Security Manager

Every Tequila task and mode passes through the security engine without any code on your part, so you can restrict who may execute specific tasks using the built-in security manager.

Security information is stored in the tables whose names start with sec_. These tables hold more data than is covered here; see "The security model" for the details.

The visual editor

To simplify security management, Tequila includes a visual editor. You can access it by browsing to:

yourapplication/index.php?task=sec_manager

Editor regions

Object / action tree

In Tequila every object is identified by an LDAP-style dotted name, e.g.

systems.yoursystemname.tasks.yourtaskname.delete

The editor shows this name as a tree view, where:

1) Each level of the name becomes a branch, called an object

2) Modes are called actions

So actions are executed on objects.

Modifying/Adding objects and actions

To see the 'actions' available on any node of the tree:

1) Click the node you want to edit

2) Click the "Show Actions" link in the right-hand panel

Which objects and actions can I add?

That depends on your application. You can add any object or action, including ones that do not correspond to an existing task or mode, as long as you check them from your own code (see "Securing special objects" below).

Inheritance

Security is inherited along the LDAP-style name: if an object has no assignment of its own, the security engine looks for one in each of its parents in turn, e.g.

systems.yoursystem.tasks.view

Every task in this system that has no definition of its own for who may use the view action inherits this one.

My system is empty!

The Tequila database ships with only the 'systems' node, so add two children:

    1. a child of systems named after your system (as defined in config)

    2. a child of (1) named tasks

After this, add any task you want to secure explicitly.

Securing special objects

In Tequila you can secure any object. For example, suppose you decide to secure a region in:

- Task: Customer task

- Mode: edit

- Region to secure: last_action

Object: systems.yoursystem.tasks.Customer.last_action

Action: edit

You can then use the manager to define who may and may not view this block.

For a special object like this to have any effect, you must check security from your own code:

    global $appname, $sec;
    // Ask the security engine whether the current user may 'edit' the last_action
    // region of the Customer task; $appname is the system name from config.
    $is_authorized = $sec->auth("systems.$appname.tasks.Customer.last_action", "edit");

You can also create independent trees that do not hang under your system's tasks, e.g.

system.contentManager.folders.user.inbox

The 'all' action and inheritance order

When you need to secure a task completely (every action), just create the 'all' action. Tequila resolves security in this order:

    1. Specific object + specific action

    2. Specific object + all

    3. Parent object + specific action

    4. Parent object + all

    5. Repeat (3) and (4) for each further parent, up to systems

    6. Fall back to the global security setting from config
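To make the resolution order concrete, here is an added example that is not Tequila's own code: it walks the six steps above over a constructed set of assignments held in a PHP array. The array layout, the function name resolveSecurity, the rule labels and the config default are assumptions made for illustration; the real engine reads its rules from the sec_ tables and you reach it through $sec->auth(), not through an array.

```php
<?php
// Added example, not Tequila's own code. It models the lookup order listed
// above over an in-memory array; the real engine reads the sec_ tables.
// Array layout, function name and rule labels are assumptions for illustration.

// Constructed sample assignments, keyed "object.action" => rule label.
$assignments = [
    'systems.yoursystem.tasks.view'            => 'rule: everyone on project ABC',
    'systems.yoursystem.tasks.Customer.delete' => 'rule: managers only',
    'systems.yoursystem.tasks.Customer.all'    => 'rule: project ABC members',
];

// Step 6: the global security setting from config (assumed value).
$globalSecurity = 'config default: reject';

/**
 * Resolves which assignment governs $action on $object:
 *   1/2  the object itself, first with $action, then with 'all'
 *   3/4  its parent, first with $action, then with 'all'
 *   5    the same pair of lookups on every further parent up to 'systems'
 *   6    the global setting from config when nothing matched
 * Returns the key that matched (for the trace) and the assignment.
 */
function resolveSecurity(array $assignments, string $object, string $action, string $globalSecurity): array
{
    $parts = explode('.', $object);
    while ($parts !== []) {
        $node = implode('.', $parts);
        foreach ([$action, 'all'] as $candidate) {
            $key = "$node.$candidate";
            if (isset($assignments[$key])) {
                return ['matched' => $key, 'assignment' => $assignments[$key]];
            }
        }
        array_pop($parts);              // climb one level towards 'systems'
    }
    return ['matched' => '(config)', 'assignment' => $globalSecurity];
}

// One case per branch of the order, using the sample data above.
$cases = [
    ['systems.yoursystem.tasks.Customer',             'delete'], // 1: object + action
    ['systems.yoursystem.tasks.Customer',             'edit'],   // 2: object + all
    ['systems.yoursystem.tasks.Invoice',              'view'],   // 3: parent + action
    ['systems.yoursystem.tasks.Customer.last_action', 'edit'],   // 4: parent + all
    ['systems.yoursystem.tasks.Invoice',              'delete'], // 5: climbs to 'systems', then
    ['systems.othersystem.tasks.Invoice',             'view'],   // 6: falls back to config
];

foreach ($cases as [$object, $action]) {
    $r = resolveSecurity($assignments, $object, $action, $globalSecurity);
    printf("%-48s %-7s -> %-31s via %s\n", $object, $action, $r['assignment'], $r['matched']);
}
```

Two things the trace makes visible. First, Customer/edit resolves to Customer.all before the parent's tasks.view is ever consulted: an 'all' action on an object outranks any per-action rule set higher up, so adding 'all' to a task silently replaces whatever its parents said about individual actions. Second, everything that climbs past systems ends at the config default, so that setting decides whether an object nobody remembered to secure is open or closed; keep it rejecting.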

Setting security

Once you have created your objects and actions you can define who may use them. Tequila supports four types of security:

    • Strict: only a user who has all the keys (belongs to all the listed categories) is authorized

    • Loose: a user who has any of the keys (belongs to any of the listed categories) is authorized

    • Deny Strict: the opposite of Strict; a user who has all the keys is rejected

    • Deny Loose: the opposite of Loose; a user who has any of the keys is rejected

This allows powerful combinations such as:

Level: Manager

Project: ABC

Country: UK

* You can read more on the "Security model" page.

Security groups

Groups let you define several series of rules on the same object and action. Following the previous example,

User 1 is the UK manager of Project ABC.

Now we need to give access to developers and leaders in Vietnam as well.

User 2 is:

Level: - Not set - (means all)

Project: ABC

Country: Vietnam
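The following added example (not Tequila's own code) evaluates the four security types against a user's categories and puts the two groups above on one object/action, with a Deny Loose group added to show the deny side. The array layout, the constants, the function names and the user records are assumptions. In particular, the page does not say how Tequila combines several groups, so the example assumes that a matching Deny group rejects first and that otherwise any matching Strict or Loose group authorizes; check this against your own installation before relying on it.

```php
<?php
// Added example, not Tequila's own code. It models the four security types
// and several groups on one object/action with plain arrays; the real engine
// reads the sec_ tables. Array layout, constants, function names and the way
// groups are combined are assumptions (see the lead-in).

const STRICT      = 'strict';
const LOOSE       = 'loose';
const DENY_STRICT = 'deny_strict';
const DENY_LOOSE  = 'deny_loose';

// A user is a map classifier => list of categories they belong to.
// A group is a type plus its keys: classifier => list of categories.
// A classifier missing from the keys is "Not set" and constrains nothing.

/** Counts the keys the user holds against the total number of keys in the group. */
function countKeys(array $group, array $user): array
{
    $held = 0;
    $total = 0;
    foreach ($group['keys'] as $classifier => $categories) {
        foreach ($categories as $category) {
            $total++;
            if (in_array($category, $user[$classifier] ?? [], true)) {
                $held++;
            }
        }
    }
    return [$held, $total];
}

function isDenyType(string $type): bool
{
    return $type === DENY_STRICT || $type === DENY_LOOSE;
}

/** True when the group's key test matches the user: all keys for the Strict
 *  types, any key for the Loose types. In this model a group with no keys at
 *  all matches everyone under Strict and nobody under Loose; do not rely on that. */
function groupMatches(array $group, array $user): bool
{
    [$held, $total] = countKeys($group, $user);
    switch ($group['type']) {
        case STRICT:
        case DENY_STRICT:
            return $held === $total;
        case LOOSE:
        case DENY_LOOSE:
            return $held > 0;
        default:
            return false;               // unknown type: fail closed
    }
}

/**
 * Assumed combination of several groups: any matching Deny group rejects first;
 * otherwise any matching Strict/Loose group authorizes; with only Deny groups
 * present, a user none of them matches is authorized.
 */
function isAuthorized(array $groups, array $user): bool
{
    $allowGroups = [];
    foreach ($groups as $group) {
        if (isDenyType($group['type'])) {
            if (groupMatches($group, $user)) {
                return false;
            }
        } else {
            $allowGroups[] = $group;
        }
    }
    if ($allowGroups === []) {
        return true;
    }
    foreach ($allowGroups as $group) {
        if (groupMatches($group, $user)) {
            return true;
        }
    }
    return false;
}

// Constructed groups on one object/action, following the text above.
$groups = [
    ['type' => STRICT, 'keys' => ['Level' => ['Manager'], 'Project' => ['ABC'], 'Country' => ['UK']]],
    ['type' => STRICT, 'keys' => ['Project' => ['ABC'], 'Country' => ['Vietnam']]], // Level not set
    ['type' => DENY_LOOSE, 'keys' => ['Level' => ['Contractor']]],                 // added deny group
];

// Constructed users.
$users = [
    'UK manager on ABC'         => ['Level' => ['Manager'],    'Project' => ['ABC'], 'Country' => ['UK']],
    'Vietnam developer on ABC'  => ['Level' => ['Developer'],  'Project' => ['ABC'], 'Country' => ['Vietnam']],
    'Vietnam contractor on ABC' => ['Level' => ['Contractor'], 'Project' => ['ABC'], 'Country' => ['Vietnam']],
    'UK developer on XYZ'       => ['Level' => ['Developer'],  'Project' => ['XYZ'], 'Country' => ['UK']],
];

foreach ($users as $name => $user) {
    printf("%-26s %s\n", $name, isAuthorized($groups, $user) ? 'authorized' : 'rejected');
}
```

The contractor is rejected by the Deny Loose group even though the second Strict group would match them, which is what the deny-first assumption buys you. That assumption is the part to verify: if the real engine simply authorizes on the first group that passes, a Deny group that does not match would grant access to every user, so test the combination in your own installation before mixing Deny and Strict/Loose groups on one object/action.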

Adding Classifiers and Categories

Classifiers are the ways you split your users;

Categories are the actual groups of users.

e.g.

Classifier: Country, Level, department, branch, gender, age

Category: the actual countries, departments, etc.

For best results, model your organization, users and roles in Tequila security.

The page returns an error message

If you get the message:

Security is configured incorrectly and is running in cycles, please set proper permissions for notauth

This means you have locked yourself out of the system: the sec_manager cannot be accessed, and neither can the notauth page nor the login page (both defined in config).

Try rolling back your last security setting, or add these entries to the db directly and authorize your user.