Appendix B: Task Access

The advantage of having functions such as 'Create Object', 'Read Object', 'Update Object' and 'Delete Object' in separate tasks or transactions is that it becomes a very simple matter to grant or deny access to individual functions simply by setting or unsetting a switch on the Menu database. This means that all security checking can be performed in the menu system before a transaction is activated rather than within the transaction itself after it has been activated.

The list of Tasks which a User is allowed to access is known a Security Profile, Access Profile or Access Control List, and is held on the ROLE-TASK table within the Menu database, as shown in Figure 1. Access Profiles are not created for individual Users, they are created for Roles. Each User must belong to one of these Roles, so by changing the Access Profile for a Role you effectively change the Access Profile for all Users of that Role.

Figure 1 - Database structure

There are two ways of viewing and maintaining the contents of the ROLE-TASK table:

• From screen List Roles use the navigation button labeled 'Task Access' to bring up screen Link Task to selected Role. This will allow you to grant or deny access to individual Tasks for that Role.
• From screen List Tasks use the navigation button labeled 'Task Access' to bring up screen Link Role to selected Task. This will allow you to grant or deny access to individual Roles for that Task.

This Access Profile is used in two places:-

• Within the menu bar so that tasks which are not in the Access Profile can be excluded from the display and therefore cannot be selected.
• Within the navigation bar for any task so that any child tasks which are not in the Access Profile can be excluded from the display and therefore cannot be selected.