Multi-group Support: security profile extensions

Note: See User / Groups for details about how EMu specifies user permissions and how to assign users to more than one group.

The EMu server security profiles have been extended to provide support for multiple groups per user. The profiles are maintained in XML format in a file named security in the database directory. Two new attributes have been added to the <user> tag to provide support for multiple groups:

  • level

    The level attribute is a label for the user profile. Changing the level value for a given user selects a different set of security settings. For EMu databases the group name is used as the label value. To switch between groups, the EMu client sets the level value to match the group of the module that has focus, that is, the module the user is currently interacting with.

  • default

    A value of "yes" indicates that this set of security settings is to be used when the client has not set a level value. When the EMu client first connects, no level has been set, as the EMu Registry has not yet been consulted (a chicken and egg problem). Once the Registry has verified the login group, the level is set to the supplied value.

A user security profile is created for each group that a user is registered to use (via the User|user|Group Registry entry). If user badenov has the following Registry entry:

Key 1: User
Key 2: badenov
Key 3: Group
Value: Curatorial;Loans Officer

the following XML security segments are generated:

<user name="badenov" level="Curatorial" default="yes">
 ... 
</user>
<user name="badenov" level="Loans Officer">
 ...
</user>

The security profiles are built by the emusecurity command. This server-side command consults the EMu Registry and builds suitable security profiles for all modules, for all users, for each group a user is in. The command is invoked automatically whenever a User|user|Group Registry entry is created, modified or deleted. emusecurity sets the default attribute to "yes" on the profile for the first group listed for each user.

The security level is set via the seclevel database option. The value of the option is the security level to use. If the option has not been set, or its value is empty, the security profile carrying default="yes" is used. For example, to load data into the parties module using group Curatorial, the following commands could be used:

epartiesopts=seclevel=Curatorial
export epartiesopts
texload ....

When using TexAPI, the seclevel is set via the TexOptionSet() call. For example, to change the security level to use group Curatorial for all EMu tables, the following call could be used:

TexOptionSet(session, NULL, "seclevel", "Curatorial");

For Perl-based scripts, the OptionSet() call is used to alter the security level. For example, to change the security level to use group Curatorial for all EMu tables, the following call could be used:

$session->OptionSet("", "seclevel", "Curatorial");

The seclevel option may be set on a per-database basis (the <table>opts environment variable, as in the epartiesopts example above) or on a system-wide basis (a NULL or empty table argument to TexOptionSet() or OptionSet(), as in the examples above). A level named in seclevel must correspond to a group the user is registered for; otherwise there is no matching <user> profile for that level.
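The following Python is an added illustration of the two steps described above, the generation of one <user> segment per group (with default="yes" on the first group listed) and the selection of the profile that applies for a given seclevel. It is not EMu's own code and not the output of emusecurity. The <security> root element, the empty bodies of the <user> elements, and the choice to reject an unknown level rather than fall back to the default profile are assumptions of this example; the page does not state how the server handles that case.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the User|badenov|Group Registry value used on this page.
REGISTRY_GROUPS = {"badenov": "Curatorial;Loans Officer"}


def build_security_xml(registry_groups):
    """Emit one <user> element per group, the way the page describes emusecurity
    doing it: 'level' carries the group name and the first group listed gets
    default="yes". The <security> root and the empty element bodies are
    assumptions of this example (the real file's per-module settings between
    the <user> tags are not shown on the page)."""
    root = ET.Element("security")
    for name, value in registry_groups.items():
        groups = [g.strip() for g in value.split(";") if g.strip()]
        for index, group in enumerate(groups):
            user = ET.SubElement(root, "user", name=name, level=group)
            if index == 0:
                user.set("default", "yes")
    return ET.tostring(root, encoding="unicode")


def select_profile(security_xml, user, seclevel=None):
    """Return the <user> element whose settings apply for this session.

    An unset or empty seclevel selects the profile marked default="yes", as
    the page states. A seclevel that names a group the user is not registered
    for raises LookupError instead of silently falling back to the default
    profile; that refusal is an assumption of this example, chosen because a
    permissions lookup should fail closed rather than pick another group."""
    root = ET.fromstring(security_xml)
    profiles = [u for u in root.findall("user") if u.get("name") == user]
    if not profiles:
        raise LookupError(f"no security profile for user {user!r}")
    if not seclevel:
        defaults = [u for u in profiles if u.get("default") == "yes"]
        if len(defaults) != 1:
            raise LookupError(
                f"expected exactly one default profile for {user!r}, found {len(defaults)}"
            )
        return defaults[0]
    for profile in profiles:
        if profile.get("level") == seclevel:
            return profile
    raise LookupError(f"user {user!r} is not registered for group {seclevel!r}")


if __name__ == "__main__":
    xml_text = build_security_xml(REGISTRY_GROUPS)
    print(xml_text)
    # No seclevel: the first group listed (Curatorial) applies.
    print(select_profile(xml_text, "badenov").get("level"))
    # seclevel=Loans Officer: the second profile applies.
    print(select_profile(xml_text, "badenov", "Loans Officer").get("level"))
```

The selection logic mirrors what the page describes for the seclevel option: empty or unset means the default profile, and a named level means the profile generated for that group.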