How to configure privileges with the Default group to create restricted users


Microsiga Protheus


11 and 12

Step by step:

Setting up access to user routines has always been treated as denial by exception. The user has access to all the routines and the Administrator chooses to which routine the access will be denied.

The Default Group is a group that has access to the routines DENIED by default.

It was created so that the permission is by exception and, instead of the Administrator denying all routines to the user and allowing only a few access, puts the user in that group and defines in the Privilege routine which accesses the user should have.

Both the code and the description of the Default group are represented by *. Maintenance in this group is not allowed.

If you prefer, you can automatically add Default Group to newly created users. This setting is available in the Policy routine.

Before you perform the procedure:
- Back up the Protheus password file (in the System folder, file sigapss.spf). Do while the Protheus services is stopped, to avoid corrupting the file.
- Users that already exist before enabling this group do not enter it automatically, they must be added manually.

To enable the Default Group, follow the procedure below:
- Access Configurator > User > Passwords > Groups.

- Click Other Actions (Related Actions) and click Enable default group.

- You will see the following warning. Click Yes.

- Next, a window asks if you want new users to be automatically added to the Default Group. It is the same option that can be set in the Policy, according to the first image of this page.

- Default group created.

After enabling the Default Group, associate the user with it.
- Access User > Passwords > Users.

- Click on the user and then click Change.

- On the User tab, click the Groups tab.

- Click twice under the Group column, and select the Default Group (Code * / Name *). Leave the Prioritize field as No.

- In the Parameters section, change the Access rule by group to Prioritize.

- Click Confirm.

By associating the Default Group with the user, it will no longer have access to any routine. It is then necessary to set a Privilege by releasing the routines that the user will have access to. For further information on how to create a Privilege, go to: Set Privileges

After creating the Privilege, associate it with the user group, according to the procedure Associating Privileges to a user or group of users found in the link above.

This user must have some other group that grants access to companies and modules, because as the user parameter Access Rule per group is set as Prioritize, it will not accept the access restrictions granted to the user, but to the groups.