Security setup
Levels of Security
There are two different levels where security can be applied in netFORUM; the Link level, and the table / column level.
Link Security
Link security is the simplest way of restricting access in netFORUM. It controls where the user is able to navigate to in netFORUM by making links available or unavailable. For example, some users may be able to see the Accounting tab, while others cannot. Some users may be able to see a link to the invoice profile, while others cannot. The key thing to know about this type of security is that it is not absolute; while you may restrict the Accounting tab from a particular security group, the multiple ways to drill down into your data in netFORUM create possible 'backdoors' into the module. In essence, there are many ways to get to any given point in netFORUM. In order to completely prevent access to a given point, you must restrict all of the paths that lead to that point.
Table/Column Security
Security on the database table/column level is a much more absolute way of setting security. This level of security is modeled after SQL Server's database table/column security, in which groups have explicit permissions on a table to insert a row, select a row, delete a row, or update a row. Additionally, groups can have granular permissions on specific columns within a table. Using this level of security, access to areas of the database may be restricted more precisely.
Please note, however, that the table/column level of security is much more intensive to set up than link security. netFORUM has more than 500 tables (excluding Extender Tables) - if you want to implement this level of security in all of your groups, you must do considerable research to determine which database tables correspond to which functional areas and netFORUM forms. For this reason, for most netFORUM installations, we recommend issuing 'Grant' permissions on all tables to all groups, and then restricting access through Group/Item/Link security. With this security configuration, all groups will have rights to manage any data, but they will be effectively prevented from doing so by the inability to navigate to the forms that allow a user to manage the data.
That being said, you may wish to use table/column security to create a 'read only' level of security, or to hide a single field on a form.
How Much Security is Needed?
This is a question that we can't answer for you — you have to decide for yourself. Baseline netFORUM comes with a few security groups already created; you can use these and simply modify them to your needs — or you can start from scratch. If you intend to implement significant table/column level security, it's generally easier to start from scratch.
Managing Security Groups
In general, the easiest way to implement multiple levels of security is to start with the lowest level first and then build upon that using the copy feature. Before you begin, you must consider exactly what security groups you intend to implement. Remember that the security groups stack (or are additive) in the sense that if a user is a member of multiple groups, then they will be eligible for the highest security levels of any of their groups. There is one exception to this - any 'Deny' permissions on permission within a table or a column will override any 'Grant' permissions. The next section of this document will guide you through the steps of creating multiple levels of security groups from scratch — starting with a read only access group.
Creating Security Groups from Scratch — Step 1 — Adding a New Group
As mentioned previously, the first thing you need to do is determine what groups you are going to create. For our example, we are going to create five security groups:
- Read Only
- CRM
- Committees
- Events,
- SSN Deny
Please note: in order to complete the exercises described in the remainder of this document, you must be in the netFORUM Admin security group or otherwise have access to the Admin and Toolkit content group tabs.
The first group we're going to create is the read only security group. To create a new security group, go to the Admin tab, and then click the 'Group' link.
This will bring you to a list of all of the current security groups in netFORUM. Please note: you should not delete any of the security groups which are listed below. Click the 'add group' link.
Enter the name of the security group and a short description, then click the 'Save' button. NOTE: The security group should be one word and not contain spaces.
Populate Group Privileges
Next, run the Populate Group Privileges process, accessed from the link on the Admin overview page.
For the read only group we are creating now, choose 'grant' for the two select privileges, and 'undefined' for all other privileges. This will allow the user to look at everything, but not make any changes, additions or deletions. Click the Continue button once you have made your selections. The process will run, and you will be prompted to close the window once it has completed.