--
PedroRio - 27 Jan 2011
XEO Security/Permissions
The XEO framework has a built-in security/permission system to make it easier to develop your applications. There are three types of securities/permissions in a XEO Application, listed as follows:
- Object Model Permissions (Permissions)
- Object Policy Labelling (Security)
- Viewer Permissions (Permissions)
Object Model Permissions - Policies
Object Model Permissions allow you to define a system of permissions around Object Models. You can define that only a certain "set" of people can create/edit/delete instances of a certain object model, or only a certain set of people can see a particular attribute in an Object Model, or execute a given method in that Object Model.
This allows you to define a rule such as "Only the Managers group can see the 'Total Project cost' in a given Project" (assuming there's a group representing the managers, and a "Project" Object Model with an attribute representing the total cost of the project).
A Policy is an instance of the system Ebo_Policy Object Model, which has a name and a description attribute and includes a collection attribute (rules) whose elements are instances of the Ebo_PolicyRule Object Model. The Ebo_PolicyRule Object Model is the key factor here, as each instance of Ebo_PolicyRule defines the regular name and description attributes but also the type of rule it is (which can be "Read, Write, Delete, Execute and Create") and which groups (instances of Ebo_Group) can perform that action.
In a XEO Application, if no policies are defined (the default for a new application), every user can perform every action (Read, Write, Delete, Create and Execute) over every Object Model, Attribute and Method.
Important Notice: Policies are not hierarchical, i.e. if a user can delete instances of a certain Object Model it does not mean he can create new ones, or edit existing ones.
If a given action over a certain Object Model/Attribute/Method is not defined, every user can perform that action. Example: If the "CREATE" action of Object Model "A" is allowed only for users of group "B", only those users will be able to create an instance of A, but every user will be able to read, edit, delete and execute instances/attributes/methods of A.
__
Object Policy Labeling (Security)
Object Policy Labeling is a way to declare security
Viewer Permissions (Permissions)
Viewer Permissions is a feature similar to Policies, but applied to Components inside a viewer. To declare Viewer Permissions you'll have to select a specific viewer, search for the component where you want to declare permissions and add a new Access Policy (which includes choosing the action Read, Write, Delete, Execute, Add and/or Full Control) for a specific user/group/role.
Important Notice: Not all actions apply to every component. For example, to a xvw:menu component only an "Execute" action will apply, while to a xeo:bridge component the "Add" and "Delete" actions will apply.
Viewer Permissions are, contrary to Object Model Policies, hierarchical. If a user has full control permission over a given component it will have read, write, add, delete and execute permissions over the component.
To define a viewer permission you must go to the Administration page of a XEO Application.
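The following is an added example, not XEO framework code, that models the two evaluation semantics described on this page side by side: Object Model Policies (a rule per target and action naming the allowed groups, with an undefined action open to every user, and no hierarchy between actions) and Viewer Permissions (hierarchical, where Full Control implies read, write, add, delete and execute). The class and function names (Policy, PolicyRule, User, check_object_action, undefined_actions, check_viewer_action) and the sample groups, targets and component names are this example's own assumptions; the page does not state what happens when no access policy covers a viewer component, so the viewer check below requires an explicit grant, which is also an assumption.

```python
"""Added example (not XEO code): Object Model Policy vs. Viewer Permission evaluation.

Object Model Policies: a rule maps (target, action) -> allowed groups. If no rule
covers a (target, action) pair, every user may perform it. Rules are independent
per action (DELETE on a target says nothing about CREATE).

Viewer Permissions: hierarchical. FULL_CONTROL grants every other viewer action.
"""
from dataclasses import dataclass, field

OBJECT_ACTIONS = {"READ", "WRITE", "DELETE", "EXECUTE", "CREATE"}
VIEWER_ACTIONS = {"READ", "WRITE", "DELETE", "EXECUTE", "ADD", "FULL_CONTROL"}


@dataclass(frozen=True)
class PolicyRule:
    target: str          # Object Model, "Model.attribute" or "Model.method()" (naming is ours)
    action: str          # one of OBJECT_ACTIONS
    groups: frozenset    # group names allowed to perform `action` on `target`


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def check_object_action(policies, user, target, action):
    """True if `user` may perform `action` on `target` under the given policies."""
    if action not in OBJECT_ACTIONS:
        raise ValueError(f"unknown object action: {action}")
    covering = [r for p in policies for r in p.rules
                if r.target == target and r.action == action]
    if not covering:
        return True  # no rule defined for this action: open to every user
    # Non-hierarchical: only rules for exactly this action are consulted.
    return any(user.groups & r.groups for r in covering)


def undefined_actions(policies, target):
    """Actions on `target` that no rule restricts, i.e. open to every user."""
    defined = {r.action for p in policies for r in p.rules if r.target == target}
    return sorted(OBJECT_ACTIONS - defined)


def expand_viewer_grant(granted):
    """Hierarchical expansion: FULL_CONTROL implies every other viewer action."""
    granted = set(granted)
    if "FULL_CONTROL" in granted:
        return set(VIEWER_ACTIONS)
    return granted


def check_viewer_action(access_policies, user, component, action):
    """access_policies: list of (component, principal, granted_actions).

    `principal` matches the user's name or one of the user's groups (roles are
    not modelled here). Assumption: with no matching grant the action is denied.
    """
    if action not in VIEWER_ACTIONS:
        raise ValueError(f"unknown viewer action: {action}")
    principals = {user.name} | set(user.groups)
    for comp, principal, granted in access_policies:
        if comp == component and principal in principals:
            if action in expand_viewer_grant(granted):
                return True
    return False


def sample_setup():
    """Constructed sample data: a Project model restricted to the Managers group."""
    policy = Policy("Project policy", [
        PolicyRule("Project", "CREATE", frozenset({"Managers"})),
        PolicyRule("Project.totalCost", "READ", frozenset({"Managers"})),
    ])
    grants = [
        ("menuReports", "Managers", {"FULL_CONTROL"}),
        ("menuReports", "Developers", {"EXECUTE"}),
    ]
    alice = User("alice", frozenset({"Managers"}))
    bob = User("bob", frozenset({"Developers"}))
    return [policy], grants, alice, bob


if __name__ == "__main__":
    policies, grants, alice, bob = sample_setup()
    print("bob CREATE Project:", check_object_action(policies, bob, "Project", "CREATE"))
    print("bob DELETE Project:", check_object_action(policies, bob, "Project", "DELETE"))
    print("open actions on Project:", undefined_actions(policies, "Project"))
    print("bob DELETE menuReports:", check_viewer_action(grants, bob, "menuReports", "DELETE"))
    print("alice DELETE menuReports:", check_viewer_action(grants, alice, "menuReports", "DELETE"))
```

The undefined_actions helper is the check a reviewer would run before going live: it lists every action on a target that is still open to all users because no rule mentions it, which is exactly the case the page's "CREATE on A" example warns about.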
__