

Configuration of access levels is described in detail in the Adding/Editing Access Levels section.

After the access level has been assigned to the user, Aware IM enforces the appropriate protection. If a certain configuration element (for example, a business object) has been defined as “not available” by the access level, Aware IM removes the element from all lists and menus of the application. If an attribute has been defined as “not available”, Aware IM removes it from all auto-generated forms and its value is not returned by any query (even if the query is defined to display it) or by any document (even if the document has a tag referring to the attribute). If an attribute has been defined as “read only”, Aware IM makes sure that the attribute cannot be edited.

There are two access levels that Aware IM always creates for any configuration: the “Administrator” access level and the “Guest” access level. The Administrator access level by default implies no access restrictions whatsoever; all elements are accessible to the administrator. The default business object representing a user, RegularUser, is assigned the Administrator access level. Aware IM always creates one instance of the RegularUser object to represent the system administrator. The default values for the predefined attributes of this instance are:

  Attribute      Value
  LoginName      admin
  Password       password
  AccessLevel    Administrator

System administrators may use the default credentials to log into the application initially and create instances of other users (as well as change their own passwords).

Unlike the Administrator access level, the Guest access level is heavily restricted. This access level is assigned to users who may access the application without having to log in (see Guest Entry). Naturally, no elements are accessible by default to such users except services.

The default settings for the Administrator and Guest access levels can be changed but the access levels cannot be deleted.

Access levels protect configuration elements, such as business objects, processes, etc., unconditionally, i.e. under any circumstances. If it is necessary to protect business objects or their attributes based on certain conditions, business rules invoking the PROTECT or READ PROTECT actions should be used instead of the access level.

For example, in a banking system it may be necessary to protect a transaction once its state has been set to ‘APPLIED’. The following rule will not allow anyone to change any of the transaction’s attributes in this state:

IF Transaction.State='APPLIED' THEN 
   PROTECT Transaction FROM ALL 

The following rule disallows changes to anyone but the administrator:

IF Transaction.State='APPLIED' THEN 
   PROTECT Transaction FROM ALL EXCEPT Administrator 
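To make the two protection mechanisms concrete, here is an added Python model (not Aware IM's own code) of how an access level is resolved at login, how “not available” and “read only” attributes are enforced, and how the conditional PROTECT rule above layers on top of the unconditional access level. The Teller access level, the Transaction attributes Amount, State and InternalNote, and all instance data are constructed for this example.

```python
import hmac

# Constructed instances of a SystemUsers member (RegularUser) carrying the
# three mandatory attributes: LoginName, Password and AccessLevel.
USERS = [
    {"LoginName": "admin", "Password": "password", "AccessLevel": "Administrator"},
    {"LoginName": "teller", "Password": "t3ller", "AccessLevel": "Teller"},
]

# Constructed access-level definitions: per business object, which attributes
# are "not available" or "read only". Administrator has no restrictions;
# Guest sees nothing of the object at all.
ACCESS_LEVELS = {
    "Administrator": {},
    "Teller": {"Transaction": {"not_available": {"InternalNote"},
                               "read_only": {"Amount"}}},
    "Guest": {"Transaction": {"not_available": {"Amount", "State", "InternalNote"}}},
}

def resolve_access_level(login_name, password):
    """Login step: find the SystemUsers instance matching the credentials and
    return its AccessLevel value, or None when no instance matches."""
    for user in USERS:
        # Constant-time comparison so the check does not leak via timing.
        if user["LoginName"] == login_name and hmac.compare_digest(
                user["Password"], password):
            return user["AccessLevel"]
    return None

def query_result(level, obj_name, instance):
    """Attributes marked 'not available' for this level are dropped from any
    query or document output, regardless of what the query asks for."""
    hidden = ACCESS_LEVELS[level].get(obj_name, {}).get("not_available", set())
    return {k: v for k, v in instance.items() if k not in hidden}

def protect_rule_applies(level, instance):
    """The conditional rule from the page:
    IF Transaction.State='APPLIED' THEN PROTECT Transaction FROM ALL EXCEPT Administrator"""
    return instance.get("State") == "APPLIED" and level != "Administrator"

def can_edit(level, obj_name, instance, attr):
    """An edit is refused when the attribute is 'not available' or 'read only'
    for the level (unconditional), or when the PROTECT rule currently applies
    to this instance (conditional)."""
    rules = ACCESS_LEVELS[level].get(obj_name, {})
    if attr in rules.get("not_available", set()) or attr in rules.get("read_only", set()):
        return False
    return not protect_rule_applies(level, instance)
```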

  • Last modified: 2022/09/13 18:15