Clauses for Access Rights
Access rights can be made to depend on a clause. The assigned right will only be granted when the clause has been fulfilled.
Follow these steps to create clauses:
- Open the Security system window.
- Click the User groups (access rights) tab.
- Select a user group from the User group list and choose an object type in the right-hand window as well as an assigned right in the bottom window.
- Click the Clauses button.
  The editor will open.
- Create the clause in the editor.
  The Info button shows the object type’s object definition. For multilingual catalogs, the technical and language-specific values are shown. The technical values are used.
  Press Ctrl+Space to get input support in the form of a suggestion list.
  Entries can be selected, copied, inserted, and deleted via the context menu.
- Check the clause.
  The check shows the corresponding SQL statement with the current values of variables.
  If you click Run, the SQL statement will be executed and the number of hits will be shown. How meaningful the result is depends on the data pool and the current values of variables.
- Confirm by pressing OK.
  The clause is shown on the User group tab. Press Save to save changes you made to the security system.
Clauses for access rights can have the effect, for example, that users lose access rights to the object they are currently working on after creating it, editing its index data, or creating a copy, and can no longer find or research it afterwards.
Clause Syntax
A clause consists of a field, an operator, and a constant or variable value. Several clauses can be logically combined, and combinations can be organized using brackets.
Fields
The index data fields of an object and basic parameters are available as fields. The editor offers all fields of the object in the suggestion list (Ctrl+Space). You can also include the folder fields for document type and register type clauses.
Name:
- Field names with square brackets: [To:]
- Internal names with curly brackets: {MAIL_TO}
- Database names without brackets: field1
- Basic parameters with 'sys' prefix: sys'creator'
For exporting and importing into other systems, the spelling of the field names in clauses must match the data of the system into which the data will be imported.
The following basic parameters can be used:
| sys'created' | Date created |
| sys'creator' | User who created the object |
| sys'archiver' | Archivist |
| sys'archived' | Archive date |
| sys'mimetypid' | Mime type ID |
| sys'modifytime' | Last modification time |
| sys'modifyuser' | User who last modified the object |
| sys'retention' | Retention time |
| sys'retention_planned' | Planned retention time |
Operators
The following operators can be used:
| = | equal to |
| != | not equal to |
| > | greater than |
| < | less than |
| >= | greater than or equal to |
| <= | less than or equal to |
| in | contained in |
| between | within a range |
A clause made up of field, operator, and value can also have the prefix 'not'.
Constants
Constants are dependent on the database field type.
Character Fields
Type: 'All characters', 'Letters', 'Capital letters', 'Numerals (alphanumeric)', 'Patient type', 'Page', 'Gender', 'Questions'.
Constants for character fields are enclosed in single quotes. They may contain placeholders.
The placeholder '?' represents exactly one character, while the placeholder '*' stands for a multiple character wildcard. Placeholders can be inside, at the beginning, and at the end.
Placeholders can only be used for the operators 'equal to' and 'not equal to'.
If constants are to contain the characters '*' or '?', they must be masked with '\'. Single quotes and the marker '\' must also be masked.
Values for the 'in' operator are listed in brackets:
field1 in ('a', 'b', 'c')
The range for the 'between' operator is specified as follows:
field1 between 'a' and 'c'
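The masking and placeholder rules above, modelled as an added Python example (not product code). The helper names mask_constant, constant_to_regex and matches are hypothetical, and whole-value, case-sensitive matching is an assumption. It shows how an unmasked '*' in a value widens the set of values a clause constant matches.

```python
import re

MASKED = "*?'\\"  # characters the page says must be masked with '\'


def mask_constant(value):
    """Return value as a quoted character constant with *, ?, ' and \\ masked."""
    return "'" + "".join("\\" + ch if ch in MASKED else ch for ch in value) + "'"


def constant_to_regex(constant):
    """Translate a quoted constant with ? and * placeholders into a regex."""
    if len(constant) < 2 or constant[0] != "'" or constant[-1] != "'":
        raise ValueError("character constants are enclosed in single quotes")
    body, parts, i = constant[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":  # masked character: take the next one literally
            if i + 1 >= len(body):
                raise ValueError("dangling mask character")
            parts.append(re.escape(body[i + 1]))
            i += 2
            continue
        if ch == "'":
            raise ValueError("unmasked single quote inside constant")
        parts.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def matches(constant, value):
    """True if value matches the constant (assumption: whole-value match)."""
    return constant_to_regex(constant).fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    for constant in ("'R*D'", mask_constant("R*D")):
        for value in ("R*D", "R and D"):
            print(constant, value, matches(constant, value))
```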
Date/Time Fields
Type: 'Date', 'Date/Time', and 'Time'.
Constants for date fields have the prefix date. The date is enclosed in single quotes. Notation: YYYY-MM-DD
Example: date1 = date'2016-09-30'
Constants for date/time fields have the datetime prefix. The value is enclosed in single quotation marks. Notation: YYYY-MM-DD HH-MM-SS
Example: number1 = datetime'2016-09-30 11:31:55'
Constants for time fields have the time prefix. The value is enclosed in single quotation marks. Notation: HH-MM-SS
Example: number1 = time'11:31:55'
The last elements can be omitted gradually so that the clause refers to values independently of these elements.
Example: number1 = datetime'2016'
Decimal/Numeric Fields
Type: 'decimal' and 'integers (numeric)'
Constants for decimal fields and numeric fields are not enclosed in brackets.
Examples:
number1 >= 400
number1 between 300 and 400
real1 in (1.2,2.3,3.4)
Variables
The following variables can be used:
| #DATE# | Current date |
| #DATETIME# | Current date and time |
| #TIME# | Current time |
| #USER# | Name of the logged-on user |
| #COMPUTERNAME# | Name of the logged-on computer |
| #COMPUTERGUID# | GUID of the logged-on computer |
| #COMPUTERIP# | IP of the logged-on computer |
| #GROUPS# | Groups of which the logged-on user is a member. Operator is always 'in' or 'not in'. |
| #RIGHTGROUP# | Rights groups or name of the logged-in user. The rights group add-on or the rights group control must be assigned to the specified field. Operator is always 'in' or 'not in'. Only #RIGHTGROUP# and 'is null' clauses are permitted for the rights group control. |
Date information can be subtracted (-) or added (+) to #DATE# and #DATETIME#.
Example: number1 = #datetime#-1y2m3w4d
One year, two months, three weeks, and four days are subtracted from the current datetime.
Example: number1 = #DATETIME#+2m4d
Two months and four days are added to the current date/time.
Empty Fields
Clauses for empty fields are formulated as follows:
field1 is null
field1 is not null
The clause depends on whether null values are allowed in the database.
Owner
A simple clause can be used to assign access only to the user who is the owner of the object:
isowner
Document Properties
Documents can have the properties 'archived', 'approved for archiving', 'not approved for archiving', and 'checked out'.
These properties can be used for clauses or as a simple clause.
Example: not isArchived
| isArchivable | Approved for archiving. 'not isArchivable' is not clear; isNotArchivable must be used. |
| isNotArchivable | Not approved for archiving |
| isArchived | Archived |
| isLocked | Checked out, regardless of whether by the user themselves or by another user. |
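A small offline lint for clause text, added here as an example and not part of the product. It checks three rules stated on this page: placeholders only with = and !=, #GROUPS# and #RIGHTGROUP# only with 'in' or 'not in', and isNotArchivable instead of 'not isArchivable'. The function name lint_clause, the tokenizer, and case-insensitive keyword matching are assumptions.

```python
import re

# Tokens of the clause syntax described on this page (tokenizer is an assumption).
TOKEN = re.compile(r"""
    (?P<field>\[[^\]]*\]|\{[^}]*\})            # [To:] or {MAIL_TO}
  | (?P<typed>[A-Za-z]+'(?:\\.|[^'\\])*')      # sys'creator', date'2016-09-30'
  | (?P<const>'(?:\\.|[^'\\])*')               # character constant
  | (?P<var>\#\w+\#)                           # variables such as #USER#
  | (?P<op>!=|>=|<=|=|>|<|\b(?:in|between)\b)  # comparison operators
""", re.VERBOSE | re.IGNORECASE)

# A '*' or '?' preceded by an even number of backslashes is not masked.
UNMASKED_PLACEHOLDER = re.compile(r"(?<!\\)(?:\\\\)*[*?]")


def lint_clause(clause):
    """Return a list of findings for rule violations in one clause string."""
    findings, last_op = [], None
    # Blank out constants and bracketed field names before the keyword check.
    bare = TOKEN.sub(
        lambda m: " " if m.lastgroup in ("const", "field") else m.group(), clause)
    if re.search(r"\bnot\s+isArchivable\b", bare, re.IGNORECASE):
        findings.append("use isNotArchivable instead of 'not isArchivable'")
    for m in TOKEN.finditer(clause):
        kind, text = m.lastgroup, m.group()
        if kind == "op":
            last_op = text.lower()
        elif kind == "const" and last_op not in ("=", "!=", None):
            if UNMASKED_PLACEHOLDER.search(text[1:-1]):
                findings.append(f"placeholder in {text} used with '{last_op}'")
        elif kind == "var" and text.upper() in ("#GROUPS#", "#RIGHTGROUP#"):
            if last_op != "in":
                findings.append(f"{text} requires 'in' or 'not in'")
    return findings


if __name__ == "__main__":
    # Constructed sample clauses using the field names from this page.
    for sample in ("field1 in ('a*', 'b')",
                   "[To:] = #GROUPS#",
                   "not isArchivable and sys'creator' = #USER#",
                   "field1 = 'a*' and [To:] not in #GROUPS#"):
        print(sample, "->", lint_clause(sample))
```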
Clauses with Folder Reference
Clauses on register types and document types can refer to the folder data: The index data fields and basic parameters of the folder type are available in addition to the fields of the register or document type.
Syntax:
folder (folder field operator value)
Clauses for a folder type can be combined:
folder (folder field1 operator value1 operator folder field2 operator value2)
For document types with locations in multiple folders:
folder (folder field1 operator value1) operator folder (folder field2 operator value2)
Combinations of clause with folder reference and clause without folder reference:
folder (folder field operator value) operator object field operator value
Example:
The folder field and object field may not be blank.
folder ([folder field] is not null) and [object field] is not null
Press Ctrl+Space to get input support in the form of a suggestion list.
The access right to one location always includes access to the other locations for documents with multiple locations.
Example of Clauses
In the following example, the right is only assigned to the current user if the user is the creator or if the creator has entered the current user's name into the 'Share with' index data field, given that the date indicated in the 'Release date' field has already been reached or expired.
The data sheet contains the fields: 'Creator', 'Release date', and 'Share with'. These fields are used in the clause.
Use the expression editor to create the clause. It reads as follows:
[Creator] = #USER# or ([share with] = #USER# and [Release date] <= #DATE#)
The check shows the clause with the current values of the variables #USER# and #DATE#.
Access to User Lists
In certain contexts, users have the possibility to open a list of all users. This includes, for example, in search forms of portfolios and basic parameters, in configuration dialogs of view filters, in configuration dialogs of subscriptions and follow-ups, and in other contexts.
If this is not always desirable or practical, you can restrict the list to those users who are members of at least one of the groups in which the user who opens the list is a member.
To do so, you will need to add the following entry to the \etc\as.cfg file of the data directory:
[MANDANT]
HideOthers=1
You can add another line to the section in order that other individual users are included even if they do not share group membership with the current user:
Exclude=Benutzer1;Benutzer2
You disable this function with [MANDANT]HideOthers=0.
Users who are members of the 'Standard' group will always see all users in user lists. Similarly, users who are members of the 'Standard' group in an area of the remote user administration dialog will be shown all other members of the area.
Users with the 'Client: Show system recycle bin' system role are always shown all users in the recycle bin's user list.
