Security Manager
All Tequila tasks and modes pass through the security layer without any code on your part, so you can restrict who can execute specific tasks using the built-in security manager.
Security information is stored in the tables whose names start with sec_; these tables hold a lot of data that is better explained in "The security model".
The visual editor
To simplify security management, Tequila includes a visual editor. You can access it by browsing to:
yourapplication/index.php?task=sec_manager
Editor regions
Object / action tree
In Tequila every object is identified by an LDAP-style name, e.g.
systems.yoursystemname.tasks.yourtaskname.delete
The editor shows this as a tree view, where:
1) Each level becomes a branch, called an object
2) Modes are called actions
So actions are executed on objects.
Modifying/Adding objects and actions
To see the operations available on any node of the tree:
1) Click the node you want to edit
2) Click the "Show Actions" link in the right-hand panel
Which objects and actions can I add?
That depends on your application; you can add any object, including objects that do not exist in Tequila itself but that you want to check from your own code.
Inheritance
Security is inherited through the LDAP-style naming: if an object has no assignment, the security engine looks for one in its parents, e.g.
systems.yoursystem.tasks.view
Every task in this system that has no definition of who may use the view method inherits from it.
My system is empty!
The Tequila database ships with only the 'systems' node; just add two children:
1) A child of systems with the name of your system (as defined in config)
2) A child of (1) named tasks
After this, add any task you want to secure explicitly.
Securing special objects
In Tequila you can secure any object. For example, suppose you decide to secure a region in:
- Task: Customer task
- Mode: edit
- Region to secure: last_action
Object: systems.yoursystem.tasks.Customer.last_action
Action: edit
Then you can use the manager to define who can and who cannot view this block.
For a special setting like this to work, you need to check security from your own code:
global $appname, $sec; // the system name as defined in config, and the security manager
$is_authorized = $sec->auth("systems.$appname.tasks.Customer.last_action", "edit"); // may the current user 'edit' this region?
You can also create independent trees, e.g.
system.contentManager.folders.user.inbox
The 'all' action and inheritance order
When you need to secure a task completely (every action), just create the 'all' action. Tequila resolves security in this order:
1) Specific object + specific action
2) Specific object + all
3) Parent object + specific action
4) Parent object + all
5) Repeat for each parent up to systems
6) Return the global security setting from config
Setting security
Once you have created your objects and actions you can define who can use them. Tequila supports four types of security:
Strict: only a user who has all the keys (belongs to all the categories)
Loose: a user who has any of the keys (belongs to any of the categories)
Deny Strict: the opposite of Strict; a user who has all the keys is rejected
Deny Loose: the opposite of Loose; a user who has any of the keys is rejected
This allows really powerful combinations, such as:
Level: Manager
Project: ABC
Country: UK
* You can read more on the "Security model" page.
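To show how the resolution order and the four security types combine, here is an added PHP example that is not part of Tequila; the $assignments array, rule_allows() and resolve() are assumed stand-ins for the sec_ tables and $sec->auth(), and the object names, users and category keys are constructed.

```php
<?php
// Added illustration, not Tequila's own code: $assignments stands in for the
// sec_ tables and resolve() for $sec->auth(); both are assumptions. Keys are
// "Classifier:Category"; a classifier a rule leaves unset is not checked.
$assignments = [
    'systems.myapp.tasks' => [
        'all'  => ['type' => 'strict', 'keys' => ['Level:Manager', 'Country:UK']],
    ],
    'systems.myapp.tasks.Customer' => [
        'edit' => ['type' => 'loose', 'keys' => ['Project:ABC']],
    ],
    'systems.myapp.tasks.Customer.last_action' => [
        'view' => ['type' => 'deny loose', 'keys' => ['Country:Vietnam']],
    ],
];
// The four security types, applied to the keys a user holds.
function rule_allows(array $rule, array $userKeys): bool
{
    $hasAll = !array_diff($rule['keys'], $userKeys);            // every key present
    $hasAny = (bool) array_intersect($rule['keys'], $userKeys); // at least one key
    switch ($rule['type']) {
        case 'strict':      return $hasAll;
        case 'loose':       return $hasAny;
        case 'deny strict': return !$hasAll;
        case 'deny loose':  return !$hasAny;
    }
    throw new InvalidArgumentException("unknown security type {$rule['type']}");
}
// Resolution order: object + action, object + all, then the same for each
// parent up to 'systems', then the global setting from config.
function resolve(array $assignments, string $object, string $action, array $userKeys, bool $globalDefault): bool
{
    $parts = explode('.', $object);
    while ($parts) {
        $node = implode('.', $parts);
        foreach ([$action, 'all'] as $candidate) {
            if (isset($assignments[$node][$candidate])) {
                return rule_allows($assignments[$node][$candidate], $userKeys);
            }
        }
        array_pop($parts); // move up to the parent object
    }
    return $globalDefault; // stand-in for the global setting in config
}
$ukManager = ['Level:Manager', 'Project:ABC', 'Country:UK'];        // constructed: UK manager of ABC
$vnDev     = ['Level:Developer', 'Project:ABC', 'Country:Vietnam']; // constructed: developer in Vietnam
$region    = 'systems.myapp.tasks.Customer.last_action';
var_dump(resolve($assignments, $region, 'view', $vnDev, false)); // stops at the deny loose rule on last_action
var_dump(resolve($assignments, $region, 'edit', $vnDev, false)); // no edit rule on last_action, inherits Customer + edit
var_dump(resolve($assignments, 'systems.myapp.tasks.Orders', 'delete', $ukManager, false)); // only tasks + all matches
```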
Security groups
Groups let you define several series of rules. Following the previous example,
User 1 is the UK manager of Project ABC.
Now we need to give access to developers and leaders in Vietnam.
User 2 is:
Level: - Not set - (means all)
Project: ABC
Country: Vietnam
Adding Classifiers and Categories
Classifiers are ways of splitting your users;
Categories are the actual groups of users.
e.g.
Classifier: Country, Level, department, branch, gender, age
Category: the actual countries or departments, etc.
For best results, try to represent your organization, users and roles in Tequila security.
The page returns an error message
If you get the message:
Security is configured incorrectly and is running in cycles, please set proper permissions for notauth
this means you have locked yourself out of the system: neither the sec_manager, nor the notauth page (defined in config), nor the login page (also defined in config) can be accessed.
Try rolling back your last security change, or add these entries to the database and approve your user.