Heurist's security model for database access allows you to manage groups and users and their access permissions in a controlled and centralised manner.

When a user logs in to Heurist they are identified as a Member or Administrator of one or more Groups:

  • Group 0: All Users
  • Group 1: Database Owners Group
  • Group 2+: Workgroups

User rights depend on the access control table referenced by the Heurist database they log in to. Many Heurist databases will use the central control table in hdb_HeuristSystem, in which case this central control table determines the groups a user belongs to and what roles they have in each (Administrator or Member). (See Permissions by Role/Group below.)

Other Heurist databases may defer to the access control table in another Heurist database. For example, the students in a class might create databases that get their login information from the control table in a shared class database, in which case the rights extend across all the databases created by other students (allowing students to log in to one another's databases, although not necessarily to see any information, depending on how the data is locked to groups).

Permissions by Role/Group

The following describes each group and the permissions for each role by group.

Description

  Group 0: All Users

  A notional group consisting of all activated Heurist users in the control table (and by extension everyone who might have access to a Heurist database that references that control table).

  Group 1: Database Owners Group

  The Database Owners Group is created by default for all new databases. The database creator is given the unique role of Owner. A database can have only one Owner.

  As well as having administration rights over this group, Administrators in this group are DBAdmins ('SuperUsers') for any database that uses a particular control table and therefore have DBAdmin rights over Group 0 and all other workgroups.

  Group 2+: Workgroups

  Any number of additional workgroups can be created. The first of these has ID 2 and subsequent groups have ID 3+.

  A workgroup is any other set of users (e.g. department, research unit, project group, discipline group etc.) who need to share resources. In order to share the ability to edit records, you and your colleagues must be members of the same workgroup.

  You become a member of a workgroup if you create a new workgroup or if you are added as a member of the workgroup (by an Administrator of the workgroup).

  The person creating a workgroup becomes an Admin of that workgroup and cannot be removed from it.

Logged In User

  Group 0: All Users

  • Edit records which do not belong to a specific workgroup (the normal default for new records).
  • View data in workgroup-owned records that are marked as viewable outside the workgroup (the normal default for new records).
  • Bookmark visible records and create personal data such as tags, comments, reminders and notes, as well as saved searches and publication output.
  • Create a database.
  • Create a workgroup.
  • Run some database administration utilities.
  • Export database definitions.

Owner

  Group 1: Database Owners Group

  • Register group.

Administrator

  Group 1: Database Owners Group

  • Add/edit/delete records and field definitions.
  • Clone, clear and delete the database.
  • Run all database administration utilities.
  • Carry out any tasks that the Administrators of individual groups can do (whether or not they are a member of that group). For example:
    • Add, edit and view records specific to any group.
    • Allocate users to any group (as Administrators or members).
    • Change record Ownership to any workgroup.

  Group 2+: Workgroups

  • Add or remove members from that workgroup.
  • Define or remove group tags.
  • Carry out other tasks (if any) specific to the group.

Member

  Group 1: Database Owners Group

  Being a member of the Database Owners Group confers no special rights; members have the same rights as members of any other group.

  Group 2+: Workgroups

  • Make, edit and view all records owned by the workgroup.
  • Change workgroup Ownership of a record to another workgroup of which they are a member.
  • Find, add and delete workgroup tags to/from records.
  • Log into a database that has been restricted to a workgroup of which they are a member.
  • Enter records in the workgroup blog.
  • Manage Workgroups, such as viewing details for other members of the workgroup, but not adding or removing members.

Non Logged-In User

The Heurist publication mechanism, designed for rendering Heurist data within public websites, bypasses the need to log in to view certain types of data. To be rendered in published output, the data must not be marked as belonging to a particular workgroup and/or must be marked as viewable outside the workgroup which owns the record. Personal data created by a logged-in user is never viewable through this mechanism, and it does not allow any modification whatsoever of the database.
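The visibility and editing rules above, written out as a small reference model. This is an added illustration, not Heurist's own code: the group ids, the User and Record fields and the three check functions are assumptions chosen to mirror the page's rules (anonymous viewers are represented by user None).

```python
from dataclasses import dataclass, field
from typing import Optional

DB_OWNERS = 1  # Group 1: Database Owners Group (id as numbered on the page)

@dataclass
class User:
    name: str
    admin_of: set = field(default_factory=set)   # group ids where user is Administrator
    member_of: set = field(default_factory=set)  # group ids where user is Member

@dataclass
class Record:
    owner_group: Optional[int]   # None = not owned by a workgroup (default for new records)
    public_view: bool = True     # "viewable outside the workgroup" (default for new records)
    personal_owner: Optional[str] = None  # personal data (tags, notes...) created by one user

def is_dbadmin(user: User) -> bool:
    # Administrators of the Database Owners Group are DBAdmins over every group
    return DB_OWNERS in user.admin_of

def in_group(user: User, gid: int) -> bool:
    return gid in user.member_of or gid in user.admin_of

def can_view(user: Optional[User], rec: Record) -> bool:
    if rec.personal_owner is not None:
        # never exposed via publication; assumed visible only to its creator
        return user is not None and user.name == rec.personal_owner
    if rec.owner_group is None or rec.public_view:
        return True  # ungrouped or outside-viewable: public, including published output
    if user is None:
        return False
    return is_dbadmin(user) or in_group(user, rec.owner_group)

def can_edit(user: Optional[User], rec: Record) -> bool:
    if user is None:
        return False  # the publication mechanism allows no modification at all
    if rec.personal_owner is not None:
        return user.name == rec.personal_owner
    if rec.owner_group is None:
        return True   # any logged-in user may edit records not owned by a workgroup
    return is_dbadmin(user) or in_group(user, rec.owner_group)

def can_change_owner(user: Optional[User], rec: Record, new_group: int) -> bool:
    # DBAdmins may move a record to any workgroup; others only to one they belong to
    if user is None or not can_edit(user, rec):
        return False
    return is_dbadmin(user) or in_group(user, new_group)
```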
