Meta security


Description

Meta security configures the access rights to system objects. It comes in two kinds: static security and dynamic security.

Static security configures the access rights to system objects for a particular role.

Dynamic security configures the access rights to system objects for a particular user under certain conditions; group dynamic security does the same for a security group.

Dynamic security can be configured in deploy.json and in acl/resources-and-roles.yml. Static security is configured in the acl/resources-and-roles.yml file only.

How to form a resource identifier

  • navigation node - n:::namespace@code
  • class - c:::classname@namespace
  • object - i:::classname@namespace@id
  • attribute - a:::classname@namespace.propertyname
  • geometa:
    • navigation node: geonav:::code of the node@namespace
    • layer: geolayer:::code of the layer@namespace
    • data: geodata:::code of the layer@namespace@query index
  • paths (of modules):
    • portal module: sys:::url:portal/*
    • geomap module: sys:::url:geomap/*
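A parser for the identifier forms listed above, added here as an example (it is not IONDV's own code), useful for checking the resource column of acl/resources-and-roles.yml before deployment. It assumes that class names, namespaces, node codes and layer codes contain neither '@' nor '.', so the separators are unambiguous; everything else follows the forms on this page.

```javascript
// Added example, not IONDV's own code: parse the resource identifier forms
// n, c, i, a, geonav, geolayer, geodata and sys into typed objects.
// Assumption: class names, namespaces and codes contain no '@' or '.'.

const SEP = ':::';

// Split the part after ':::' on '@' and demand an exact, non-empty part count.
function splitBody(body, expected, id) {
  const parts = body.split('@');
  if (parts.length !== expected || parts.some((p) => p === '')) {
    throw new Error(`"${id}": expected ${expected} '@'-separated parts, got "${body}"`);
  }
  return parts;
}

function parseResourceId(id) {
  if (typeof id !== 'string') throw new Error('resource identifier must be a string');
  const at = id.indexOf(SEP);
  if (at < 0) throw new Error(`"${id}": missing "${SEP}" separator`);
  const prefix = id.slice(0, at);
  const body = id.slice(at + SEP.length);
  switch (prefix) {
    case 'n': {                                   // n:::namespace@code
      const [namespace, code] = splitBody(body, 2, id);
      return { type: 'navigation', namespace, code };
    }
    case 'c': {                                   // c:::classname@namespace
      const [className, namespace] = splitBody(body, 2, id);
      return { type: 'class', className, namespace };
    }
    case 'i': {                                   // i:::classname@namespace@id
      const [className, namespace, objectId] = splitBody(body, 3, id);
      return { type: 'object', className, namespace, id: objectId };
    }
    case 'a': {                                   // a:::classname@namespace.propertyname
      const [className, rest] = splitBody(body, 2, id);
      const dot = rest.indexOf('.');
      if (dot <= 0 || dot === rest.length - 1) {
        throw new Error(`"${id}": expected namespace.propertyname after '@'`);
      }
      return { type: 'attribute', className, namespace: rest.slice(0, dot), property: rest.slice(dot + 1) };
    }
    case 'geonav': {                              // geonav:::code of the node@namespace
      const [code, namespace] = splitBody(body, 2, id);
      return { type: 'geonav', code, namespace };
    }
    case 'geolayer': {                            // geolayer:::code of the layer@namespace
      const [code, namespace] = splitBody(body, 2, id);
      return { type: 'geolayer', code, namespace };
    }
    case 'geodata': {                             // geodata:::code of the layer@namespace@query index
      const [code, namespace, index] = splitBody(body, 3, id);
      if (!/^\d+$/.test(index)) throw new Error(`"${id}": query index must be a non-negative integer`);
      return { type: 'geodata', code, namespace, queryIndex: Number(index) };
    }
    case 'sys': {                                 // sys:::url:portal/*  or  sys:::url:geomap/*
      if (!body.startsWith('url:') || body.length === 'url:'.length) {
        throw new Error(`"${id}": expected url:<module path>`);
      }
      return { type: 'module-path', path: body.slice('url:'.length) };
    }
    default:
      throw new Error(`"${id}": unknown resource prefix "${prefix}"`);
  }
}

// Boolean wrapper for linting a list of identifiers.
function isValidResourceId(id) {
  try { parseResourceId(id); return true; } catch (e) { return false; }
}

// Constructed sample identifiers (hypothetical class "project" in namespace "pm").
const SAMPLE_IDS = ['c:::project@pm', 'a:::project@pm.name', 'i:::project@pm@42', 'sys:::url:portal/*'];
const SAMPLE_PARSED = SAMPLE_IDS.map(parseResourceId);
```

Note that the navigation-node form (n:::namespace@code) puts the namespace first while the class form (c:::classname@namespace) puts it last; the parser follows the page rather than normalising the two, so a typo such as c:::pm@project is accepted as a class named "pm" and only a check against the real meta would catch it.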

Types of rights

“Read”

read - the right to view information about the class objects. It grants read-only access to the class objects and prohibits creating or editing them.

“Write”

write - the right to edit the class objects. It grants permission to edit existing class objects and prohibits creating new ones.

“Use”

use - the right to create the class objects. It grants permission to create class objects and to use them in references and collections.

Without use, referenced objects are still displayed in collections; with read but without use, it is impossible to select an object and place it in a collection.

“Delete”

delete - is the right to delete the class objects.

“Full”

full - is the right of full access to the class objects.

If stakeholders.id of the project contains a value associated with the current user (the organization is pulled in when a global user role is set), the current user should be treated as PROJECT_BENEFITIAR and the rights to the pm:project resource should be checked; those rights are the rights to the project.

pm:project is a kind of virtual security resource. It abstracts the access settings away from the object being checked, so that different roles can be handled separately. Several resources can be specified for one class, and one resource for several classes.

If no resource is specified, the rights to the class object are checked. Such a role can then also be used as a static one, which means that static rights are issued dynamically.

When specifying sids, each nesting level of the value arrays switches the operation between AND and OR. At the first level, OR is applied.

  1. Register a user with full admin privileges - admin.
  2. As admin, in the registry's Security, Divisions section, set up a hierarchy of divisions (the division code is the security identifier).
  3. Register a user without admin privileges - user.
  4. As admin, in the Security, Divisions section create an Employee, specify user in its User attribute, and bind the employee to a subordinate division.
  5. Connect as user: there are no rights yet.
  6. Connect as admin and grant rights to arbitrary classes and navigation nodes to the roles corresponding to the topmost division.
  7. Connect as user: all objects of the division are now accessible.
  8. Check the rights in the same way throughout the division hierarchy.

Example of the configuration in deploy.json

How to display attributes and objects in accordance with the specified rights

The [Projects] class contains an attribute of the “Collection” type, [Events]. If there is no “read” right for the [Events] class, this attribute is not displayed on the view form of the [Projects] class.

If dynamic security is configured for the [Events] class, the attribute is displayed on the [Projects] form whether or not the user has read access to [Events], but the event objects themselves are displayed only if the user has rights to them.

NB: to display both the attribute and its objects, static and dynamic security must both be set for the class referenced by the attribute.

If there is a static “read-only” right for a class, the user sees all objects of that class regardless of the dynamic rights. A selection of objects is still performed: objects for which dynamic security is configured are displayed to the user according to its settings.
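The following block, added here as an example and not IONDV's own code, models the rules from the dynamic-security paragraphs (the alternating OR/AND evaluation of sids, a virtual resource such as pm:project standing in for the class, a role issued dynamically when an object condition holds) together with the display rules just described. The data shapes staticAcl, dynamicRules and user.roles/user.sids, the role names and the sample projects are assumptions made for this example; they are not the deploy.json or acl/resources-and-roles.yml syntax.

```javascript
// Added example, not IONDV's own code: an illustrative model of how static and
// dynamic security combine into a per-object access decision and into the
// visibility of a collection attribute on a form. All data shapes and names
// below are assumptions for this example, not the framework's configuration syntax.

// sids condition: a single sid, or nested arrays whose operator alternates with
// the nesting level: OR at the first level, AND at the second, OR at the third...
function matchSids(condition, userSids, depth = 0) {
  if (!Array.isArray(condition)) return userSids.has(condition);
  const orLevel = depth % 2 === 0;                 // depth 0 is the first level
  return orLevel
    ? condition.some((c) => matchSids(c, userSids, depth + 1))
    : condition.every((c) => matchSids(c, userSids, depth + 1));
}

// Static rights: the union of what the given roles hold on a resource identifier.
function staticRights(staticAcl, roles, resourceId) {
  const rights = new Set();
  for (const role of roles) {
    const granted = (staticAcl[role] && staticAcl[role][resourceId]) || [];
    for (const r of granted) rights.add(r);
  }
  return rights;
}

// "full" implies every other right.
function hasRight(rights, right) {
  return rights.has('full') || rights.has(right);
}

// A dynamic rule grants `role` on an object of `className` when the object
// condition holds and the user's sids satisfy `sids`. The rights granted are the
// static rights of that role on the rule's resource (a virtual resource such as
// pm:project) or, if no resource is given, on the class resource itself.
function dynamicRights(staticAcl, dynamicRules, user, className, obj) {
  const rights = new Set();
  for (const rule of dynamicRules) {
    if (rule.className !== className) continue;
    if (rule.sids && !matchSids(rule.sids, user.sids)) continue;
    if (!rule.condition(obj, user)) continue;
    const resource = rule.resource || `c:::${className}`;
    for (const r of staticRights(staticAcl, [rule.role], resource)) rights.add(r);
  }
  return rights;
}

// Effective rights on one object: static rights on its class plus dynamic rights.
// A static "read" therefore exposes every object regardless of the dynamic rules.
function objectRights(staticAcl, dynamicRules, user, className, obj) {
  const rights = staticRights(staticAcl, user.roles, `c:::${className}`);
  for (const r of dynamicRights(staticAcl, dynamicRules, user, className, obj)) rights.add(r);
  return rights;
}

// Collection attribute on a form: shown when the user has static read on the
// referenced class or dynamic security is configured for it; the objects in it
// are then filtered by the per-object read right.
function visibleCollection(staticAcl, dynamicRules, user, refClass, objects) {
  const hasDynamic = dynamicRules.some((rule) => rule.className === refClass);
  const classRead = hasRight(staticRights(staticAcl, user.roles, `c:::${refClass}`), 'read');
  if (!hasDynamic && !classRead) return { shown: false, objects: [] };
  const visible = objects.filter((o) =>
    hasRight(objectRights(staticAcl, dynamicRules, user, refClass, o), 'read'));
  return { shown: true, objects: visible };
}

// Constructed sample configuration and data (hypothetical names).
const staticAcl = {
  MANAGER: { 'c:::project@pm': ['read'] },
  PROJECT_BENEFITIAR: { 'pm:project': ['read', 'use'] },
};
const dynamicRules = [{
  className: 'project@pm',
  role: 'PROJECT_BENEFITIAR',
  resource: 'pm:project',
  sids: ['PROJECT_ADMIN', ['user', 'div:hq']],   // PROJECT_ADMIN OR (user AND div:hq)
  condition: (obj, user) => obj.stakeholders.some((s) => s.id === user.id),
}];
const projects = [
  { id: 'p1', stakeholders: [{ id: 'alice' }] },
  { id: 'p2', stakeholders: [{ id: 'bob' }] },
];
const alice = { id: 'alice', roles: ['user'], sids: new Set(['user', 'div:hq']) };
const bob = { id: 'bob', roles: ['MANAGER'], sids: new Set(['MANAGER', 'div:branch']) };
const carol = { id: 'carol', roles: ['user'], sids: new Set(['user']) };
```

With this data alice (a stakeholder in p1, sids satisfy the rule) sees the collection with p1 only; bob (static read on the class) sees both projects regardless of the dynamic rule; carol (no div:hq sid) sees the attribute because dynamic security is configured for the class, but no objects. For a class with neither static read nor a dynamic rule the attribute is not shown at all.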



Copyright (c) 2018 LLC “ION DV”.
All rights reserved.