Security NameSpaces

You may subdivide security accounts into name spaces. This is required when using Realm Filtering. When namespaces are in use, the Sign in dialog will query users for their group name as well as their user name and password. Namespaces are therefore sometimes referred to as security groups.

A given namespace can be associated with one or more tag Area properties. The result is that the users belonging to that security group will only be able to access the tags belonging to the assigned areas. This functionality can be organized using security name spaces in combination with realm filtering (security name spaces on their own are not sufficient to segregate user data). For example, you may use security name spaces and realm filtering together in applications where you must restrict sets of users to specific sets of pages or subsets of data, and where managers or administrators must be able to oversee their own user base, but should be unaware of any other end-users.

Two variables in the Settings.Dynamic <SECURITYMANAGER-ADMIN> section are associated with security name spaces. These are:

<SECURITYMANAGER-ADMIN>
NameSpaceDelimiter =
GroupLogin =

Set GroupLogin to 1 to enable group logins, and NameSpaceDelimiter to one or two characters that will be used as the delimiter. A colon ":" is commonly used as the delimiter.

NameSpaceDelimiter

The NameSpaceDelimiter application property enables you to specify the character (or characters) you wish to be used by managers setting up security groups. The recommended characters for NameSpaceDelimiter are two colons, however, you may use any characters you deem appropriate. The assigned character (or characters) must then separate the name of the security group from the username of the user belonging to that group when a new security account is added to your application.

The following image displays the Add Account security dialog when a group is being specified for a new user. As you can see from this example, a colon has been assigned as the NameSpaceDelimiter.

GroupLogin

The GroupLogin application property enables you to add a third field to the Sign in dialog that opens when the Sign in button in the Display Manager's title bar is clicked. This third field is the Group field, which enables users to specify the group to which their user account belongs when they logon to an application. To include the Group field in the Sign in dialog, you must set GroupLogin to 1.

The following image on the left displays the Sign in dialog when GroupLogin has been set to 0 (its default value), while the following image on the right displays the Sign in dialog when GroupLogin has been set to 1.

 

When signing in, users must enter the name of the security group to which they have been assigned in the Group field.

A super user (one who has not been assigned to any group) may leave the Group field blank, and can logon as they normally would, by entering their username in the Username field, and their password in the Password field.

Super users cannot sign in via the VIC unless extra configuration is done as follows: 

  • The RootNamespaceSettings.Dynamic variable has to be set to a value for the super user realm, which is different from all other configured realms. The value of RootNamespace must not match any defined security realm.
  • That realm must be configured in the Internet settings dialog with the required application listed.

The URL used to sign in becomes "http[s]://servername/superrealm" where superrealm is the name assigned to RootNamespace and configured in Internet settings. A super user can then sign in using their (non-namespace) username and password

If security realms are enabled, managers who are members of a realm can see only those accounts and roles that are within the same realm.
If using security realms, it is important that you keep one manager account with no realm membership.