mydigitalstructure

Controlling access to an organisations data is based on the two key concepts of authentication (Who is it?) & authorisation (What can be seen & done?)

Authorisation is based on a combination of functional and relational access policies/controls.

In a space that holds the data for a single organisation, most of the access controls are functional.

In a space that holds the data for many organisations, eg a collaboration space representing a network of organisations and their relationship to each other, then more of the access controls are relational, supported by functional access controls.

Functional

Relational

Access to data is based on the ability to invoke functions on the data objects and field restrictions.
Access to data is based on relational data* within the space.
* Relationships between contacts & users (represented by their linked contact record).
Access is set up by the space administrator based on user roles (static). Access policy changes as data changes (reflective).
Design/administrator driven. User driven (via the creation of relationships) based on functional access and existing relational access.
Item Description
Relational access control (sharing)
Based on links (relationships) between users and contacts
Quick Start Security Relationship Manager
Relational access control type
  • none: No relational restrictions can see all data as per functional access.
  • standard: Can only see data linked to contacts that the user has a relationship with, and details of contacts that are linked to users within the space.
  • tight: Can only see data linked to contacts that the user has a relationship with.
Functions
mydigitalstructure._util.security.share.link:
  • add: shareWithGUID:, shareWithGUIDType: ['user', 'contact_person'], onComplete:, sharedByContact: , sharedByType: ['person', 'business']
  • remove: shareGUID:
  • find: shareType: ['shared_by_me', 'shared_by_my_business', 'shared_with_me']
Also available as controller: util-security-share-link.
Requires version mydigitalstructure 3.3.7 or later and mydigitalstructure.util version 3.8.4 or later.
Sharing Controllers
Name Description
util-security-share-add
  • shareWithUser:
  • sharedByContact:
  • sharedByType: 'contact_person', 'user'
util-security-share-find
  • shareType: 'shared_by_me', 'shared_with_me', 'shared_by_my_business'
util-security-share-setup
  • shareUserRoleTitle:
  • shareType: ['sharedBy']
Create the user roles required to enable sharing.
Bob the sharer example
Bob (user) needs to be able to share his information with Jane (user).
Bob Jane
Type Shared By Shared With
Contact GUID 431dbdd4-50e5-44f2-bd81-8d9519f7bf0a 21e8456f-a44c-4746-9d32-3cff439198a8
Action Code
Log on as Bob and share with Jane
mydigitalstructure._util.security.share.link.add({
 shareWithGUID: '21e8456f-a44c-4746-9d32-3cff439198a8',
 shareWithGUIDType: 'contact_person',
 sharedByType: 'person'
});
Bob see his shares
mydigitalstructure._util.security.share.link.find(
{
 shareType: 'shared_by_me'
);
Bob removes a share
mydigitalstructure._util.security.share.link.remove(
{
 shareGUID: '[GUID from .find()]'
);
Method based data access control
Controlling the share methods
  • When setting field based restrictions use [[user]], [[contactperson]] or [[contactbusiness]] to set allowedvalues and disallowed values dynamically. Field must be of data type Numeric.
Security object
userDataPolicy =
{
 access:
 {
  all: true
  onlyOwn: true
 },
 share:
 {
  canRequestShare: true
  canSetupShare: true
 }
}
User Role based Access Controllers
Name Description
util-security-access-check
  • roles: [{title:, id:}]
Returns true/false based on if authenticated user has roles:. If title is not set then checks based on id:
util-security-access-view-show
  • roles: [{title:, id:}]
  • selector: element(s) selector
Shows the elements if authenticated user has roles:. If title is not set then checks based on id:
util-security-access-view-hide
  • roles: [{title:, id:}]
  • selector: element(s) selector
Hides the elements if authenticated user has roles:. If title is not set then checks based on id:
Initialising the view queue
You can set the user roles during intialisation. Content will only be added or rendered if the user has one of the user roles.
app.vq.init({queue: 'myqueue', roles: [{ title: 'User Role 1', title: 'User Role 2'}]})
Adding to the view queue
You can set the user roles when adding to the view queue. Content will only be added if the user has one of the user roles.
app.vq.add('
Hello
', {queue: 'myqueue', roles: [{ title: 'User Role 1', title: 'User Role 2'}]})
Showing/rendering the view queue
You can set the user roles when rendering the view queue. Content will only be rendered if the user has one of the user roles.
app.vq.init({queue: 'myqueue', roles: [{ title: 'User Role 1', title: 'User Role 2'}]})
Showing the whole table
Table will only be shown if the user has one of the user roles.
app.invoke('util-view-table', { ..., roles: [{ title: 'User Role 1', title: 'User Role 2' }] })
Showing columns
Table column will only be added if the user has one of the user roles.
app.invoke('util-view-table', { .., columns: [{... roles: [{ title: 'User Role 1', title: 'User Role 2'}] }] }