
Security

There are two main purposes of fSeries security:

  1. To prevent access to outputs by people without permission
  2. To protect data from unauthorised access

Access Roles

Access roles play an important role in security and are different from fSeries roles. fSeries roles dictate which parts of fSeries (e.g. fDocs, fPanels, Admin) the user may use. Access roles are about your organisation and the data and outputs which your end users may see.

For example, you may wish to specify access roles by management level (staff, team managers, directors) or the area in which people work (health, social care, administration) or both.

You may add as many access roles as you require and can then use them to choose who sees what data.

Access roles are managed from the admin area and are simply a code and name.

Entity Access and Permissions

There are two ways in which entities are secured.

By Access Role

All entities (fData DSDs, fPanels dashboards, fDocs / fSheets templates and menus) may have access roles applied to them in their properties page.

If an entity has no access roles applied then it is available to all users (subject to other permissions). If an entity has any access roles applied, a user must have at least one of the specified access roles for them to access the entity.

Note that DSD access roles only apply to generation of an fSheets document based on a DSD. The DSD access roles are not checked when gathering data for inclusion in other entities. Use Data Access Control (DAC) for access role based security of data.
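The access role rule and the DSD caveat above can be turned into a configuration review. The following is an added example, not fSeries code: the `Entity` inventory format, the `uses_dsds` and `dac_enabled` fields and the sample names are assumptions constructed for illustration, and DAC is simplified to a per-DSD flag.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    kind: str                                  # "dsd", "dashboard", "template", "menu"
    access_roles: set = field(default_factory=set)
    uses_dsds: tuple = ()                      # DSDs this entity gathers data from
    dac_enabled: bool = False                  # simplification: DAC set on the DSD's data groups

def role_check(entity, user_roles):
    """Page rule: no roles applied means open; otherwise one matching role is enough."""
    return not entity.access_roles or bool(entity.access_roles & set(user_roles))

def audit(entities):
    """Return (entity, issue) pairs worth an administrator's review."""
    by_name = {e.name: e for e in entities}
    findings = []
    for e in entities:
        if not e.access_roles:
            findings.append((e.name, "open: no access roles applied"))
        for dsd in (by_name[n] for n in e.uses_dsds):
            # DSD roles are not checked when another entity gathers its data,
            # so any role accepted by the consumer but not by the DSD gets through.
            wider = not e.access_roles or e.access_roles - dsd.access_roles
            if dsd.access_roles and wider and not dsd.dac_enabled:
                findings.append((e.name, f"exposes {dsd.name} beyond its roles; use DAC"))
    return findings

# Constructed sample inventory (hypothetical names and roles)
SAMPLE = [
    Entity("care_cases", "dsd", {"director"}),
    Entity("hr_summary", "dsd", {"director"}, dac_enabled=True),
    Entity("team_board", "dashboard", {"staff", "director"},
           uses_dsds=("care_cases", "hr_summary")),
    Entity("exec_board", "dashboard", {"director"}, uses_dsds=("care_cases",)),
    Entity("main_menu", "menu"),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

Here `team_board` is flagged because a user holding only the staff role passes the dashboard's role check while the roles on `care_cases` are never consulted; `hr_summary` is not flagged because it is covered by DAC.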

By Permission

Permission to use an entity is given to sets of groups, teams and/or individual users.

Permission Sets

A permission set is a list of whole groups and teams to whom permission has been granted. So if, for example, you have groups for different areas of business (social care, health, education) and within each you have a management team, you may create a permission set consisting of the management teams in some or all groups. You may also have some teams which do not fall into groups (e.g. corporate) and they too can be added to a permission set.

Entities may then be attached to a permission set either in fAdmin Permission Set Grant or from the entity's properties page “Permissions” option.

Individual Grant

Permission for an individual entity may also be granted to individual users via the entity's properties page “Permissions” option. This is useful either if you have a small number of users not requiring full permission set security, or if there are individuals who do not fit the structure but to whom you need to grant permission for a limited set of entities.

Data Access Control (DAC)

DAC lets you control access to your data at the point where it is gathered, at row or field level, based on two factors:

  • access roles which you can specify and allocate
  • attribute values which you can specify, usually based on fData functions

These are Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) respectively.

DAC is applied at data group level in fData DSDs.

This facility is only available if switched on by the administrator in fAdmin Settings, Data Access Control.