= DrawMGT - Security Exceptions =
 * 2011.04.15, AH&TN

= Introduction =
DrawMGT ''Security Exceptions'' can be used to grant '''read''' access to comments/tasks and revisions to users who would not normally have access, given their normal user roles. Security exceptions must be used carefully, because they bypass the normal access rules. The exact rules governing the comment/task types and link types to which security exceptions can be applied are defined in the system configuration and are documented below.

The prerequisites for granting a security exception are:
 * The target users, to whom access is to be granted, have valid logins in any contract
 * The comment/task is not obsolete and has a specific type
 * The revision is linked, with a specific link type, to a comment/task with a specific type
 * The user is on the subscriber list of the comment/task

The list of link types is defined in the system configuration. For the ''Linthal'' project they are:
 1. Comment/task type: '''AUBE'''
 2. Link type: '''all'''

= User Procedure =
== Creating a Security Exception ==
There are two ways to create a security exception.

 1. Creating a security exception to grant access to a single revision:
  * In the Document Detail screen, push the button 'New Comment' at the bottom of the screen, then select the appropriate link type, typically !SecExp.
  * Enter the new comment/task and assign the appropriate type
  * Add the desired users to the subscriber list of the new comment/task.
 2. Creating a security exception to grant access to multiple revisions:
  * Place all the desired revisions in the document basket
  * Create a new comment/task with the appropriate type (typically KOOR)
  * Add the desired users to the subscriber list of the new comment/task
  * Link the document basket to the new comment/task, selecting the appropriate link type (typically !SecExp)

== How To Use Security Exception ==
If a user is granted access to comments/tasks or revisions via a security exception, he will not be able to view any of these items in search results or in document or task lists. The comments/tasks are visible to the user only via the URL contained in the automatically generated email sent to the user as a subscriber to the comment/task (''Note: this statement must be confirmed''). The revision itself can only be viewed via the link in the list of documents attached to the comment/task.

= System Configuration =
The security exception configuration has two parts:
 1. Configuration of the list of comment/task types to which security exceptions can be applied
 1. Configuration of the link types to which security exceptions can be applied

The definitions can be configured to include one, multiple or all types. This means that it is possible to completely disable security exceptions, or to allow security exceptions to function over all comment/task and/or link types. The ''Linthal'' project has a strict definition where one must define both a specific task/comment type (KOOR) '''and''' a specific link type (!SecExp).

== Configuring Security Exception Comment/Task Types ==
The setting $_CFG[ '!SecurityException' ][ '!CommentTypes' ] determines the comment/task types required for the security exception. E.g. the following setting allows only comment/task type "'''KOOR'''" to be involved in a security exception:
{{{
$_CFG[ 'SecurityException' ][ 'CommentTypes' ] = array( CommentTypeRef_KOOR );
}}}
The '''default''' setting is an empty array, which means '''no security exceptions''' are allowed. The example above is from the '''Linthal''' project site settings.

== Configuring Security Exception Link Types ==
The setting $_CFG[ '!SecurityException' ][ '!RefTypes' ] determines the reference types required for the security exception. E.g. the following setting allows only reference type "'''!SecExc'''" to be used to grant security exceptions:
{{{
$_CFG[ 'SecurityException' ][ 'RefTypes' ] = array( ReferenceTypeRef_SecExc );
}}}
The '''default''' setting is an empty array, which means '''all link types allow security exception'''. The example above is from the '''Linthal''' project site settings.
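
The two settings have opposite defaults, which is easy to miss when reviewing a site configuration. The sketch below is an added example, not DrawMGT's own code: it evaluates read access to a linked revision from the prerequisites and the two $_CFG settings described on this page. The function name, the array keys of the sample data, the constant values and the constant `ReferenceTypeRef_Other` are assumptions.

```php
<?php
// Added illustration, not DrawMGT source. Constant values, array keys and
// the function name are assumptions; only the $_CFG keys come from the page.
const CommentTypeRef_KOOR     = 1;
const ReferenceTypeRef_SecExc = 10;
const ReferenceTypeRef_Other  = 11;   // hypothetical second link type

function securityExceptionGrantsRead(array $cfg, array $user, array $comment, int $linkType): bool
{
    $commentTypes = $cfg['SecurityException']['CommentTypes'] ?? array();
    $refTypes     = $cfg['SecurityException']['RefTypes'] ?? array();

    // Empty CommentTypes (the default): no security exceptions are allowed.
    if (!in_array($comment['type'], $commentTypes, true)) {
        return false;
    }
    // Empty RefTypes (the default): every link type allows the exception.
    if ($refTypes !== array() && !in_array($linkType, $refTypes, true)) {
        return false;
    }
    // Remaining prerequisites: valid login, live comment/task, subscriber.
    return $user['validLogin']
        && !$comment['obsolete']
        && in_array($user['login'], $comment['subscribers'], true);
}

// Constructed sample data.
$user    = array('login' => 'reviewer1', 'validLogin' => true);
$comment = array('type' => CommentTypeRef_KOOR, 'obsolete' => false,
                 'subscribers' => array('reviewer1'));

$default = array();   // nothing configured
$strict  = array('SecurityException' => array(
    'CommentTypes' => array(CommentTypeRef_KOOR),
    'RefTypes'     => array(ReferenceTypeRef_SecExc)));
$loose   = array('SecurityException' => array(
    'CommentTypes' => array(CommentTypeRef_KOOR)));   // RefTypes left at default

foreach (array('default' => $default, 'strict' => $strict, 'loose' => $loose) as $name => $cfg) {
    foreach (array('SecExc' => ReferenceTypeRef_SecExc, 'Other' => ReferenceTypeRef_Other) as $label => $linkType) {
        $ok = securityExceptionGrantsRead($cfg, $user, $comment, $linkType);
        printf("%-7s link=%-6s read=%s\n", $name, $label, $ok ? 'yes' : 'no');
    }
}
```

The `loose` case is the one to check for in a site configuration: with !RefTypes left unset, a link of any type to a KOOR comment/task grants read access to its subscribers.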