Administration

The menu item [Admin]->[User/Groups]->[Administration] allows the administration of the users and groups entered in LIMBAS. The user or group is selected via the tree view or the search function.

LIMBAS Rights System

For the assignments of rights in Limbas applies:

• A user without group affiliation has no rights. A user is granted rights only by belonging to one or more groups.
• Groups can have subgroups. A subgroup can only have the same or fewer rights than the one above. Recursive rights (obligations) are automatically assigned to the subgroups.
  • For the following functionalities, a table right or recursive right can be granted:
    • Rights:
      • View Record (see see)
      • Create Record (see create)
      • Delete Record (see delete)
      • Edit Record (see edit)
      • View versioned Records (see show all versioned records)
      • Archive Records (see archive)
      • Time-unlimited blocking of records (see unlimited block)
      • Manage user rights for all records(see Manage user rights for all records)
      • Manage user rights for self-created records (see Manage user rights for self-created records)
      • Inherit user rights hierarchically (see Inherit user rights hierarchically)
      • Copy the table field contents when copying a data record (see possible to copy)
    • Recursive Rights (Obligations):
      • Mandatory entry in a table field (see Mandatory Entry)
      • Mandatory versioning when changing a table field if automatic versioning is set (see versioning)
  • For the following functions a file right can be granted:
    • See files
    • Add files
    • Create folder
    • Edit metadata
    • Delete folders/files
    • Lock files
  • For all menu items entered under [Admin]->[Setup]->[Menu Items], a menu right can be given.
  • For the following functions a report/form right can be granted
    • Call from the menu (see Report/Form Rights)
    • Hidden call (see Report/Form Rights)
• A user with administrator rights can only admin the data for which he himself is in his main group (see Main Group / Sub Group) is authorized. For example, a table to which he has no read permission is not displayed to him at all.

Likewise, he can only assign other users the rights he owns through his main group.

LIMBAS only allows settings that comply with these rules:

• If a table field in a parent group does not have a right, that right can not be granted in the subset. The gray checkbox for the grant of the right can not be activated with a mouse click.
• If a table field in a super-ordinate group has a recursive right (obligation), this recursive right in the subgroup can not be deleted. The gray checkbox for granting the right can not be deactivated by mouse click.
• If a parent group is deprived of a right, it is automatically deleted from all subgroups.

The super administrator with user ID 1 (in the case of LIMBAS installation, he is set up with the user name “admin”) from the group “admin”, ID 1 is an exception in compliance with the rules:

• He can manage all the data, even if he himself or another user with administrator rights has actually denied him the right to do so. This eliminates the risk of accidentally locking yourself out of the system.
• It can assign more rights to a subgroup than the parent. He can do this by assigning a single right or by changing the parent group (see Main Group) of a group. It is his responsibility to comply with the rules in order to ensure a manageable system or to be responsible for meaningful exceptions.
• He can not be deleted. Only the user name can be changed.
• If a new user is created with the super-admin indicator, he will receive the same rights as the user “admin” set up during the installation.

Tree View

The tree view shows all users entered in LIMBAS and their assignment to the groups.

• Clicking on a user symbol or a user name displays the corresponding user data (see User Data) to the right of the tree view.
• When you click on a folder symbol of a group, a list with the users assigned to this group is displayed to the right of the tree view (see Search).
• By clicking on a group name, the corresponding group data (see Group Data) are displayed to the right of the tree view.

Search

When you click on “Search”, a list with the users that match the search criteria is displayed to the right of the search mask.

• User: By clicking on a user name of this list, it will be replaced by the display of the corresponding user data.
• lock: see lock
• Debug: see Debug
• History: see History
• Statistics: see Statistics
• show all user/active users/blocked users/deleted users: By setting the corresponding radio button, only the users that match the search criteria and this additional filter will be listed.
• send credentials: The users selected with the checkbox in front of the user name will be informed by e-mail about their valid login information in LIMBAS.

User Data

The user data is stored in the LIMBAS system table “lmb_userdb”.

User Data

• user-id: Unique identification of the user given by LIMBAS.
• Username: Unique identification of the user (min. 5 characters) with which the user logs on to the system. If the user name is to be changed, a new password must be assigned at the same time.
• Password: password of the user (min. 5 characters): Existing passwords are not displayed. The text input field only shows keystrokes and is used to change the password. By clicking on the symbol to the right of the text input field, LIMBAS suggests an eight-digit password. Passwords are stored in LIMBAS md5-encrypted. Only if the environment variable “clear_password” is set accordingly, passwords are also stored in readable format (see clear_password).
• First Name/Name: LIMBAS informs on the user interface which user is currently logged in. In addition, various actions, e.g. creating a form, the user logged. The corresponding display requires the first name and name of the user.
• E-Mail: The e-mail address is required to enable the sending of LIMBAS generated e-mails (for example, if the user data is changed by a user with administrator rights).
• Description: The description of the user provides the opportunity to record further information about the user. LIMBAS does not further process this information.
• Main Group / Sub Group: Various rights of the user are determined in LIMBAS by the membership of the groups (see Group Data). Each user is associated with at least one group, its main group. But he can also be a member of other groups and thus possibly receive additional rights.
• IP-range: Authorized IP addresses and/or IP address spaces for accessing the LIMBAS installation. Multiple IP addresses/address spaces can be entered separated by spaces or a line break.
• Color Code: Color in hexadecimal notation used to recognize a user, e.g. for use within its own extension for highlighting user-specific objects, e.g. Calendar entries.

General Settings

• Password valid until: After expiration of the password, the user is no longer authorized to log in to LIMBAS. If the user is to have unlimited access, this entry must be left blank or deleted.
• Allow password change: Specifies whether the user under [Profile] -> [Profile] -> [Settings] is given the opportunity to change his password.
• Session Lifetime: The user’s session persists even after the browser has been closed for that time. As a result, the settings of a session are retained over several starts of a browser. This can speed up logon for large amounts of data since the session does not have to be reinitialized after restarting the browser. The requirement is that the user does not actively log out and that the browser does not delete cookies.
• Log-Level: The log level defines whether no actions (0 (only create / copy / delete records)), only changes to table contents (1 (DB actions only)) or all actions (2 (complete logging)) should be logged (see History).
• Language: The language setting for the user interface is individual for each user. The different languages can be provided under [Admin]->[Setup]->[Language]. If a language is set for which there are open language entries, so for which not all texts are translated, these untranslated texts are displayed in another available language.
• Date Format: Time and dates are displayed in the selected format.
• Time Zone: Time and dates are displayed in the selected format. Valid values for the time zone can be found under time zones. It should be noted that the set time zone must be supported by the system running LIMBAS.
• Local Settings: The formatting of country-specific date, currency and number formats is determined by the local setting. It should be noted that the registered local setting must be supported by the system running LIMBAS to obtain the desired display. (see setlocale)
• Color Scheme: The colors of the user interface are determined by the set color scheme. The different color schemes can be provided under [Admin]->[Setup]->[Scheme].
• Layout: The position and size of UI elements are determined by the layout that has been set. The different layouts can be provided as described under Layout.
• max. number of hits: The maximum number of table entries that are shown without break can be set individually for each table. If there is no individual setting, the value entered here is used.
• max. upload size: The user may only upload files up to the specified size.
• Lock Message: Note that is displayed to the user when he is locked (see lock).

Actions

• lock: Locks the user for whom a text (for example, an indication of the reason for blocking) can be displayed (see Lock Message).
• Debug: Toggles the output of LIMBAS error messages in the browser on/off. ODBC errors are logged regardless of this setting (see [Admin]->[Tools]->[Error Report]).
• Static-IP: During a session, does not allow changing the IP address (through dynamic IP address assignment) used to access the LIMBAS installation.
• Sessionrefresh: A reset is performed for this user.

• History: For displaying the history, a new window with three tabs opens.
  • Login: All sessions of the user in the selected period are logged with start time (login), end time (logout), duration and host (IP address) of the logon (LIMBAS system table “lmb_history_user”).
    
    Since there is no explicit logoff when the browser is closed, the end time is the time of the last action of this session. Re-login operations of a session that persist across multiple browser launches (see Session Lifetime) are not considered here.
  • Action: The logged actions (see Log-Level) of the user in the set period are listed with a time stamp, table name and record ID, if applicable. It can be set whether all actions (Level 2) or only changes to table contents (Level 1) should be taken into account.
  • observe: Every 30 seconds, the actions (level 2) of the user are updated.
• Statistics: For the display of the statistics, a new window opens, in which it is shown in calendar form when the user was logged in to the system. You can switch between day, week, month and year view. In the day view, clicking on the active time additionally opens the history window (see History).
• Send infomail to user: The user will be informed by e-mail about the changes made.
• change: Settings, changes and actions are saved, activated and/or performed in the database.
• delete: The user is deleted.
  • incl. user directory: Only if this option is set will the personal directory be deleted when deleting the user, otherwise it will remain.
  • delete completely: Only if this option is set will the user be completely deleted, otherwise it can be reactivated and the actions he has performed remain known in the system.

Group Data

general

• ID: Unique identification of the group awarded by LIMBAS.
• Group: Unique name of the group
• Description: The description of the group offers the possibility to note information about the group. LIMBAS does not further process this information.
• created: Information about when this group was created.
• Main Group: This setting is visible only to the super administrator with user-id 1: Name of the parent group if present, otherwise (group is subgroup of “root”) this field is empty. The super administrator can change the parent group (see LIMBAS rights system)
• User: The select list shows all users assigned to this group. If you select a user, you will be taken to their user data.
• Detour: All users with this group entered as the main group are redirected directly to the link specified here after the start of a LIMBAS session. The menus of the standard LIMBAS interface are not shown in this case, so the entire screen is available for the given link. A sensible use of this setting would be, for example, to redirect a specific user group to the relevant table for them, if necessary with their own form.
• Multi-purpose window: The file(s) ./limbas_src/extra/multiframe/*.dao selected here determine the appearance and functionality of the multi-purpose window on the right edge of the browser.
• Takeover rights of the upper group: Tables Rights/File Rights/Menu Rights/Form/Report Rights: These options are only available for subgroups and when creating a new group. If this option is activated, the corresponding rights of this group are taken over from the parent group. When creating a new subgroup of “root” this option is displayed but ineffective.
• change: Settings, changes and actions are saved, activated and/or performed in the database.
• delete: The group is deleted, provided that no users are assigned to this group. Assigned users may need to be previously assigned to other groups or deleted.

Table Rights

The table rights and group-individual settings are defined individually for each table.

For a newly created table, the group “admin”, ID 1 receives the required table rights as soon as a table field is inserted (additional rights have to be added by the super administrator if necessary). All other groups have no rights for the time being, so they must first be assigned by a user of the administrator group.

Different table rights and group-individual settings depend on general Table Settings. The rights of Queries are also very limited. Therefore, the settings explained below are not all applicable to each table. Symbols not present on a table mean that the corresponding setting can not be made.

If the mouse pointer is left on a symbol for a short time, a keyword for its functionality is displayed:

• Rule for Write Permission: PHP function (see Create display/edit rule) with “true”/”false” result (Don’t forget “return” and “;” !).

If true, users in this group are not allowed to change the contents of the table. LIMBAS also provides identical functionality for each individual table field (see “edit”).

• Indicator Rule: A function, as described in Indikators, can be assigned to a table. Note, that opening such a function is done from this script ./limbas_src/gtab/gtab.lib. For the (Transfer) parameter, ‘Variables’ from this script should be used. A possible entry could therefore be:
  return indicatorRuleFct($gtabid,$i,$gresult);
• Versioning Type: This option is only available if the versioning of the table is allowed.
  • manually: The versioning of a data record must be performed manually by a user.
  • automatically: The versioning of a data record takes place automatically if a user of this group changes the content of a field which is selected in “versioning” (see the following functionalities). If no field is selected, users of this group can not version the records of the table.
  • If no entry is made in the select field, users of this group can not version the data records of the table.
• Standard Form: This option is only available if there are one or more forms (see Forms) for the table. In this case, the form with which users of this group are shown by default the data records of the table for viewing/entering/changing/deleting data is selected. This option also applies to the calendar view or document details. In this case, a form must be created for the ldms_files table or its corresponding calendar table.
• trigger: This option is only available if there are one or more triggers (see triggers)for the table. In this case, triggers can be selected here that are executed when a user of this group performs a corresponding action on the table.
• Do not show table in menu: If this option is set, the table will not be listed in the table menu for users of this group.
• Show all versions: This right can only be assigned if the versioning of the table is permitted. Granting this right gives users in this group the ability to view and modify versioned records as well as older versions. When the record is displayed, the version is displayed. If this right is not granted, only the most recent version of a record can be viewed or changed.
• lock unlimited: This right can only be assigned if it is possible to block individual data records of this table. With granted rights, the users of this group are authorized to block individual records of this table for any time.
• archive: This right allows the users of this group to archive records of the table or to restore archived records of the table. Archived records are not displayed in the default list view. They can still be changed, versioned or deleted.
• Manage user rights for all records: This right can only be granted if the individual assignment of access rights to individual records of this table is possible. If the right is granted, users of this group have the right to set access rights for all records. This also means that they themselves have the right to access all records in this table.
• Manage user rights for self-created records: This right can only be granted if the individual assignment of access rights to individual records of this table is possible. If the right is granted, the users of this group are entitled to set the access rights for self-created records. The prerequisite for this is that they have not been deleted by another user with the appropriate authorization, the access right to this record.
• Inherit user rights hierarchically: This right can only be granted if the individual assignment of access rights to individual records of this table is possible. If the right is granted, the users of this and all higher-level groups have access rights to records created by any user whose main group corresponds to this group. The prerequisite for this is that they have not been deleted by another user with the appropriate authorization, the access right to this record. The meaning of the whole is that when a user creates a record only once no other user can read or write this record. In order to prevent that with each creation of a data set first the rights must be set there is this auto rights assignment. By clicking on the group symbol, the automatically assigned rights can be extended to higher-level groups.
• Create: This right allows users of this group to create new records for the table.
• Delete: This right allows users of this group to delete existing records from the table.
• See: This right is set individually for each table field. It indicates whether the users of this group will see the table field at all.
• Edit: This right is set individually for each table field. It allows the users of this group to change the contents of the table field.
• Required field: This recursive right (obligation) is set individually for each table field. It obliges users of this group to fill in this table field before saving the record. This assumes that the “edit” right is set for this user group. CAUTION: When using Internet Explorer, this setting can not be checked for “long” table fields with the WYSIWYG option (see Field Types)set. In this case, the record is saved if necessary, without the corresponding table field is filled.
• Copy: This right is set individually for each table field. It allows the table field content to be copied when the record is copied. If it is not granted, the table field remains empty for the time being when the record is copied. The copy of table fields is also possible without reading right (see). The field copy is then not visible to the user. This can for example be the case during versioning.
• Edit List: This setting determines whether the field can be edited in list view, even if the user did not enable “Edit List”.
• Options: This setting determines whether or not users of this group will see a small black triangle in the detail view for entering the selection details.
• Voice Recognition: This setting enables the voice recognition for the text field.
• Versioning: This recursive right (obligation) can only be granted if the versioning of the table is permitted and the versioning type for this user group is set to “automatic”. A record is automatically versioned if a user of this group changes the content of a selected table field.
• Columns Background Color: This setting determines whether a record field for users of this group is highlighted in the list view.
• Default: If a user of this group creates a new record, the entry from this field is entered as the default value.
• Filter Rule: The filter rule makes it possible to filter records of a table depending on the membership of user groups. Each user will only see the records that match the filter rules of their main and subgroups. The filter rule thus makes it possible to authorize/deny access to data records without the use of an internal additional table, as in the case of individual access rights to individual data records. There are the following options for entering the filter rule:
  • Takeover of the individual filter settings made in the current session: After setting the filter rules in the current session, the display of the table rights must be updated (if multiple tabs are used in the browser, otherwise it will be done automatically). By clicking on the column heading “Filter rule”, the individual filter settings made for the currently selected user group are set.
  • Enter the filter rules for each of the table fields using the syntax of the SQL WHERE clause (without WHERE, for example, “tabUser.fieldPLZ> 50000”, where “tabUser” is the table name and “feldPLZ” is the name of the table field). Variables can also be used. The string concatenation has to be maintained by PHP.

 kalender.erstuser = ".$session['user_id']."
 kalender.erstgroup = ".$session['group_id']."
 ".$gtab['table'][$gtabid].".erstuser = ".$session['user_id']."
 (KUNDE.LAND = 'Deutschland' OR KUNDE.LAND = 'Spanien')
 AUFTRAG.ERSTDATUM <= ".convert_stamp(time())."

• Edit Rule: PHP function (see Create display/edit rule)with “true”/”false” result (Don’t forget “return” and “;” !).
  If true, users in this group are not allowed to change the contents of the table. LIMBAS also provides identical functionality for each individual table field (see above).
• Trigger onCh: This option is only available if there are one or more triggers (see triggers)for the table. In this case, triggers can be selected here that are executed when a user of this group performs a corresponding action on the table.
• Format: For numeric values, the format can be set in the detail and list view for the users of this group. For the formatting of the numeric field types, LIMBAS uses the PHP function number_format, whose parameters 2-4 are read from the “additional” field. The parameters must be entered as they are passed to the function. The following examples show how 1234,56 is represented:
  • 2, ‘,’, ‘ ‘ ==> 1 234,56
  • 1, ‘:’, ‘x’ ==> 1×234:6
• Extension: LIMBAS allows individual extensions(modifications) for the display of a table field (see Field Type Extension).
• Apply: The settings made are saved in the database and activated.
• Inherit: If this option is selected, clicking on “Accept” will change all the settings changed for this group in compliance with the LIMBAS rights system also for all subgroups that may exist.

File Rights

The file permissions grant access to the individual folders of the file manager. Newly added folders get the rights of the parent folder in each group.

If the mouse pointer is left on a symbol for a short time, a keyword for its functionality is displayed:

• open all: In the folder structure shown for the allocation of file permissions, all folders including all sub-folders are displayed.
• close all: In the folder structure shown for assigning file permissions, only the parent folders are displayed.
• open all entitled: In the folder structure shown for assigning file permissions, in addition to the parent folders, all folders with the “View files” right and their direct sub-folders are displayed.
• Incl. sub : If this option is selected, a changed file right will be adjusted for all existing sub-folders. Removing the View Files right always affects all sub-folders regardless of this setting.
• view files: This right allows users of this group to see files in this folder.
• add files: This right allows users of this group to add files to this folder.
• create folder: This right allows users of this group to create sub-folders in this folder.
• edit metadata: This right allows users of this group to edit the metadata of the files in this folder.
• delete files/folders: This right allows users of this group to delete files and sub-folders from this folder.
• lock files: This right allows users of this group to lock files from this folder.
• authorized groups: When you click on the info icon, a window appears with the list of all groups that have rights for this folder.
• apply: Made settings are stored in the database and activated.
• Inherit: If this option is selected, clicking on “Accept” will change all the settings changed for this group in compliance with the LIMBAS rights system also for all subgroups that may exist.

Menu Rights

All menu items entered under [Admin]->[Setup]->[Menu Items] are individually authorized or blocked here. In the highlighted lines whole groups/subgroups of menu items can be authorized or blocked at the same time by a mouse click.

For a newly created menu item initially receives only the group “admin”, ID 1, the menu right. All other groups may need to be assigned by a user of the Administrators group.

A user is assigned and displayed only the menu items for which he is authorized in at least one group. Otherwise, the menu item is not visible to the user.

• apply: Made settings are stored in the database and activated.
• Inherit: If this option is selected, clicking on “Accept” will change all the settings changed for this group in compliance with the LIMBAS rights system also for all subgroups that may exist.

Report/Form Rights

All reports, forms and diagrams created in LIMBAS are individually authorized or blocked here. A distinction is made between calling from the LIMBAS menu and hidden call, e.g. out of a script. In order to enable the call from the menu for a user group, only the “Rights” checkbox should be selected. Once this is saved, the checkbox “hidden” will appear, which should be activated if the users of this group should be able to make a hidden call, the report/form/diagram will no longer appear in the menu.

For newly created reports, forms and diagrams, for the time being only the group “admin”, ID 1 receives the corresponding right. All other groups may need to be assigned by a user of the Administrators group.

A user can view only the reports, forms, and charts for which he or she is authorized in at least one group. Otherwise, the report, form, or chart is not visible to the user.

• apply: Made settings are stored in the database and activated.
• Inherit: If this option is selected, clicking on “Accept” will change all the settings changed for this group in compliance with the LIMBAS rights system also for all subgroups that may exist.