
Group

Group is the base type for all types that need user group functionality. A group is a Principal, i.e. can be used to provide Ownership.

Group extends AbstractNode and provides the following additional properties.

Name      Type                 Description
members   List of Principals   The members of this Group
isGroup   Boolean              A read-only value that is always true for all Group types and their subtypes

Search results for "Group"

is_in_group()

Predicate function that returns whether a given user is a member of a given group.

New in v3.6: The optional parameter checkHierarchy allows checking for indirect group membership. If the given principal is a member of another group which is itself a member of the given group, the result will be true.

is_in_group(group, principal [ , checkHierarchy = false ])

add_to_group()

Adds the given user as a member of the given group.

add_to_group(group, principal)

remove_from_group()

Removes the given user as a member of the given group.

remove_from_group(group, principal)

Deployment Format

{
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');
let myNestedUserGroup = $.getOrCreate('Group', 'name', 'myNestedUserGroup');

if (!$.isInGroup(myUserGroup, myNestedUserGroup)) {
$.addToGroup(myUserGroup, myNestedUserGroup);
}
}

Data Deployment Format

{
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');
let myNestedUserGroup = $.getOrCreate('Group', 'name', 'myNestedUserGroup');

if (!$.isInGroup(myUserGroup, myNestedUserGroup)) {
$.addToGroup(myUserGroup, myNestedUserGroup);
}
}

Graph-based permission resolution

In the above example, the schema is configured in such a way that users with the maintains relationship to a ProductGroup will have access to any Product object in the group they maintain, but not to the subgroups of the given group.

Schema relationships that are configured to allow domain permission resolution are called active relationships. Active relationships are displayed in a different color than normal relationships in the schema editor.

When a non-admin user accesses a private object (e.g. a Product node from the above example schema), Structr tries to find a path of active relationships, starting from a node on which the user holds the requested right, along which each relationship either ADDs or KEEPs that right.

In detail: assume a user who has a read permission grant on a ProductGroup tries to access a Product contained in that group (on which the user has no direct rights).
Structr then traverses the active relationship(s) until a path is found which ADDs or KEEPs the requested right.

Successful path evaluation:

  • The (ProductGroup)-[:contains]->(Product) relationship is configured to keep read and write
  • The effective permissions at the end of the evaluation process are read and write

Unsuccessful path evaluation:

  • If the user tries to access a product that is not contained in the product group they have access to, but in a subgroup of that group, Structr will not be able to find a connected path of active relationships and the permission resolution fails.
  • The user has no permission grants on any node, or only visibility flags are set on the data nodes.
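The path search described above, as an added example that is not part of this page or of Structr's own code. The node names (group1, subgroup1, prod1, prod2), the SECURITY grants and the `contains` relationship configured to keep read and write are constructed sample data; the edge from group1 to subgroup1 is a normal, non-active relationship, so it is simply absent from the active-relationship list, which is exactly why the second lookup fails.

```javascript
// Added example, not Structr's own code: a small model of the path search
// over active relationships. Each active relationship lists, per right,
// either "add" (grants the right when crossed) or "keep" (passes the right
// on only if it is already held); rights not listed are dropped.
const RIGHTS = ["read", "write", "delete", "accessControl"];

// Constructed sample data: the user holds read and write on group1 (a direct
// SECURITY grant). prod1 is contained in group1; prod2 sits in subgroup1,
// whose edge from group1 is a non-active relationship and so is not listed.
const GRANTS = { group1: ["read", "write"] };
const ACTIVE_RELS = [
  { from: "group1", to: "prod1", type: "contains",
    propagate: { read: "keep", write: "keep" } },
  { from: "subgroup1", to: "prod2", type: "contains",
    propagate: { read: "keep", write: "keep" } },
];

// Rights that survive crossing one active relationship.
function cross(held, rule) {
  return new Set(RIGHTS.filter(r =>
    rule[r] === "add" || (rule[r] === "keep" && held.has(r))));
}

// Breadth-first search from every node the user holds a grant on, following
// active relationships only, for a path that reaches `target` while still
// holding `right`. Returns true when such a path exists.
function hasRight(target, right, grants, rels) {
  const queue = Object.entries(grants).map(([n, rs]) => [n, new Set(rs)]);
  const seen = new Set();
  while (queue.length) {
    const [node, held] = queue.shift();
    if (node === target && held.has(right)) return true;
    const key = node + ":" + [...held].sort().join(",");
    if (seen.has(key)) continue;          // same node, same rights: done
    seen.add(key);
    for (const rel of rels.filter(r => r.from === node)) {
      const next = cross(held, rel.propagate);
      if (next.size > 0) queue.push([rel.to, next]);
    }
  }
  return false;
}

// Effective rights on a node: every right for which a path was found.
function effectiveRights(target, grants = GRANTS, rels = ACTIVE_RELS) {
  return RIGHTS.filter(r => hasRight(target, r, grants, rels));
}
```

With only a read grant on group1 the `contains` relationship keeps read but has no write to keep, so the effective rights on prod1 shrink to read alone.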

Users and Groups

The basic concept of the security system is based on users and user groups.
- Users can be members of one or many groups.
- Users inherit the permissions of all groups they are members of.
- Groups can be nested into other groups.
- Groups inherit the permissions of all groups they are members of.
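The nesting and inheritance rules listed above, together with the checkHierarchy option of is_in_group() described earlier, as an added example that is not part of this page or of Structr's own code. The groups (everyone, staff, editors), the users (alice, bob) and the grants on a single data node are constructed sample data; isInGroup, groupsOf and effectiveGrants are hypothetical names.

```javascript
// Added example, not Structr's own code: a model of is_in_group() with the
// checkHierarchy option (v3.6+) and of permission inheritance through nested
// groups. Constructed sample data: alice is in "editors", which is nested in
// "staff", which is nested in "everyone"; bob is a direct member of "staff".
const MEMBERS = {                   // group -> direct members (users or groups)
  everyone: ["staff"],
  staff: ["editors", "bob"],
  editors: ["alice"],
};
const GRANTS = {                    // principal -> rights on one data node
  everyone: ["read"],
  staff: ["write"],
  alice: ["delete"],
};

// Direct membership only, or transitive membership when checkHierarchy is set.
// The visited set guards against cycles in the group graph.
function isInGroup(group, principal, checkHierarchy = false, visited = new Set()) {
  const direct = MEMBERS[group] || [];
  if (direct.includes(principal)) return true;
  if (!checkHierarchy) return false;
  visited.add(group);
  return direct.some(m => m in MEMBERS && !visited.has(m) &&
                          isInGroup(m, principal, true, visited));
}

// Every group the principal belongs to, directly or through nesting.
function groupsOf(principal) {
  return Object.keys(MEMBERS).filter(g => isInGroup(g, principal, true));
}

// Rights a principal holds on the node: its own grants plus those of all
// groups it is a (transitive) member of, mirroring the inheritance rules.
function effectiveGrants(principal) {
  const rights = new Set(GRANTS[principal] || []);
  for (const g of groupsOf(principal)) {
    (GRANTS[g] || []).forEach(r => rights.add(r));
  }
  return [...rights].sort();
}
```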

Deployment Format

{
let necessaryUser = $.getOrCreate('User', 'name', 'necessaryUser');
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');

if (!$.isInGroup(myUserGroup, necessaryUser)) {
$.addToGroup(myUserGroup, necessaryUser);
}
}

Data Deployment Format

{
let necessaryUser = $.getOrCreate('User', 'name', 'necessaryUser');
let myUserGroup = $.getOrCreate('Group', 'name', 'myUserGroup');

if (!$.isInGroup(myUserGroup, necessaryUser)) {
$.addToGroup(myUserGroup, necessaryUser);
}
}

Users and Groups

The Users and Groups tab has two subsections: The left section lists all system users that exist in the database. Users can be created by clicking on the "Add User" button on top of the list and deleted by clicking on the delete button which appears when you hover over the user element.

A user’s attributes like name, eMail or password can be edited via the Edit Properties dialog. Here a user can be given admin permissions by activating the isAdmin flag.

In the section on the right, user groups can be created and managed. Groups can contain users and other groups which can be added and removed via drag-and-drop. This allows the creation of a group hierarchy and thus a very flexible and versatile security system.

General

ldap.host Address of the LDAP host.
ldap.port Port of the LDAP host.
ldap.connectiontimeout Connection timeout in milliseconds.
ldap.binddn DN that is used to authenticate synchronization.
ldap.secret Used in conjunction with bind DN to handle authentication.
ldap.usessl Enables SSL for the LDAP connection.
ldap.scope Specifies the LDAP scope. Defaults to “SUBTREE”.
ldap.primarykey Name of primary identification property of LDAP objects, must uniquely identify users and groups.
ldap.propertymapping Mapping from LDAP properties to Structr properties.
ldap.groupnames LDAP objectclass tuples for group and member identification.
ldap.updateinterval Update interval for group synchronization in seconds.

Permission Grants

Permission grants are signified by a SECURITY relationship (user/group)-[:SECURITY {"allowed": ["read","write","delete","accessControl"]}]->(data) between users and/or groups and the data nodes. They indicate whether a user or a user group has access to a node. The SECURITY relationship for users is created automatically by Structr.

About Me

The About Me section displays information about the user that is currently logged in to the system.

ID The UUID of the user.
E-Mail The E-Mail address of the user.
Working Directory The directory in Structr’s virtual file system that the user is currently visiting. This is also the directory where files uploaded via the Structr upload servlet will be uploaded (if no upload path is provided).
Session ID(s) A collection of the current session IDs of the user.
Groups The list of user groups the user is a member of.

In addition to this information, Structr also stores the UI preferences of the logged-in user. They can be reset by clicking on “Reset stored UI settings”.

General

The configuration settings are grouped by topic. You can access the individual groups by clicking on one of the tabs in the tab row of the main area. The individual settings are listed by their key in the config file, e.g. the “application.title” setting can be found in structr.conf under application.title. If there is a little Information icon next to the title of a setting, you can get additional information about the setting by hovering over the icon.

Creating Flows

To keep Flows more organized, they can be grouped by packages. New packages can be created via the context menu in the tree view on the left-hand side of the editor. Once created, flows can be organized by drag-and-drop. It is important to note that a Flow's effective name will be generated from the package hierarchy. A Flow called “flow1” in the package “package1” will result in the effective name “package1.flow1”. This combined name can then be used to call flows from scripts:

Security

Structr provides integrated multi-level access control for all parts of the application based on user and group objects. Both the access to the data and the representation of individual areas of the web application can be controlled separately with different security models.

Node-level security

Every entity created by Structr in the underlying graph database is stored as a node with relationships to other nodes. Following this concept, even files, folders, users, groups, pages etc. always have a node representing them in the database, and Structr's security system makes use of this to provide security at the level of those nodes.

The columns of the table show the properties of the selected schema type, where the additional filter “View” defines the group of properties to show.