Tips & Tricks - Permission-based data access
This workshops shows you how data records can be shown based on permissions. Sound Intrexx and SQL skills are a requirement. Make sure the expert options have been activated so that all of the dialogs explained in this example are available. For errors caused by incorrect implementation, INTREXX GmbH does not provide support and assumes no liability.
A common method to implement access authorization for individual records is to add an text data field to the data group, which contain the records that access should be restricted to, and to then assign user objects to this field using a distribution control. In a view table within an application, a filter is then be defined, which compares the currently logged-in user with the user objects saved in the text data field and checks whether this user is allowed to read the record. This type of filtering achieves the desired result for this use case, but it is not recommended in terms of performance. Especially in portals with a large number of users and groups, this may lead to very long loading times among others. Performance can be improved by carrying out a comparison with values in child data groups. In this cause, authorized user objects are saved in a child data group and assigned via a foreign key filter with a subselect.
The multiple selection element can be used on any edit page in the data group that access permissions should be defined for. Select the option "Users and groups" on the Data source tab in the properties of the element.
On the Save options tab, select the option "Data group". By clicking on "Create new child data group", a new subordinate data group will be created. This data group is automatically named "Values of distribution list control". Three data fields are also created automatically:
-
PK – primary key: The unique key of the new data group.
-
FK – Foreign key: Corresponds to the primary key of the parent data record for which a permission is to be stored.
-
Distributor – Saved value: The respective user object selected by the user in the Users and Groups selection in the browser is stored in this data field. If multiple objects are selected, a corresponding number of records is saved in the child data group.
Now, the filter XML of the desired view table needs to be modified.
Switch to the page that contains the table to be filtered and open the properties of the table. On the "Data" tab, click on "Filter" and then on "Edit filter in expert mode".
<filter guid="EFC6F080E119E0D3AD5B8C9E0458EDE8054AFA0A">
<exp op="" type="in">
<arg content="GUID_1" type="fieldguid"/>
<arg type="statement">
<select content="GUID_2" type="tableguid">
<field content="GUID_3" type="fieldguid"/>
<conc op="and">
<exp op="" type="in">
<arg content="GUID_4" type="fieldguid"/>
<arg content="orgstruct" type="userattribute"/>
</exp>
</conc>
</select>
</arg>
</exp>
</filter>
When you open the editor, a <filter> element is already defined. Keep it and remove the close symbol / at the end of the element. The insert the remaining script above without the first line. Replace the following values:
-
GUID_1: GUID of the primary key data field of the parent data group
-
GUID_2: GUID of the child data group "Values of distribution list control"
-
GUID_3: GUID of the foreign key data field of the child data group
-
GUID_4: GUID of the data field "Distribution list" of the child data group
After saving the application, you can test the application in the browser by creating different records with different users and then logging in to the portal accordingly.