<< Click to Display Table of Contents >> NShape Concepts
|
NShape has a built in permission system that can restrict the end user's access to the framework's functionality. The basic concept relies on attributes set for restricted properties and commands that require certain permissions. As the security concept is meant for end users, not for the application developer, the setters of properties are not affected by the security system. Your code can manipulate all NShape objects without any restrictions.
NShape is shipped with a default ISecurityManager implementation, the RoleBasedSecurityManager. You are free to implement your own access restriction system but for most scenarios, the built in solution should be sufficient. So let's have a closer look.
As the name says, the role based security manager relies on roles for the users. Your application can assign these roles hard coded or dependent on the user's password, just as you need. The point is, that you are able to define a set of permissions for each user role. E.g. a supervisor user would typically have (more or less) full access to the editing capabilities whereas a designer user typically can modify the diagram's appearance but may not delete or insert shapes. An operator user would typically be able to load and view diagrams but may not modify the diagrams.
In order to archive a higher level of customizability, you can create up to 26 different sets of access restrictions for each user role. These subsets are called security domain and are identified by an uppercase letter from A to Z.
Each class implementing ISecurityDomainObject (typically shapes and diagrams) can be assigned to such a security domain. This way, you can limit access to certain shapes (e.g. shapes created by your application, shapes representing a wiring scheme, etc) while enabling the user to modify other shapes (e.g. annotation text shapes added by another user or the 'cable' shapes of a wiring scheme).
The required permissions can be sorted into categories which represent the basic actions users can perform. There are general permissions that stick to the user's role and domain specific permissions that belong only to a certain security domain.
General Permissions:
Name |
Description |
Design |
|
ModifyPermissionSet |
Same as Security. Obsolete in NShape 2.0 |
Security |
Assign a security domain any ISecurityDomainObject. This permission is security domain independent. Available only in NShape 2.0 |
Templates |
Edit, insert and delete templates. This permission is security domain independent. |
Domain Specific Permissions:
Name |
Description |
Connect |
Connect or disconnect shapes. This permission depends on the active shape of the connection. |
Data |
Modify data properties. This permission depends on the ISecurityDomainObject to modify. Available only in NShape 2.0 |
Delete |
Remove shape from diagram. This permission depends on the ISecurityDomainObject to remove. |
Insert |
Insert shape into diagram. This permission depends on the ISecurityDomainObject to insert. |
Layout |
Modify position, size, rotation or z-order of shapes. This permission depends on the shape to modify. |
ModifyData |
Same as Data. Obsolete in NShape 2.0 |
Present |
Modify the appearance of the shape (color, line thickness etc.) and assign another style. This permission depends on the shape to modify. |
Since NShape 2.0, you can specify whether a restricted property is only readable or not accessible at all through SecurityAccess:
Granting a permission with the option SecurityAccess.Modify, the property can be modified as usual. Granting a property with the option SecurityAccess.View, the property will be shown in the property editor but it cannot be modified.
Context menu items and properties that cannot be used / modified due to permission restrictions can also be hidden from the user:
The PropertyController.PropertyDisplayMode property specifies the visibility of properties in the property editor.
The HideDeniedMenuItems property of the presenter components Display, LayerPresenter, LayerListView, ModelTreeViewPresenter, ToolSetListViewPresenter and ToolSetToolStripPresenter specify the visibility of restricted menu items.
ISecurityDomainObject Interface