Security system. Overview
Security in DWKit
The main DWKit security objects are:
- User - a system user. You can set either a login/password pair or a domain login for a user; this determines the authentication type. A user can be included in a User group and can have one or several Roles.
- User group - combines users so that roles can be assigned to all of them at once. This is faster than assigning roles to each user individually.
- Permissions group and Permissions - a Permissions group is an object containing Permissions. Permission values (inherited, allow, deny) are defined in Roles. You can bind each form to one of the permission groups and set form view and data editing rights.
- Role - the place where specific values (inherited, allow, deny) are assigned to Permissions. These values allow you to check whether a user has access to certain resources.
Storing Security objects in DWKit
All Security objects are stored in database in
Editing Security objects in DWKit
All Security objects are edited in the Security section of the admin panel.
Setting access to forms
If we do not wish to restrict access to a form (i.e. the form will be available to all signed-in users), we do nothing. This is the default system behavior. If we want to restrict access to a form for certain users, we need to follow this algorithm:
- Create a permission group for the form.
- Create at least two permissions, 'View' and 'Edit', in this group.
- Bind permission to form. Read more about it here.
- Open access to form via roles. Read more about it here.
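The model described above, as an added example that is not DWKit code: a small Python sketch of forms bound to permission groups, roles carrying inherited/allow/deny values, and users receiving roles directly or through user groups. All class and function names are hypothetical, and the conflict rule (an explicit deny wins, otherwise at least one allow is required) is an assumption, since this page does not state how DWKit combines values from several roles.

```python
# Toy model of the security objects described on this page (added example).
# All names are hypothetical; none of this is a DWKit API.
from dataclasses import dataclass, field

ALLOW, DENY, INHERITED = "allow", "deny", "inherited"

@dataclass
class Role:
    name: str
    values: dict = field(default_factory=dict)  # (permission group, permission) -> value

@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)

@dataclass
class User:
    login: str
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)

def effective_roles(user):
    # Roles assigned directly plus roles received through user groups.
    roles = list(user.roles)
    for group in user.groups:
        roles.extend(group.roles)
    return roles

def check_permission(user, perm_group, permission):
    # ASSUMPTION (not stated on the page): an explicit deny in any role wins,
    # at least one allow is required, and "inherited" expresses no opinion.
    values = [r.values.get((perm_group, permission), INHERITED) for r in effective_roles(user)]
    return DENY not in values and ALLOW in values

def can_access_form(user, form_bindings, form, permission):
    # Page's default: a form with no permission group bound is open to every signed-in user.
    perm_group = form_bindings.get(form)
    return True if perm_group is None else check_permission(user, perm_group, permission)

# Constructed sample data
viewer = Role("Viewer", {("Invoices", "View"): ALLOW})
editor = Role("Editor", {("Invoices", "View"): ALLOW, ("Invoices", "Edit"): ALLOW})
audit = Role("ReadOnlyAudit", {("Invoices", "Edit"): DENY})
accounting = Group("Accounting", [editor])
alice = User("alice", groups=[accounting])                 # roles only via group
bob = User("bob", roles=[viewer])                          # direct role, view only
carol = User("carol", roles=[audit], groups=[accounting])  # deny overrides group allow
dave = User("dave")                                        # signed in, no roles
FORMS = {"invoice": "Invoices"}                            # "dashboard" is left unbound
```

In this model a user with no roles (dave) still reaches any form that has no permission group bound, which is why binding a permission group is the step that actually restricts a form.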
Authentication types supported by DWKit
DWKit supports three authentication types:
- Login and password. The login and password hash are stored in the database. You can set the login and password on the user edit form.
- Domain authentication. Only the domain login is stored in the database. The user check is performed by addressing the domain. You can set the domain login on the user edit form. This method will only work if DWKit is hosted on a Windows machine. If DWKit is hosted on a Linux machine but you want to use domain authentication, use external authentication providers.
- Identity Server - uses OpenID for authentication and supports a wide range of Identity Providers, such as Google, Facebook, domain authentication, etc. See more information in this section.
You can import users and user groups via LDAP. To do this, follow this algorithm:
- Import users and user groups.
- Bind DWKit roles to imported user groups.
- From now on, imported users will be assigned roles depending on groups they belong to.
Import via LDAP can be performed either manually or automatically at set timer intervals. Read more about these settings here.