== User rights ==
There is a programmatic framework for user- or group-specific rights in {{UBIK}} that is highly customizable. Currently, {{UBIK}} requires you to add some logic for the evaluation of user rights, so get ready to do some coding!
=== Defining rights ===
First, it will be necessary to define what rights there should be. In general, it should be possible to control whether a user is allowed to view ("read"), edit ("write"), create and delete data. Creation and deletion rights usually can be subsumed into the right to manipulate ("write") data. Fortunately, there is already an enum ''UBIK.Kernel.UserRights'' describing the three possible rights and mapping them to integer values:
* NoRight = 0
* Read = 10
* Write = 20
So, nothing for you to do yet.
=== Configuring rights ===
So we have the basic definitions for reading and writing. Now we have to apply them to use-cases, that is, to objects and users (or better, groups). E.g., if it should be possible to control the rights for editing an object's properties, one could relate the respective user group to the object and set the right on the relation data object. Then, the group is related to the target object, with the respective right as a property of their relation.
The next steps will be to create a [[Relation]] with a custom relation data meta class defining a property for the rights configuration:
# Create a new [[Relation]] plus relation data meta class.
# The left target meta class should be any object (i.e., ''BASECLASS''), whereas the right target meta class should be ''USERGROUP'' or ''LOGIN'', depending on whether you're using groups or not.
# Add a new [[MetaProperty]] for the user right to the relation data meta class, e.g., ''MP_USER_RIGHT''. It should be an integer property, so we can store values from the ''UserRights'' enum in it.
Now you have the possibility to describe rights between users (respectively, groups) and any object, just by creating a relation between them and setting the respective right on the relation data instance.
=== Evaluating rights ===
Now that we have defined and configured rights, we have to evaluate them. This can be done by customizing the methods ''CustomGroupRights'' and ''CustomPropertyGroupRights'' for any meta class.
==== Controlling the visibility and editability of objects ====
# Find the meta class of objects you want to control the user rights for.
# Customize its method ''CustomGroupRights''.
# Find relation instances between the current object (or its meta class) and user groups.
# Read the custom rights from the relation data objects connecting the target object and a user group.
# For each combination, create a new instance of ''UBIK.Service.DTO.V240.GroupRight'' and assign both the group and the right.
# Add all ''GroupRight'' instances to a result list and return it.
{{UBIK}} will take care of the rest, i.e., applying the rights.
==== Controlling the visibility and editability of properties ====
This works basically the same way as for whole objects, just with a different method to override:
# Find the meta class of objects you want to control the rights for.
# Customize its method ''CustomPropertyGroupRights''. Note that there is a parameter ''metaPropertyName'', so this is about a specific property.
#* Now it becomes interesting, because you have many options depending on the degree of detail you want to control the property rights for:
#** '''On meta class level''': If the rights for every property are the same for all instances of a meta class, but differ by user, you should evaluate the relation between the meta class and the user group.
#** '''On meta property level''': If the rights for a property are the same for all instances of a meta class, but differ by meta property and user, you should evaluate the relation between the meta property and the user group. If a meta property is used on multiple meta classes with different rights, you may have to evaluate the relation between: A) the relation between meta class and meta property and B) the user.
#** '''On content object level''': If the rights for every property are the same for the same content object, you should evaluate the relation between the object and the user group.
#** '''On property level''': If the rights for a property depend only on the user, you should evaluate the relation between an attribute on the property and the user group. (An attribute is needed because you can't relate a property to anything.)
# Read the custom rights from the relation data objects connecting the target object and a user group.
# For each combination, create a new instance of ''UBIK.Service.DTO.V240.GroupRight'' and assign both the group and the right.
# Add all ''GroupRight'' instances to a result list and return it.
{{UBIK}} will take care of the rest, i.e., applying the rights.
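The object-level evaluation steps above, as an added sketch that is not {{UBIK}}'s own code or the author's: all types are local stand-ins (the real ''CustomGroupRights'' signature and the members of ''GroupRight'' are not shown on this page). The override order and the most-restrictive tie-break are assumptions made for the example, not documented {{UBIK}} behaviour.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in mirroring the values of UBIK.Kernel.UserRights listed above.
public enum UserRights { NoRight = 0, Read = 10, Write = 20 }

// Hypothetical shape of one relation data instance:
// target (object or meta class) -> user group, with the MP_USER_RIGHT integer.
public record RightRelation(string TargetId, string GroupName, int MpUserRight);

// Stand-in for UBIK.Service.DTO.V240.GroupRight.
public record GroupRight(string GroupName, UserRights Right);

public static class RightsEvaluation
{
    // Fail closed: an integer that is not a defined enum value grants nothing.
    public static UserRights Parse(int raw) =>
        Enum.IsDefined(typeof(UserRights), raw) ? (UserRights)raw : UserRights.NoRight;

    // Assumed policy: a relation on the object itself overrides one on its meta class;
    // conflicting relations on the same level resolve to the most restrictive right.
    public static List<GroupRight> Evaluate(string objectId, string metaClassId,
                                            IEnumerable<RightRelation> relations)
    {
        var result = new Dictionary<string, UserRights>();
        foreach (var level in new[] { metaClassId, objectId }) // later level overrides
        {
            foreach (var g in relations.Where(r => r.TargetId == level)
                                       .GroupBy(r => r.GroupName))
                result[g.Key] = g.Select(r => Parse(r.MpUserRight)).Min();
        }
        return result.Select(kv => new GroupRight(kv.Key, kv.Value)).ToList();
    }

    public static void Main()
    {
        // Constructed sample relation data (names are placeholders).
        var relations = new[]
        {
            new RightRelation("MC_PUMP", "Operators", 10),
            new RightRelation("MC_PUMP", "Engineers", 20),
            new RightRelation("PUMP_0042", "Operators", 20),
            new RightRelation("PUMP_0042", "Engineers", 15), // not a UserRights value
        };
        foreach (var gr in Evaluate("PUMP_0042", "MC_PUMP", relations))
            Console.WriteLine($"{gr.GroupName}: {gr.Right}");
    }
}
```

In a real customization the loop body would fill ''GroupRight'' instances from the relation data objects; validating the stored integer before casting keeps a mistyped ''MP_USER_RIGHT'' value from being treated as a grant.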
{{Attention|Rights are evaluated by the server; so for the mobile client, there is no offline support for the dynamic evaluation of user group rights yet (when this article was created).}}