20. Security and Access

Introduction

There are two elements of security we will look at in this chapter:

  • Controlling who can access an application.
  • Controlling Privileges within an application.

From PhixFlow Version 9.0 onwards, two user groups are automatically created with each application:

  1. appname for people who need to use the application.
  2. appname_Admin for people who need to manage the application and user access to it.

where appname is the same as the application's name. 

We will cover the fundamentals of security and access control in this chapter using the existing configuration. For more information on this topic see:

  1. Controlling User Access to Applications. This page covers the topic in more detail and explains how to set up new groups and roles.
  2. Managing User Groups and Privileges. This page goes into detail about setting up user groups, roles and privileges.

Access Control

Accessing an Application

  1. Open the Properties of your application.

  2. Click on the Security tab.

    1. All Users Can View Application: ticking this makes the application available to everyone. If you want to use this option, consider applying it only once the application is complete.
    2. User Groups: lists the groups that have access to our application.
      1. Selecting a group enables the delete icon, allowing you to remove the group.
      2. Click on the group icon to see a list of available groups; these can be dragged into the list.
    3. For our example, we will leave the options as they are.

Testing

  1. First, we need to create a new test user as follows.
    1. In the Full Repository, right-click Users.
    2. Click  and set:
      1. the username and password.
      2. Enabled: tick.
      3. Add the user group Users to the user.
      4. Log out of PhixFlow.

  2. Log into PhixFlow as the test user. You should not be able to see your application; click on the 9 dots to open the application selection window to confirm this.

    1. If you see an error stating that you cannot access this application, it is because you are loading the URL that directly opens the application you just restricted access to. Use the URL that takes you into the base PhixFlow, e.g. https://myserver.phixflow.com/phixflow/start.html?
  3. Now, log back in as yourself.
  4. Update the test user's associated User Groups, adding the group associated with your application. This should be the My Application group, as illustrated below:
  5. Log in as the test user and your application is now available.

Controlling Privileges in an Application

Within an application, there can be varying levels of permissions. Here we will look at adding permissions to a specific button but permissions can be added to other content to restrict access and interactions.

  1. Open the Home screen so it is ready to edit.
  2. Click on the Orders button so that its properties open. We can restrict who has permission to see and use this button.
  3. Click on the Security tab.
  4. By default, All Users can View Data is ticked. This gives all users permission to see and click this button.
    1. Note that it is possible to create user accounts that only have read-only permissions and therefore cannot click on any button. For more information on this, see the links in the introduction section above.
  5. Untick All Users can View Data.
  6. As before, User Groups lists the groups that have access to this button.
    1. Click on the group icon to see a list of available groups, and drag the appname_Admin group into the list, i.e. My Application_Admin.
      1. Select a group and the delete icon appears, allowing you to remove the group.
  7. Save your changes.

Testing

  1. Log in as the test user created earlier.
  2. When the Home screen loads, the Orders option will not appear:
  3. This option will only be available to users in the My Application_Admin user group.
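The two rules this chapter walks through (application access via the Security tab, then per-button privileges via All Users can View Data and User Groups) combine into a small deny-by-default check. The Python below is an added illustration, not PhixFlow code: the class and function names (User, Application, Control, can_access_application, can_use_control), the Customers button and the "leaver" account are assumptions constructed for the example. It reproduces the chapter's walkthrough (test user in Users only, then added to My Application, then an admin) and also covers a disabled account, which the Enabled tick from the test-user step implies should see nothing.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    """A PhixFlow user: the Enabled tick and the User Groups assigned to them."""
    username: str
    enabled: bool
    groups: frozenset


@dataclass
class Application:
    """An application and its Security tab settings (assumed field names)."""
    name: str
    all_users_can_view: bool = False
    user_groups: set = field(default_factory=set)

    def __post_init__(self):
        # From version 9.0 the groups appname and appname_Admin are created
        # with each application, so seed the access list with both of them.
        self.user_groups |= {self.name, f"{self.name}_Admin"}


@dataclass
class Control:
    """A screen element such as the Orders button, with its own Security tab."""
    name: str
    all_users_can_view_data: bool = True   # ticked by default, as in the chapter
    user_groups: set = field(default_factory=set)


def can_access_application(user: User, app: Application) -> bool:
    """Application access: disabled accounts never get in; otherwise either
    All Users Can View Application is ticked or the user shares a group."""
    if not user.enabled:
        return False
    if app.all_users_can_view:
        return True
    return bool(user.groups & app.user_groups)


def can_use_control(user: User, app: Application, control: Control) -> bool:
    """Button privilege: reaching the application is a prerequisite, then
    either All Users can View Data is ticked or the user shares a group."""
    if not can_access_application(user, app):
        return False
    if control.all_users_can_view_data:
        return True
    return bool(user.groups & control.user_groups)


def visible_controls(user: User, app: Application, controls: list) -> list:
    """Names of the controls this user would see on the screen, in order."""
    return [c.name for c in controls if can_use_control(user, app, c)]


def walkthrough() -> dict:
    """Replays the chapter's steps on constructed sample data."""
    app = Application("My Application")
    controls = [
        Control("Customers"),                           # constructed: left at the default
        Control("Orders", all_users_can_view_data=False,
                user_groups={"My Application_Admin"}),  # restricted as in the chapter
    ]
    test_user = User("testuser", True, frozenset({"Users"}))
    test_user_added = User("testuser", True, frozenset({"Users", "My Application"}))
    admin = User("admin", True, frozenset({"My Application_Admin"}))
    leaver = User("leaver", False, frozenset({"My Application_Admin"}))  # constructed
    return {
        "test_user_sees_app": can_access_application(test_user, app),
        "test_user_after_group_added": can_access_application(test_user_added, app),
        "test_user_controls": visible_controls(test_user_added, app, controls),
        "admin_controls": visible_controls(admin, app, controls),
        "disabled_admin_controls": visible_controls(leaver, app, controls),
    }


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step}: {outcome}")
```

The ordering inside can_use_control is the point worth keeping in mind when reviewing a screen: a button with All Users can View Data ticked is still hidden from anyone who cannot reach the application, and unticking it on a button only removes users who are not in one of the button's listed groups, so the group list is what actually grants access once the tick is gone.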

In a future release, the security will be assigned to the actionflow backing the button. As a result, all buttons using that actionflow will only be available to users with the appropriate user groups.