If an object has protected operations (operations that only an authorized user may perform), the object also contains the "Permissions" tab. The tab contains the list of all permissions of the object; the list cannot be changed by the user and depends on the object type (e.g. the permission list of the PmaRoot object on the "Permissions" tab differs from the permission list of the PmaPanel object on the "Permissions
The Edit permissions button allows, for each permission, editing the list of authorized user groups for which the protected operation is allowed.
Because the permissions of objects are defined by a list of authorized user groups (and not by individual local or network users), local and network users can easily be added or removed: they are placed into the proper user groups and no change in the configuration of individual objects is needed. The change is made only centrally on the "Users" tab. The groups then have a logical meaning and are used only for the definition of permissions (e.g. $ADMIN
Overview of system users and user groups:
: system user group, represents any local or network user (whether logged in or not).
: system user group, represents any local user (whether logged in or not).
: system user group, represents any network user (whether logged in or not).
: system user group, represents the user group with administrator permissions.
: system user group, represents the user group with the permissions of a normal user.
: system user, represents a network user that is not logged in.
There are basically two ways a request to perform a protected operation can arise in the running application:
- the request arose locally: the list of user groups in the permission is walked through and compared with the local user who is currently logged in
- the request arose in the network: the list of user groups in the permission is walked through and compared with the network user stated in the network request for the operation
Validating the permissions of the logged-in user in order to execute the protected operation. The evaluation itself (over the PmUser object) follows these steps:
1) Determine whether the request for the operation arose locally or in the network.
2) Determine the identifier of the local or network user that raised the request. For a network user defined by both name/password and IP address there may be two identifiers.
3) Compare the user identifier with the user groups in the permission. The operation is allowed if the user is a member of at least one of the listed groups. If two identifiers are present, the comparison is performed for each of them and one successful result is sufficient for the operation to be executed.
Every comparison that searches for the user identifier in the list of authorized groups ends successfully as soon as a group is found of which the user is a member.
If the whole list is passed without finding the user, the search ends with failure and the operation is not allowed.
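The three evaluation steps above, written out as an added example; this is illustrative code, not the PmUser implementation of the product. It assumes a constructed user directory (the users, group names "Operators" and "Maintenance", and the IP address 10.0.0.7 are made up for the example), uses $ADMIN as the page names it, and uses placeholder names for the "any local user" and "any network user" system groups because the page does not show their identifiers. Password verification is assumed to have happened before the request reaches this check.

```python
from dataclasses import dataclass
from typing import Optional

# Names assumed for this example. $ADMIN is the page's own name for the administrator
# group; the two "any ... user" system groups get placeholder names here because the
# page does not show their identifiers.
ADMIN = "$ADMIN"
ANY_LOCAL = "<any local user>"
ANY_NET = "<any network user>"


@dataclass(frozen=True)
class Identity:
    """One identifier a request carries: a resolved user name or a source IP address."""
    kind: str    # "user" or "ip"
    value: str


@dataclass(frozen=True)
class Request:
    origin: str                  # "local" or "network" (step 1, decided by the caller)
    user: Optional[str] = None   # name resolved after a name/password login, if any
    ip: Optional[str] = None     # source address of a network request, if any


class Directory:
    """Constructed stand-in for the central Users tab: membership lives only here,
    objects refer to groups by name."""

    def __init__(self) -> None:
        self.local_users: dict[str, set[str]] = {}
        self.net_users: dict[str, set[str]] = {}
        self.net_addresses: dict[str, set[str]] = {}   # network users defined by IP address

    def groups_of(self, ident: Identity, origin: str) -> set[str]:
        """Groups the identity belongs to. Unknown or anonymous identities are still members
        of the 'any local/network user' group of their origin (logged in or not)."""
        if ident.kind == "ip":
            return set(self.net_addresses.get(ident.value, ())) | {ANY_NET}
        if origin == "local":
            return set(self.local_users.get(ident.value, ())) | {ANY_LOCAL}
        return set(self.net_users.get(ident.value, ())) | {ANY_NET}


def identifiers(req: Request) -> list[Identity]:
    """Step 2: identifiers of the user who raised the request. A network user defined by
    name/password and by IP address yields two identifiers."""
    ids: list[Identity] = []
    if req.user is not None:
        ids.append(Identity("user", req.user))
    if req.origin == "network" and req.ip is not None:
        ids.append(Identity("ip", req.ip))
    if not ids:
        ids.append(Identity("user", ""))   # nobody logged in: anonymous identity
    return ids


def check_permission(allowed_groups: list[str], req: Request, directory: Directory):
    """Step 3: walk the permission's group list for each identifier and stop at the first
    group the user is a member of. Returns (granted, matched_group, groups_examined)."""
    examined: list[str] = []
    for ident in identifiers(req):
        member_of = directory.groups_of(ident, req.origin)
        for group in allowed_groups:
            examined.append(group)
            if group in member_of:
                return True, group, examined       # success on the first matching group
    return False, None, examined                   # whole list passed: operation refused


def build_directory() -> Directory:
    """Constructed sample users and groups (not from the page)."""
    d = Directory()
    d.local_users["operator1"] = {"Operators"}
    d.local_users["admin"] = {ADMIN}
    d.net_users["remote_eng"] = {"Maintenance"}
    d.net_addresses["10.0.0.7"] = {"Maintenance"}   # IP-defined network user
    return d


if __name__ == "__main__":
    d = build_directory()
    # local operator: $ADMIN is examined first and skipped, "Operators" matches
    print(check_permission([ADMIN, "Operators"], Request("local", user="operator1"), d))
    # network request with two identifiers: the name fails, the IP address succeeds
    print(check_permission(["Maintenance"], Request("network", user="guest", ip="10.0.0.7"), d))
```

Two things worth checking in your own permission lists follow from this model. The order of groups changes only how many comparisons are made, never the result, because the search stops at the first membership. And any identity, including an unknown name or a request with nobody logged in, is a member of the "any local user" or "any network user" group of its origin, so putting the "any network user" group on a permission makes that operation reachable from every network request, authenticated or not.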