Access ControlConfiguring Access for Cross Reference Tables

You must ensure that users who are expected to use the cross reference table applications are granted the permissions they require. This includes not only role-based permissions and access to the XrefAdminApplication or XrefUserApplication, but also permissions to access the data services and objects with which the applications interact.

Who are the users who need access to the cross reference table applications?

The users who need access to the cross reference table applications depend on your organization's needs. You can configure permissions on the cross reference table folder, applications, and data services, as well as customize roles to meet the needs of your organization.

Example

Suppose you determine you need two types of cross reference table applications users:

  • Users who can view and modify data in the tables using the XrefUserApplication
  • Users who can view and modify data in the tables, as well as create, edit, and delete tables in the database using the XrefAdminApplication

What are the basic permissions required?

The permissions required depend on the cross reference table application. By default, users such as a DesignerClosed Person who creates and designs label templates, forms, and applications for use by Data Providers. or Document PrinterClosed The view that is displayed to a user on the Print page that allows the user to enter information for a label. A Designer can configure this view in the Form view on the Label Design page. can see the Cross Reference Table App folder and its contents (that is, List permission for Folders and Read permission for Documents, Processes, and Data Services is granted on the Cross Reference Table App folder). However, only a LOCAL_ADMINClosed A Loftware role with most administrator permissions as well as all of the permissions for a DOCUMENT_DESIGNER and a DOCUMENT_PRINTER. By default, all pages are displayed to users with this role. can open and use the applications in Applications  by default.

XrefUserApplication

Access to the XrefUserApplication requires certain role-based permissionsClosed Permissions that are assigned to a role and inherited by users who are members of a group to which that role is assigned or by users to whom the role is directly assigned. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object. and object access permissionsClosed Permissions in Loftware associated with a specific object or with a folder that control what actions can be performed on that object or on objects within that folder. Each object has default permissions that can be overridden by exceptions for a specific group or user. A user must have both a role-based permission and the corresponding object access permission to perform an action on an object..

At a minimum, a user must have page access to Print Print and have the following permissions granted to use the XrefUserApplication:

  • Data Services: READ, WRITE, CREATE, DELETE, PRINT
  • Device Groups: READ, PRINT
  • Devices: READ, PRINT
  • Documents: READ, PRINT
  • Folders: READ
  • Integrations: READ
  • JVM Processes: READ
  • Jobs: READ, CREATE, PRINT
  • Model Status: READ
  • Processes: READ, PRINT
  • Servers: READ

The following permissions must be granted on the Cross Reference Table App folder for the user or group:

  • Folders: Read, List
  • Documents: Read, Write, Create, Delete, Admin, Print, Reprint
  • Device Groups: Print, Reprint
  • Servers: Print
  • Jobs: Read, Create, Print, Reprint
  • Processes: Read, Print
  • Integrations: Print
  • Data Services: Read, Print

Important! Although you can grant permissions on specific objects in the folder, it is simpler to grant permissions on the entire folder for a user or group and then control READ permission on the applications in the folder. For example, to allow a group to use the XrefUserApplication but not the XrefAdminApplication, it is recommended that you can grant the above permissions on the Cross Reference Table App folder for a group and then deny Read permission on the XrefAdminApplication.

To allow a user to view and modify data in the tables using the XrefUserApplication, you could do the following:

  1. In Access Control Access Control, create a new role named XrefUser with the permissions listed above at a minimum.
  2. Create a new group named XrefUserGroup and assign the XrefUser role to the group.
  3. Assign the XrefUserGroup group to the users who need access to the XrefUserApplication, or create a new user named XrefUser and assign the XrefUserGroup group to the user.
  4. On the Cross Reference Table App folder, configure folder access for the XrefUserGroup as listed above.
  5. On the XrefAdminApplication, deny Read permission for the XrefUserGroup. As their permissions do not allow them to use the XrefAdminApplication without receiving an error, this may help avoid confusion by preventing users in this group from being able to see the XrefAdminApplication in Applications  .

XrefAdminApplication

Access to the XrefAdminApplication requires certain role-based permissions and object access permissions.

At a minimum, a user must have page access to Access Control Access Control, Print Print, and Data Services Data Services and have the following permissions granted to use the XrefAdminApplication:

  • Data Services: READ, WRITE, CREATE, DELETE, PRINT
  • Device Groups: READ, PRINT, QUEUE
  • Devices: READ, PRINT
  • Documents: READ, WRITE, PRINT
  • Folders: READ, WRITE
  • Groups: READ
  • Integrations: READ, PRINT
  • JVM Processes: READ, PRINT
  • Jobs: READ, WRITE, CREATE, DELETE, PRINT
  • Model Status: READ
  • Processes: READ, PRINT
  • Roles: READ
  • Servers: READ, PRINT
  • Tag Categories: READ
  • User Profiles: READ, WRITE
  • Users: READ

The following permissions must be granted on the Cross Reference Table App folder for the user or group:

  • Folders: Read, List
  • Documents: Read, Write, Create, Delete, Admin, Print, Reprint
  • Device Groups: Print, Reprint
  • Servers: Print
  • Jobs: Read, Create, Print, Reprint
  • Processes: Read, Print
  • Integrations: Read, Print
  • Data Services: Read, Write, Create, Delete, Admin, Print

To allow a user to view and modify data in the tables, as well as create and delete tables in the database using the XrefAdminApplication, you could do the following:

  1. In Access Control Access Control, create a new role named XrefAdmin with the permissions listed above at a minimum.
  2. Create a new group named XrefAdminGroup and assign the XrefAdmin role to the group.
  3. Assign the XrefAdminGroup group to the users who need access to the XrefAdminApplication, or create a new user named XrefAdmin and assign the XrefAdminGroup group to the user.
  4. On the Cross Reference Table App folder, configure folder access for the XrefAdminGroup as listed above.

What other permissions are required?

If you configure permissions as described above, a user with access to the XrefUserApplication can view and modify data for every table created by or imported to the XrefAdminApplication; however, you can prevent a user or group from being able to view or modify data for a specific table.

Prevent a user or group from viewing a table

You can prevent a user or group from being able to see (and therefore, also prevent the user from being able to modify) a specific table in the application by denying Read permission on both the READ and UPDATE data services for the table. A user who is denied Read permission on data services for a table does not see the table as an option in the View Data drop-down list in the application.

To prevent XrefUser from viewing or modifying a table named TABLENAME, do the following:

  1. In Access Control Access Control, click the TABLENAME_READ data service.
  2. On the Data Service Access tab, drag the XrefUser from the Users and Groups tree at the right of the window to the User/Group table.
  3. Deny Denied Read permission for the user.
  4. Click Save Data Service.
  5. Click the TABLENAME_UPDATE data service.
  6. On the Data Service Access tab, drag the XrefUser from the Users and Groups tree at the right of the window to the User/Group table.
  7. Deny Denied Read permission for the user.
  8. Click Save Data Service.

Prevent a user or group from modifying a table

You can allow a user or group to see a table in the application, but prevent them from being able to modify the data by denying Write permission on both the READ and UPDATE data services for the table. A user who is denied Write permission on data services for a table can select the table as an option in the View Data drop-down list in the application, but receives an error if they try to edit the data.