Roles, domains, and access groups - HxGN SDx - Update 64 - Administration & Configuration

Administration and Configuration of HxGN SDx

SmartPlant Foundation / SDx Version: 10

As described in the introduction, domains are used to segregate data. Even the simplest implementation has separate domains for the schema, system administration, and instantiated data items. Some domains must always be accessible. For example, all users require access to the schema. To support this, domains are linked by a dependent domain relationship, which makes role configuration more straightforward because the administrator may not be aware of the internal domain dependencies. For example, the HxGN SDx domain is dependent on SPFREFERENCE, which is dependent on ADMIN, which is dependent on SCHEMA.

Domains control user access in the following manner:

  • Objects are created in a specific domain as dictated by the class definition componentization shown at the top of the following model diagram.

  • A user cannot see objects in a domain to which they do not have access.

  • Domains can be used to restrict user access to the data in a given domain.

  • Domains do not control access to commands. The domains are configured on the role/access group relationship as described in the sections that follow.

As described in the introduction, owning groups provide a mechanism for owning objects. The owning groups to which a user has access are those configured on the role/access group relationship as described in Object ownership.

ISPFRole interface

ISPFRole is the primary interface of the SPFRole class. Roles are related to each other in a hierarchy to control who can assign users to which roles. For a user to be able to assign users to a role, the user must have access to the role assignment method, and the user must be in a role that manages other roles.

Functionality configured on ISPFRole

Basic commands such as Terminate, Copy, Update, and Edit Relationships are configured on this interface.

Manage Access Groups is provided to make it easy to configure the role/access group relationships.

ISPFAccessGroup interface

ISPFAccessGroup is the primary interface of the SPFAccessGroup class.

SPFAccessGroupConfigStatus relationship definition

The SPFAccessGroupConfigStatus relationship to the SPFConfigurationStatus object is used to control when this access group is applicable during the lifecycle of a configuration, such as a project. When a user sets the create configuration the user is working in, the status of that configuration is used to determine which access groups are applicable. For example, an access group controlling interactive commands like Update and Delete would only be valid for an active project.

Functionality configured on ISPFAccessGroup

Basic commands such as Terminate, Copy, Update, and Edit Relationships are configured on this interface.

ISPFClassDefAccessGroup interface

ISPFClassDefAccessGroup is used to control user and role access to create, read, update, and delete database operations. When the properties are set on the interface, you can restrict an access group to the commands using the SPFClassDefAccessGroup relationship definition.

ISPFRelDefAccessGroup interface

ISPFRelDefAccessGroup is used to control access to create, read, update, and delete database operations. When the properties are set on the interface, you can restrict an access group to the commands using the SPFRelDefAccessGroup relationship definition.

ISPFDataAccessGroup interface

ISPFDataAccessGroup is the primary interface of the SPFDataAccessGroup class.

Functionality configured on ISPFDataAccessGroup

Basic commands such as Terminate, Copy, Update, and Edit Relationships are configured on this interface.

ISPFRoleAccessGroup interface

ISPFRoleAccessGroup is a link interface for the SPFRoleAccessGroup relationship. This link interface has the relationship definitions (RelDefs) to the data access group and domains. Details of this relationship are given in the next section.

SPFRoleAccessGroup relationship definition

The SPFRoleAccessGroup relationship links the message access groups to the role. Domains and data access groups are identified on this relationship. They are configured by using Edit Relationships on the role or data access group.

The following very important rules apply to these relationships:

  • Relating a domain restricts the use of that access group to data in that domain.

  • Multiple domains can be related (dependent domains are automatically traversed, so only the top level needs to be related).

  • The domain relationship is used to identify the set of query domains for a role. That is, the set of query domains is the complete set of domains found on a role's access group relationships.

  • At least one domain must be related to at least one role/access group.

  • If no domain is related to a role/access group, that role/access group cannot access the objects in any domain.

  • Relating an owning group potentially restricts the use of that access group to data in that owning group. This is enabled on the access group/method relationship. This is only tested on methods using an updating client API.

  • Multiple owning groups can be related (there are no group dependencies).

  • No related owning group is equivalent to relating all owning groups; that is, the access group is applicable to all data in all owning groups.
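The rules above can be modelled to review a role's configuration before it is deployed. This is an added example, not HxGN SDx code or its API: the `Link` class, the `owning_group_check` flag (standing in for the setting on the access group/method relationship), and the access group and owning group names are assumptions; only the domain chain comes from this page.

```python
from dataclasses import dataclass

# Dependent-domain chain quoted on the page; a real installation defines more.
DEPENDS_ON = {"HxGN SDx": ["SPFREFERENCE"], "SPFREFERENCE": ["ADMIN"],
              "ADMIN": ["SCHEMA"], "SCHEMA": []}

@dataclass(frozen=True)
class Link:
    """One role/access group relationship (illustrative model, not an SDx class)."""
    access_group: str
    domains: frozenset = frozenset()        # top-level domains related to the link
    owning_groups: frozenset = frozenset()  # empty = all owning groups

def expand(domains):
    """Follow dependent domains so only the top level needs to be related."""
    seen, stack = set(), list(domains)
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(DEPENDS_ON.get(d, []))
    return seen

def query_domains(links):
    """Query domains of a role: every domain found on its access group links."""
    return set().union(*(expand(l.domains) for l in links))

def applies(link, obj_domain, obj_owning_group, owning_group_check=False):
    """True if the access group can be used on an object in this domain/owning group.
    owning_group_check stands in for the access group/method relationship setting."""
    if obj_domain not in expand(link.domains):
        return False                      # no related domain: no objects in any domain
    if owning_group_check and link.owning_groups:
        return obj_owning_group in link.owning_groups
    return True                           # no related owning group: all owning groups

def audit(role, links):
    """Flag configurations that break the rules listed above."""
    findings = [f"{role}/{l.access_group}: no domain related, access group is unusable"
                for l in links if not l.domains]
    if not query_domains(links):
        findings.append(f"{role}: no query domains, role cannot see any data")
    return findings

# Constructed sample role; access group and owning group names are made up.
SAMPLE = [Link("ViewData", frozenset({"HxGN SDx"})),
          Link("EditData", frozenset({"HxGN SDx"}), frozenset({"OG-PlantA"})),
          Link("Orphan")]

if __name__ == "__main__":
    print(sorted(query_domains(SAMPLE)))
    print(audit("Engineer", SAMPLE))
```

Relating only the top-level domain yields all four query domains, and the `Orphan` link is reported because it has no related domain.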

SPFDomainDomainGroup relationship definition

The SPFDomainDomainGroup relationship links the domain to the domain group, which has a mapping to a set of database tables via the table prefix property.

See Also

Role configuration