Group Column Privilege

Group Column Privilege defines the read and write privileges that users in a netFORUM Group get on a particular Column. These privileges are defaulted/initialized by the Populate Group Privileges process. After that, an administrative user in iWeb with the proper privileges may define these privileges with more granularity.

Group Column Privileges can only be used to scale back Group Table Privileges. Put another way, Group Column Privileges cannot grant more access than what is defined in Group Table Privileges. For example, Group Table Privileges may define the select privileges as Grant for the co_individual table. Generally, all the Group Column Privileges for that Group and the Columns in that Table will also have select privileges defined as Grant. You may, however, restrict the rights on a column-by-column basis. For example, you might change the update rights on ind_dob to Deny but keep the select rights as Grant. Doing so makes this column read-only (you can select it but not update it). For ind_ssn you might set both the select and update privileges to Deny; this in essence makes that column invisible -- you cannot select it and you cannot update it.

The Undefined setting will neither grant nor deny permissions on a particular column. If the user belongs to another Group that does have grant permissions on the column, then the user will have that privilege on the column, unless the user is in another Group that has deny on the column.

Suppose a particular Group does not even have select rights on a table -- let's say these are left as Undefined. In this case, even if you make certain columns in this table have select rights, it will not matter -- if the user does not have select at the overall table level, then there is nothing you can do at the column level to overcome this restriction.
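
The rules above can be modeled as a small resolver. This is an added example, not netFORUM code: the group names and example_col are constructed, and it assumes table privileges combine across a user's groups the same way the text describes for columns (any Deny wins, otherwise any Grant).

```python
from enum import Enum

class Priv(Enum):
    GRANT = "Grant"
    DENY = "Deny"
    UNDEF = "UnDef"

G, D, U = Priv.GRANT, Priv.DENY, Priv.UNDEF

# Constructed sample data. Group names and "example_col" are hypothetical;
# co_individual, ind_dob and ind_ssn are the names used in the text above.
TABLE_PRIVS = {  # (group, table) -> {operation: Priv}
    ("Staff", "co_individual"): {"select": G, "update": G},
    ("HR", "co_individual"): {"select": G, "update": U},
}
COLUMN_PRIVS = {  # (group, table, column) -> {operation: Priv}
    ("Staff", "co_individual", "ind_dob"): {"select": G, "update": D},
    ("Staff", "co_individual", "ind_ssn"): {"select": D, "update": D},
    ("Staff", "co_individual", "example_col"): {"select": U, "update": U},
    ("HR", "co_individual", "ind_ssn"): {"select": G, "update": U},
    ("HR", "co_individual", "example_col"): {"select": G, "update": U},
    ("Guest", "co_individual", "ind_dob"): {"select": G, "update": U},
}

def resolve(settings):
    """Combine one privilege across groups: any Deny wins, then any Grant."""
    settings = list(settings)
    if D in settings:
        return D
    return G if G in settings else U

def can_access(groups, table, column, op):
    """True if a user in `groups` may perform op ('select' or 'update')."""
    # Assumption: table privileges combine across groups like column ones.
    table_level = resolve(
        TABLE_PRIVS.get((g, table), {}).get(op, U) for g in groups)
    if table_level is not G:
        return False  # columns cannot grant back what the table lacks
    column_level = resolve(
        COLUMN_PRIVS.get((g, table, column), {}).get(op, U) for g in groups)
    return column_level is G  # Undefined in every group means no access

if __name__ == "__main__":
    for groups in (["Staff"], ["HR"], ["Staff", "HR"], ["Guest"]):
        for col in ("ind_dob", "ind_ssn", "example_col"):
            sel = can_access(groups, "co_individual", col, "select")
            upd = can_access(groups, "co_individual", col, "update")
            print(groups, col, "select" if sel else "-", "update" if upd else "-")
```

The Guest group shows the last rule: its column-level Grant on ind_dob has no effect because Guest has no Grant at the table level.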

Uses

See Populate Group Privileges for the impact of this table on a user's security.

Controls

  • Group fw_group_column_privilege.gtp_grp_code - The security Group
  • Table fw_group_column_privilege.gtp_mdt_name - The Table
  • Column fw_group_column_privilege.gtp_mdt_name - The Column
  • Select fw_group_column_privilege.gtp_select - Permission level: Grant, Deny or UnDef (undefined)
  • Update fw_group_column_privilege.gtp_update - Permission level: Grant, Deny or UnDef (undefined)

Note: For more information about each of these columns, search Fw group column privilege on the Wiki.

FAQ

Q. I'm confused about the conjunction of Group Column Privileges with Group Table Privileges. If the Table has Deny, but the Columns are Grant, do the Columns need to be updated to also be Deny?

A. No. If the Table is Deny, then the Columns cannot "grant back" what the Table has taken away. Column Privileges can only restrict what is in the Table Privileges. See Populate Group Privileges for more.

Q. If the Table is Grant but the Column is Undefined, can the user perform the operation on the Column?

A. No. The user must belong to at least one Group that has Grant permissions on the column, as well as Grant permissions on the Table via Group Table Privileges.

See Also

  • DisableFieldLevelSecurity system option to disable this feature if you do not intend to use it. For more information on this system option, search DisableFieldLevelSecurity on the Wiki.