- The user's role, for instance: "any user with the role admin can delete data".
- The user being the one who initially created the data, also known as owner, for instance: "owners can view and update their own data".
- The user being in the same group as the owner, e.g. users in the same group as the owner can read the data.
Within such a structure:
- An individual user can be a member of zero, one, or more organizations. For instance Mary could be a member of the "iOS" and "Support" organizations.
- An individual user can have zero, one, or more organization roles. For instance, if Mary is also the manager of the "iOS" organization, in the system, she will have the role "manager" tied to organization "iOS". Informally, we could write this role as manager(organization = "iOS").
- If they are defined in Liferay, then all you need to do is to use the Orbeon Forms Liferay proxy portlet, and configure Form Runner to use Liferay user information. That's it.
- If they are defined in any other system, you can query that system and pass that information to Orbeon Forms in JSON format.
- Assuming Tom in the iOS organization creates an expense report,
- his manager, Mary will be able to access it,
- and so will John, the VP of engineering, defined in the system as manager of the "Engineering" organization,
- and so will Carla, the CEO, defined in the system as manager of Acme, which sits at the root of the organizational structure.
Support for organization-based permissions is available in Orbeon Forms 2016.3, and works on all supported databases, namely eXist, MySQL, PostgreSQL, Oracle, SQL Server, and DB2. Support on Oracle, SQL Server, and DB2 is available only on Orbeon Forms PE. And for more information, see the documentation on organization-based permissions.