Most users in SystemWeaver are provided with access to all functionality in the swExplorer client. To limit or extend the standard access rights, SystemWeaver uses four Roles. For example, the "Viewer" role will limit access rights to read-only access. The "SW Architect" role will provide configuration rights for views, menu ribbons, etc. With the introduction of Capabilities, users with the Administrator role can now remove access to a number of standard user capabilities in the client using the swAdmin2 client and the Path Query Language. This article describes the capabilities that can be restricted and how to configure the restrictions.


Prerequisites


Capabilities

The following is a list of Capabilities in the client that Administrators can limit to a sub-set of users. 


| Operation | Name |
|---|---|
| Printing documents (and via Print Preview) | PrintDocument |
| Saving documents | SaveDocument |
| Copying documents (* with content height greater than 2000 pixels) | CopyDocument |
| Printing reports (and via Print Preview) | PrintReport |
| Saving reports | SaveReport |
| Copying reports (* with content height greater than 2000 pixels) | CopyReport |
| Exporting XML | ExportXML |
| Saving XML | SaveXML |
| Copying XML (* with content greater than 3000 characters) | CopyXML |
| Exporting grid to Excel | SaveGrid |

Configuring Capabilities

To limit access to one of the above Capabilities, you must configure access to it for the user or users who should continue to be able to perform the capability. This is done on the Security tab in swAdmin2. 



Click the Edit... button. The Edit Capabilities dialog will appear. Enter a configuration using the Path Query Language (a reference guide is available in the swExplorer Help). 


<Capabilities>: All <Capability> configurations should be contained in this tag. 

<Capability>: Includes the Path Query Language definition for one capability. 

The name attribute specifies the capability. It must be one of those listed above. 

The test attribute defines the access right to the capability using a path query. 


Example


<Capabilities>
  <Capability name="PrintDocument" test="CurrentUser = Owner or CurrentUser.HasRole('SWAR') or  CurrentUser.Name = 'admin'"/>
</Capabilities> 

In the above example, the action of printing documents will only be available to the current user if:

The current user is the Owner of the item OR 

The current user has the "SW Architect" role assigned OR 

The current user is the admin.


When you have completed the configuration, click OK to save. For the configuration to take effect, log out of swAdmin2.
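Before pasting a configuration into the Edit Capabilities dialog, it can be checked offline against the rules above. The following is an added example, not SystemWeaver code: the function name `lint_capabilities` is hypothetical, and it assumes that capability names must match the table exactly (including case) and that a duplicate or empty entry is a mistake worth flagging.

```python
import xml.etree.ElementTree as ET

# Capability names taken from the table in this article.
KNOWN = {"PrintDocument", "SaveDocument", "CopyDocument", "PrintReport",
         "SaveReport", "CopyReport", "ExportXML", "SaveXML", "CopyXML", "SaveGrid"}

def lint_capabilities(xml_text):
    """Return (errors, names_without_entry) for a <Capabilities> configuration."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], sorted(KNOWN)
    errors, seen = [], set()
    if root.tag != "Capabilities":
        errors.append(f"root element is <{root.tag}>, expected <Capabilities>")
    for i, cap in enumerate(root, start=1):
        if cap.tag != "Capability":
            errors.append(f"child {i}: unexpected element <{cap.tag}>")
            continue
        name = cap.get("name")
        test = (cap.get("test") or "").strip()
        if name not in KNOWN:
            # Assumption: names are matched exactly as listed in the table.
            errors.append(f"child {i}: unknown capability name {name!r}")
        elif name in seen:
            errors.append(f"child {i}: duplicate entry for {name}")
        else:
            seen.add(name)
        if not test:
            errors.append(f"child {i}: {name!r} has an empty or missing test attribute")
    # Listed capabilities that have no <Capability> entry in this configuration.
    return errors, sorted(KNOWN - seen)

# Constructed sample: the first entry is the article's example,
# the other two contain deliberate mistakes (wrong case, empty test).
SAMPLE = """<Capabilities>
  <Capability name="PrintDocument" test="CurrentUser = Owner or CurrentUser.HasRole('SWAR') or CurrentUser.Name = 'admin'"/>
  <Capability name="ExportXml" test="CurrentUser.HasRole('SWAR')"/>
  <Capability name="SaveXML" test=""/>
</Capabilities>"""

if __name__ == "__main__":
    errs, missing = lint_capabilities(SAMPLE)
    for e in errs:
        print("ERROR:", e)
    print("No entry for:", ", ".join(missing))
```

The check covers structure and names only; it does not parse or evaluate the path query in the test attribute.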


Creating Roles for Capability Management

If the four standard SystemWeaver user roles are not sufficient for your needs, you can create additional roles to further group users.


On the Roles tab, click Add....

In the Add Role dialog, enter a unique SID for the role and a Name. Click OK to save. You can now assign the role to users as needed.


Note: Capability limitations apply only to swExplorer client sessions. They do not apply to logins via the Client API.

Viewing Action Statistics

Want to find out who is exporting to XML or printing a document? The TcpSubServer log file offers a configurable option for logging specific user operations and usage statistics. See Working with the Statistics Log.