Security Restrictions and Access to Data
This section describes the effects of applying Security Restrictions. Using a System of certification of Callista functions, it provides the information required by System Administrators to ensure that Security Restrictions applied to users have a predictable, required effect.
The purpose of this section is:
In this section:
General Considerations
Security Restrictions and Data Access Tools
Security Restrictions limit the 'select' and 'operational' (update, insert, delete) access of users to particular sets of data: the data related to values for which restrictions have been granted. For example, a user may be restricted to data for a particular Organisational Unit (Org Unit) or a particular Correspondence Type.
Security Restrictions are applied at the database level, to tables and views. They restrict 'select' and 'operational' access of users accessing data in those tables and views, through forms. Importantly, they also restrict access to data by other means, including by data query tools such as SQL Plus, SQL Navigator and Oracle Browser.
Expected Error Messages
Users may encounter Security Restriction related error messages when they execute a query within a form. This may occur when the query returns records containing data drawn from database tables to which a Security Restriction applies, and that data relates to a Security Restriction for which the user does not have the appropriate Restriction Grants.

For example, consider a user with an Org Unit Restriction of 'restricted select' for Org Unit '04' only. If the user executes a query in CRSF2120 (Maintain Unit Categories) which retrieves a Unit Category with category member units owned (Teaching Responsibility Org Unit) by Org Units other than '04', the Unit Codes are displayed but the Unit Short Titles of those units are not. An error message 'Error: This Unit Code, Version Number does not exist' is displayed. This occurs because while there is no Org Unit Restriction security over the table containing Unit Categorisations (UNIT_CATEGORISATION), there is Org Unit Restriction security over the table containing the unit short titles (UNIT_VERSION).

Expected Error Messages

| Expected Error Message | Interpretation |
|---|---|
| This Course Code, Version Number does not exist<br>This Unit Code, Version Number does not exist<br>This Responsible OU does not exist<br>This Responsible OU, Responsible OU Start DT does not exist | This error displays when records are returned and a component of the record is sourced from a different database table that is affected by the user's Security Restriction. For example, when navigating to the Course Award Inquiry block of CRSF1190 (Maintain Awards), a query is performed to return all courses associated with a particular award. If any of these courses is 'owned' by an Org Unit for which the user does not have an Org Unit Restriction, their title will not display. This is because the table from which the course title is sourced (COURSE_VERSION) is affected by Org Unit Restrictions. Wherever possible users should be given 'restricted select' access to all Org Units they are likely to encounter. |
| You have attempted an operation for which you do not have the appropriate privileges. Restricted by Organisational Unit. | Users with 'restricted select' access only for an Org Unit Restriction may invoke this error whenever they try to update, insert or delete a record related to that Org Unit. If the user should be able to operate on records for the Org Unit, their Org Unit Restriction must be updated to include insert, update and delete functions. |

Users with correctly granted Security Restrictions and with access to only certified functions will rarely encounter these errors. Users should be educated about when expected error and warning messages will be encountered and either how to interpret those messages or who to contact for assistance.
Dealing with Shared Ownership
Forms such as CRSF1220 (Maintain Course Ownership) can be used to apportion ownership or responsibility across more than one Org Unit. A user with the restriction, 'restricted select' for Org Unit '04' only, can enter this form in the context of a Course Version record for which 04 is responsible. The Course Version may be jointly owned by 04 and another Org Unit. The user can see both owning Organisational Units because, depending on the context of the data, some forms have had the normal Organisational Unit security on 'select' operation overridden.
Security Restrictions and Audit Forms
No restriction views have been created on the underlying audit database tables. This means that no audit forms are certified (refer to Organisational Unit Restriction Certification). Restricted users should not be granted any audit forms. Granting the Course Version audit form (AUDF3126) to a restricted user would allow the user access to all Course Version data.
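A small model of two behaviours described above, the missing Unit Short Title in the CRSF2120 example and the unrestricted audit table, added here as an illustration and not Callista code. It uses SQLite from Python; only the table names UNIT_CATEGORISATION and UNIT_VERSION come from this page, while the columns, the grant table, the `current_session` stand-in for the database user and the sample rows are assumptions.

```python
import sqlite3

# Constructed model. Only the table names UNIT_CATEGORISATION and UNIT_VERSION
# come from the page; columns, the grant table and all rows are assumptions.
SCHEMA = """
CREATE TABLE unit_categorisation (unit_cat TEXT, unit_cd TEXT, version_number INTEGER);
CREATE TABLE unit_version_base (unit_cd TEXT, version_number INTEGER,
                                short_title TEXT, owner_org_unit_cd TEXT);
-- Audit copy of the same data with no restriction view in front of it.
CREATE TABLE unit_version_audit (unit_cd TEXT, version_number INTEGER,
                                 short_title TEXT, owner_org_unit_cd TEXT);
CREATE TABLE ou_restriction_grant (username TEXT, org_unit_cd TEXT,
                                   sel INTEGER, ins INTEGER, upd INTEGER, del INTEGER);
CREATE TABLE current_session (username TEXT);  -- stand-in for the database user
-- Restriction view: a row is visible only if the session user holds a select
-- grant for the Org Unit that owns it.
CREATE VIEW unit_version AS
  SELECT b.* FROM unit_version_base b
  WHERE EXISTS (SELECT 1 FROM ou_restriction_grant g, current_session s
                WHERE g.username = s.username
                  AND g.org_unit_cd = b.owner_org_unit_cd AND g.sel = 1);
"""

# Fixed mapping from operation name to grant column, so the column name used
# in may_operate() never comes from caller-supplied text.
OPS = {"select": "sel", "insert": "ins", "update": "upd", "delete": "del"}


def build_db():
    """Create the model database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    units = [("ACC101", 1, "Intro Accounting", "04"),
             ("LAW200", 1, "Contract Law", "07")]
    conn.executemany("INSERT INTO unit_version_base VALUES (?,?,?,?)", units)
    conn.executemany("INSERT INTO unit_version_audit VALUES (?,?,?,?)", units)
    conn.executemany("INSERT INTO unit_categorisation VALUES (?,?,?)",
                     [("CORE", "ACC101", 1), ("CORE", "LAW200", 1)])
    # 'restricted select' for Org Unit '04' only, no operational access.
    conn.execute("INSERT INTO ou_restriction_grant VALUES ('officer04','04',1,0,0,0)")
    conn.execute("INSERT INTO current_session VALUES ('officer04')")
    return conn


def unit_category_members(conn, unit_cat):
    """Unrestricted categorisation rows joined to the restricted view:
    the Unit Code always comes back, the short title only when visible."""
    return conn.execute(
        """SELECT c.unit_cd, c.version_number, v.short_title
           FROM unit_categorisation c
           LEFT JOIN unit_version v
             ON v.unit_cd = c.unit_cd AND v.version_number = c.version_number
           WHERE c.unit_cat = ? ORDER BY c.unit_cd""", (unit_cat,)).fetchall()


def audit_rows(conn):
    """Reads the audit table directly; no restriction view filters it."""
    return conn.execute(
        "SELECT unit_cd, short_title, owner_org_unit_cd "
        "FROM unit_version_audit ORDER BY unit_cd").fetchall()


def may_operate(conn, org_unit_cd, op):
    """True if the session user holds the given grant for the Org Unit."""
    col = OPS[op]
    row = conn.execute(
        f"SELECT MAX(g.{col}) FROM ou_restriction_grant g, current_session s "
        "WHERE g.username = s.username AND g.org_unit_cd = ?",
        (org_unit_cd,)).fetchone()
    return bool(row[0])


if __name__ == "__main__":
    db = build_db()
    print("Unit Category query:", unit_category_members(db, "CORE"))
    print("Audit table query:  ", audit_rows(db))
    print("Update on OU 04 allowed:", may_operate(db, "04", "update"))
```

The row for the unit owned by Org Unit '07' returns its Unit Code with no short title, which is the condition a form reports as 'This Unit Code, Version Number does not exist', while the audit query returns both units in full.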
Correspondence Type Restrictions
Details regarding the operation of Correspondence Type restrictions are contained in documentation for the Maintain Correspondence Type Security form (SECF0033).
No functions have been 'certified' for Correspondence Type restrictions. The section Organisational Unit Restriction Certification details the specifics of Org Unit Restriction certification and these are equally applicable to Correspondence Type restrictions.
Organisational Unit Restrictions
Impact of Organisational Unit Restrictions
Users may access Organisational Unit (Org Unit) related data in a number of ways, including:
Organisational Unit restrictions are used to restrict the select and operation (insert, update, delete) access of users, to data related to specific Org Units. For example, a faculty officer might be restricted to selecting and updating data for their faculty and its related schools only. In some specific contexts, Organisational Unit security may have been overridden. For example, in the second dot point above, a user can see Course Award records for Org Units for which they have an Org Unit Restriction. The Org Unit Restrictions on the Award Ownership data in the same form are overridden to allow the user to see Award Ownership records for Org Units to which they do not have security access.
The documentation for the Maintain Organisational Unit User Restrictions form (SECF0032) describes this functionality in more detail.
Note: Not all Org Unit related data is subject to Org Unit Restrictions. Restrictions are applied, at the database level, to individual tables and views. Users are restricted only when using data in these tables/views. Refer to the Security Technical Documentation for further information and a complete list of tables and views to which restrictions apply.
Organisational Unit Restriction Certification
The impacts of Org Unit Restrictions are System wide. To ensure that these impacts are predictable, a System of certification has been introduced to guide Security and Subsystem specialists in the application of Org Unit Restrictions to users. The intention is that Org Unit Restrictions should only be applied to users of the certified functions. Application of Org Unit Restrictions to users of non-certified functions may produce the desired effects. It may also produce unpredictable effects and will result in error messages being displayed which may be difficult to interpret outside the documentation for certified functions.
Certification involves analysis of existing interaction between specific functions and Org Unit Restrictions, and design enhancements to ensure that the effects of a restriction are exactly as required. Extensive testing ensures the correct results. Certification is an ongoing process that commenced (Release 2.0) with the Course Structure and Planning and Inquiry Subsystems.
Org Unit Restriction Certified Functions
The following table lists all Org Unit Restriction certified functions as at Release 3.1.2. Presently, this consists of Course Structure and Planning, the Inquiry Subsystem and Enrolment forms only.
About This Table
Restricted Select column
Entries in the restricted select column indicate whether or not an Organisational Unit 'select' restriction, applied to a user, affects the user's ability to select data in that form or block. For example, if a user has been granted restricted select access to Org Unit '04' and to no other Org Units, 'yes' in the Restricted Select column of this table indicates that the user is restricted to selecting data related to Org Unit 04 only. Where 'yes' is recorded, the impact of the restriction is noted (in brackets). These impacts are:
Restrictions in LOV Column
Entries in this column indicate the name of the field adjacent to an LOV where the records in the LOV are restricted by the user's Org Unit restricted select grant(s). For example, CRSF1130 has an LOV adjacent to the Course Code field which displays a set of Course Versions limited by a user's restricted select grants. The Restricted By column indicates which aspect of the LOV data the Org Unit Restriction is acting on.
Restricted By Column
Indicates the aspect of the data on which the Org Unit Restriction acts. This may not be in the database table to which the restriction applies, but will be in a closely related table. For example, 'Unit Attempt - Course Attempt - Course Version - responsible Org Unit' indicates the data element (responsible Org Unit) which is tested against a user's Org Unit Restriction(s) when Unit Attempt information is retrieved in INQF1200, and the pathway followed.
Operation Restrictions Column
This column contains either 'yes' or 'no', indicating whether or not operation restrictions (insert/update/delete) apply within that form/block to users with Org Unit operation restrictions. For example, if a user has an 'update' restriction for Org Unit 04 (but not insert or delete), they will only be able to modify existing records related to Org Unit 04 and will be unable to insert new records or delete existing records relating to that Org Unit.
Course Structure and Planning

| Form | Block | Restricted Select (impact) | Restrictions in LOV | Restricted by | Operation Restrictions |
|---|---|---|---|---|---|
| CRSF1110 Maintain Course Types | | No | | | No |
| CRSF1120 Maintain Course Type Groups | | No | | | No |
| CRSF1130 Maintain Course Categories | Course Category | No | | | No |
| | Course Categorisation | No (title will not display for restriction affected courses) | Course Code | Course Version - responsible OU | No |
| CRSF1140 Maintain Fields of Study | | No | | | No |
| CRSF1160 Maintain Course Attendance Modes | | No | | | No |
| CRSF1170 Maintain Attendance Types | | No | | | No |
| CRSF1180 Maintain Course Group Types | | No | | | No |
| CRSF1190 Maintain Awards | Award | No | | | No |
| | Course Award Inquiry | No (title will not display for restriction affected courses) | | Course Version - responsible OU | No, inquiry only block |
| CRSF11A0 Maintain Course Statuses | | No | | | No |
| CRSF11B0 Maintain Funding Sources | | No | | | No |
| CRSF11C0 Maintain Reference Code Types | | No | | | No |
| CRSF11D0 Maintain Course Groups | Course Group | No (Responsible OU description will not display for restriction affected courses) | Responsible OU | Course Version - responsible OU | No |
| | Course Group Member | No (title will not display for restriction affected courses) | Course Code | Course Version - responsible OU | No |
| CRSF11F0 Maintain Course Structure & Planning Note Types | | No | | | No |
| CRSF1210 Maintain Basic Course Details | | Yes (retrieves only courses for which user has Org Unit select restriction) | Responsible OU | Organisational Unit | Yes |
| CRSF1220 Maintain Course Ownership | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Ownership | No (Org Unit Restrictions have been overridden for this block. It is assumed that a user with access to the parent Course Version is entitled to see all of its owning Org Units regardless of any Org Unit Restrictions.) | | | Not specifically for this block (due to override) but users are restricted by their operational restrictions at the Course Version - responsible Org Unit level. |
| CRSF1230 Maintain Course Group Membership | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Group Membership | No | Although course groups can optionally be associated with an OU, the course group code LOV is not restricted | | No |
| CRSF1240 Maintain Course Alternative Exits | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Alternative Exit | No | | | No |
| CRSF1250 Maintain Course Awards | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Award | No | | | No |
| | Course Award Ownership | No (Org Unit Restrictions have been overridden for this block. It is assumed that a user with access to the parent course award is entitled to see all of its owning Org Units regardless of any Org Unit Restrictions.) | | | Not specifically for this block (due to override) but users are restricted by their operational restrictions at the Course Version - responsible Org Unit level. |
| CRSF1260 Maintain Course Fields of Study | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Field of Study | No | | | No |
| CRSF1270 Maintain Course Categorisations | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Categorisation | No | | | No |
| CRSF1280 Maintain Course Offering Unit Sets | Course Offering | Yes (retrieves only course offerings for which user has Org Unit select restriction) | | Course Version - responsible OU | Can never operate on the context record |
| | Course Offering Unit Set | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| CRSF1281 Maintain Course Offering Unit Set Relationships | Superior Course Offering Unit Set | Yes (not obvious to users as always in context) | | | No |
| | Course Offering Unit Set | Yes (retrieves only Course Offering Unit Sets for which user has Org Unit select restriction) | | Course Version - responsible OU | Can never operate on the context record |
| | Subordinate Course Offering Unit Set | Yes (not obvious to users as always in context) | | Course Version - responsible OU | No |
| CRSF1282 Maintain Course Offering Option Unit Sets | Course Offering Option | Yes (retrieves only course offering options for which user has Org Unit select restriction) | | Course Version - responsible OU | Can never operate on the context record |
| | Course Offering Option Unit Set | Yes (not obvious to users as always in context) | | | Yes |
| CRSF1290 Maintain Course Reference Codes | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Reference Code | No | | | No |
| CRSF12A0 Maintain Restricted Funding Sources | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Funding Source Restriction | No | | | No |
| CRSF12C0 Maintain Course Annual Load | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Annual Load | No | | | No |
| | Course Annual Load Unit Link | No (title may not display for restriction affected units) | Unit Code | Unit Version - Teaching Responsibility OU | No |
| CRSF12D0 Maintain Course Stages | Course Version | Yes (retrieves only courses for which user has Org Unit select restriction) | | Course Version - responsible OU | Can never operate on the context record |
| | Course Stage | No | | | No |
| CRSF12E0 Maintain Course Version Notes | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Version Note | No | | | No |
| CRSF12F0 Maintain Course Stage Types | | No | | | No |
| CRSF1300 Maintain Course Offerings | Course Version | This form is always entered in context from CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Offering | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| | Course Offering Instance | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| CRSF1320 Maintain Course Offering Option Admission Category | Course Offering Option | This form is always entered in context via CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Admission Category | No | | | No |
| | Admission Category Unit Set Restriction | No | Unit Set Code | Course Version - responsible OU | No |
| CRSF1340 Maintain Course Offering Notes | Course Offering | This form is always entered in context via CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Offering Note | No | | | No |
| CRSF1400 Maintain Course Offering Options | Course Offering | This form is always entered in context via CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Offering Option | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| CRSF1420 Maintain Course Entry Point Reference Codes | Course Offering Option | This form is always entered in context via CRSF1210 where restricted select applies | | | Can never operate on the context record |
| | Course Entry Point Reference Code | No | Unit Set Code | Course Version - responsible OU | No |
| CRSF1441 Maintain Course Pattern of Study | Course Offering | Yes (retrieves only courses for which user has Org Unit select restriction) | | | Can never operate on the context record |
| | Pattern of Study | No | | | No |
| CRSF1442 Maintain Course Pattern of Study Periods | Pattern of Study | This form is always entered in context from CRSF1441 where restricted select applies | | | Can never operate on the context record |
| | Pattern of Study Period | No | | | No |
| | Pattern of Study Unit | No | Unit Code | Unit Version - Teaching Responsibility OU | No |
| CRSF1450 Maintain Course Offering Option Notes | Course Offering Option | This form is always entered in context from CRSF1400 where restricted select applies | | | Can never operate on the context record |
| | Course Offering Option Note | No | | | No |
| CRSF1500 Maintain Course Offering Patterns | Course Offering Instance | Yes (retrieves only courses for which user has Org Unit select restriction) | | | Can never operate on the context record |
| | Course Offering Pattern | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| CRSF1510 Maintain Course Offering Pattern Notes | Course Offering Pattern | This form is always entered in context from CRSF1500 where restricted select applies | | | Can never operate on the context record |
| | Course Offering Pattern Note | No | | | No |
| CRSF1700 Maintain Course Version Rules | Course Version | Yes (retrieves only courses for which user has Org Unit select restriction) | | | Can never operate on the context record |
| | Course Version Rule | No | | | No |
| CRSF2110 Maintain Disciplines | | No | | | No |
| CRSF2120 Maintain Unit Categories | Unit Category | No | | | No |
| | Unit Categorisation | No (short title will not display for restriction affected units) | Unit Code | Unit Version - Teaching Responsibility OU | No |
| CRSF2130 Maintain Unit Set Statuses | | No | | | No |
| CRSF2140 Maintain Unit Levels | | No | | | No |
| CRSF2150 Maintain Unit Modes | | No | | | No |
| CRSF2160 Maintain Unit Classes | | No | | | No |
| CRSF2180 Maintain Unit Internal Course Levels | | No | | | No |
| CRSF2210 Maintain Basic Unit Details | | Yes (retrieves only units for which user has Org Unit select restriction) | Org Unit | Organisational Unit | Yes |
| CRSF2220 Maintain Teaching Responsibility | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Teaching Responsibility | No (Org Unit Restrictions have been overridden for this block. It is assumed that a user with access to the parent Unit Version is entitled to see all of its Teaching Responsibility Org Units regardless of any Org Unit Restrictions.) | | | Not specifically for this block (due to override) but users are restricted by their operational restrictions at the Unit Version - owning Org Unit level. |
| CRSF2230 Maintain Unit Disciplines | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Discipline | No | | | No |
| CRSF2240 Maintain Course Unit Level | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Course Unit Level | No | | | No |
| CRSF2250 Maintain Sub-Unit Relationships | Superior Unit Versions | No (title, Unit Status may not display for restriction affected units) | Unit Code | Unit Version - Teaching Responsibility OU | No |
| | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Subordinate Unit Versions | No (title, Unit Status may not display for restriction affected units) | Unit Code | Unit Version - Teaching Responsibility OU | No |
| CRSF2260 Maintain Unit Categorisations | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Categorisation | No | | | No |
| CRSF2270 Maintain Unit Reference Codes | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Reference Code | No | | | No |
| CRSF2280 Maintain Unit Version Notes | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Version Note | No | | | No |
| CRSF2310 Maintain Unit Offerings | Unit Version | This form is always entered in context from CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Offering | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| | Unit Offering Pattern | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| CRSF2330 Maintain Unit Offering Notes | Unit Offering | This form is always entered in context via CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Offering Note | No | | | No |
| CRSF2410 Maintain Unit Offering Pattern Notes | Unit Offering Pattern | This form is always entered in context via CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Offering Pattern Note | No | | | No |
| CRSF2500 Maintain Unit Offering Options | Unit Offering Pattern | This form is always entered in context via CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Offering Option | Yes (not obvious to users as always in context) | | Course Version - responsible OU | Yes |
| CRSF2520 Maintain Teaching Responsibility Overrides | Unit Offering Option | Yes (retrieves only units for which user has Org Unit select restriction) | | Unit Version - Teaching Responsibility OU | Can never operate on the context record |
| | Teaching Responsibility Override | No (Org Unit Restrictions have been overridden for this block. It is assumed that a user with access to the parent unit offering option is entitled to see all of its Teaching Responsibility Org Units regardless of any Org Unit Restrictions.) | | | Not specifically for this block (due to override) but users are restricted by their operational restrictions at the Unit Version - Teaching Responsibility Org Unit level. |
| CRSF2530 Maintain Unit Offering Option Notes | Unit Offering Option | This form is always entered in context via CRSF2210 where restricted select applies | | | Can never operate on the context record |
| | Unit Offering Option Note | No | | | No |
| CRSF2700 Maintain Unit Version Rules | Unit Version | Yes (retrieves only units for which user has Org Unit select restriction) | | Unit Version - Teaching Responsibility OU | Can never operate on the context record |
| | Unit Version Rule | No | | | No |
| CRSF4110 Maintain Special Requirements | | No | | | No |
| CRSF4120 Maintain Unit Set Categories | | No | | | No |
| CRSF4130 Maintain Unit Set Statuses | | No | | | No |
| CRSF4200 Maintain Unit Sets | Unit Set | No restriction on unit sets (Responsible OU display is affected by Org Unit Restrictions) | | | No |
| | Unit Set Course Type Restriction | No | | | No |
| CRSF4201 Apply Unit Set to Course Offerings | Unit Set | No | | | No |
| | Course Offering | Yes (retrieves only courses for which user has Org Unit select restriction) | Course Code | Course Version - responsible OU | Can never operate on records in this block |
| | | | Org Unit Code | Organisational Unit | |
| CRSF4210 Maintain Unit Set Notes | | No | | | No |
| CRSF4230 Define Unit Set Rules | | No | | | No |

Last Modified on 19 April, 2006