Planning an Authorization System
Before going into the details of where rights can be specified, this document lists some basic points about assigning rights.
The following tips help you set up your own authorization system:
- Start developing the structure of your authorization system immediately after installation and before creating the first objects.
- Write down the areas that your AE system is to administer. Because an AE system consists of individual clients that are isolated from each other, large areas should be administered in separate clients. Highly sensitive areas can thus be kept apart, with access granted only to particular users.
- Agent rights are also defined on client level. You can decide for which client an agent is assigned and in which client it can be used.
- Further sub-areas can be defined within a client. Because rights are assigned by object name, a consistent naming convention is essential: it simplifies administration and minimizes the risk of accidentally granting too many rights.
- A naming convention can be based on the processes that AE is to execute. Names can include areas, computer names, operating systems or company-internal terms. For example, administrative rights can be restricted to objects whose names start with "ADMIN".
- Users play a crucial role in an authorization system. They should be administered via user groups, as this saves time, is easier to understand and significantly increases the security of your AE system. The authorizations that can be assigned to users take the form of rights for objects and rights for functions (e.g. access to the Transport Case).
- Folders are objects, so rights can be assigned to them. However, rights on a folder do not prevent access to the objects stored in it. A user who is not allowed to access a particular folder can still access an object in that folder (e.g. if it is used in a workflow; the "Edit" command is available from almost anywhere, hence also in workflows). Objects that particular users should not be able to access must therefore be protected themselves.
- Assign rights exclusively by object name and object type.
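The name-based right assignment and the folder caveat described in the list above, as an added example that is not part of this documentation or of AE itself: a small Python model in which rights hang on user groups and match objects by type and name pattern only, so a folder right neither grants nor withholds access to the objects inside the folder. All group names, user names, object names, the object type labels (JOBS, JOBP, FOLD) and the wildcard syntax are constructed for the example; AE's own right evaluation is not reproduced here. The `objects_granted` helper is an added audit step showing which existing names a pattern would reach before a right is assigned.

```python
# Toy model of name-based right assignment, added as an illustration of the
# planning tips above. It is NOT the AE authorization engine: object types,
# group names, object names and the pattern syntax are all constructed here.
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, Iterable, List, NamedTuple


class Right(NamedTuple):
    object_type: str         # "*" means any type (constructed convention)
    name_pattern: str        # wildcard on the object name, e.g. "ADMIN*"
    actions: FrozenSet[str]  # subset of {"R", "W", "X"}


# Rights hang on groups, never on individual users (constructed example data).
GROUP_RIGHTS: Dict[str, List[Right]] = {
    "OPERATORS": [
        Right("JOBS", "PROD.*", frozenset("RX")),
        Right("JOBP", "PROD.*", frozenset("RX")),
    ],
    "ADMINS": [
        Right("*", "ADMIN*", frozenset("RWX")),
    ],
    "HR": [
        Right("FOLD", "HR", frozenset("R")),
        Right("JOBS", "HR.*", frozenset("RX")),
    ],
    # A sloppy group: read right on every job, regardless of area.
    "READERS": [
        Right("JOBS", "*", frozenset("R")),
    ],
}

USER_GROUPS: Dict[str, List[str]] = {
    "alice": ["OPERATORS"],
    "bob": ["OPERATORS", "ADMINS"],
    "carol": ["HR"],
    "dave": ["READERS"],
}


def has_right(user: str, object_type: str, object_name: str, action: str) -> bool:
    """True if any group of the user carries a matching right.

    Matching is purely by object type and name pattern; the folder an object
    lives in plays no role, which is the caveat from the list above.
    """
    for group in USER_GROUPS.get(user, []):
        for right in GROUP_RIGHTS.get(group, []):
            type_ok = right.object_type in ("*", object_type)
            if type_ok and fnmatchcase(object_name, right.name_pattern) \
                    and action in right.actions:
                return True
    return False


def objects_granted(pattern: str, object_names: Iterable[str]) -> List[str]:
    """Audit helper: which existing objects would a name pattern reach?

    Run this before assigning a right so that a sloppy pattern does not
    quietly hand out more than intended.
    """
    return sorted(n for n in object_names if fnmatchcase(n, pattern))


# Constructed inventory of object names in one client.
INVENTORY = [
    "ADMIN.RESTART_AGENTS",
    "PROD.ADMIN_REPORT",
    "PROD.NIGHTLY_LOAD",
    "HR.PAYROLL",
]

if __name__ == "__main__":
    print(has_right("alice", "JOBS", "PROD.NIGHTLY_LOAD", "X"))     # True
    print(has_right("alice", "JOBS", "ADMIN.RESTART_AGENTS", "X"))  # False
    print(has_right("bob", "JOBP", "ADMIN.RESTART_AGENTS", "W"))    # True
    # Folder caveat: dave holds no right on folder HR ...
    print(has_right("dave", "FOLD", "HR", "R"))                     # False
    # ... yet his over-broad JOBS right still reaches the object stored there.
    print(has_right("dave", "JOBS", "HR.PAYROLL", "R"))             # True
    # Audit a pattern before assigning it: "*ADMIN*" also catches a PROD job.
    print(objects_granted("ADMIN*", INVENTORY))
    print(objects_granted("*ADMIN*", INVENTORY))
```

The last two calls show why the convention in the list matters: "ADMIN*" grants exactly the administrative objects, while "*ADMIN*" would also grant "PROD.ADMIN_REPORT", an object that merely has the word in its name. The protection for "HR.PAYROLL" has to come from the object right itself (here, by tightening the READERS pattern), not from the folder.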