Introduction

Authorization System

Newly Created Users

---

 Planning an Authorization System

Before we start to explain details about where rights can be specified, this document lists some basic matters about right assignment.

The following tips and tricks serve to support you in setting up your own authorization system:

• Start developing the structure of your authorization system immediately after installation and before creating the first objects.
• Write down areas to be administered by your AE system. As an AE system consists of individual clients which are not connected to each other, large areas should be administered from extra clients. Highly sensitive areas can so be excluded and access only be granted to particular users.
• Agent rights are also defined on client level. You can decide for which client an agent is assigned and for which activities it can be used.
• Additional partial areas can be defined within clients. As rights are assigned via object names, a coherent naming convention is extremely important. Administration becomes easier and the risk of accidentally assigning too many rights can be minimized.
• A naming convention can be based upon execution processes that should be handled by AE. Names can include task areas, computer names, operating systems or company-internal terms. Administrative rights can exclusively be assigned to objects whose names start with "ADMIN", for example.
• Users play a crucial role in an authorization system. They should be administered via user groups as this saves time, is more comprehensible and significantly increases your AE system's safety. Authorizations that can be assigned to users are available in the form of rights for objects and privileges for UserInterface functions (e.g. access to Transport Case).
• Folders are objects and therefore rights can be assigned to them. Nevertheless, specifying folder rights does not prevent access to objects stored in them. A user who is not allowed to access a particular folder could still access an object of this folder (e.g. if it is used in a workflow. The "Edit" command is available from almost anywhere, hence also in  workflows). Therefore, objects that should not be accessed by particular users should also be protected.
•  Exclusively assign rights referring to object names and types.