Currently we have three clients
used for production bound objects that application developers have only read
access to. The object developers in these clients,
the group I work in, rigorously follow standards of usage so have not needed anything
but the most basic folder type security.
We are investigating the
creation of a client for shared use by application developers. We wish to segregate the various development
groups based upon the object’s name.
We currently prefix all objects with a two character “system code”; i.e.
xx_SOME_OBJECT_NAME, and they exist in a like named folder structure. The developers would have full access to
create, modify and execute objects within their system’s folders.
We are at a loss of how to
create a viable and secure client where one group of developers cannot execute
or affect another group’s objects.
Folder security has a huge hole with regards to the following documented
method of operation:
Nevertheless, specifying folder
rights does not prevent access to objects stored in them. A user who is
not allowed to access a particular folder could still access an object
in this folder (such as if it is used in a workflow. The command
"Edit" is available from almost anywhere, therefore, also in
workflows).
Using individual Object Authorization via its Properties is
very precise but its method of implementation does not appear to be in any way
applicable to our desired requirements.
Our basic desire is to ensure
that developers can only affect objects in specific folders and restrict the
name of any new or renamed object to match the system code of the Folder in
which it is being created.
I was wondering how others do
this or something similar as I feel that I'm overlooking something very basic. Thank you for
any assistance or insight that you can provide.