Understanding the basic user management
This tutorial is outdated. See the tutorial Getting started with the user management
Posted by Giampiero Granatella
on September 7th, 2009
Any real information system has users and permissions. Users are the real people who will access the system's data. Permissions are the set of rules that determine that access to data. Overall, this is called user management.
Specifically, "user management" means three things:
- First, a user model that can store user credentials and other information.
- Second, a set of user-related functionality, such as log in, log out and password change.
- Third, the permissions to access classes and their objects.
Let's analyze them in order.
Managing users and authentication requires a data model. At the very least, we should have a class to store user credentials (user name and password). Also, groups and group membership should be stored somewhere.
We could start modeling such classes from scratch, but to make life easier, Portofino can create a predefined model at the press of a button. Specifically, you have to do the following steps:
- go upstairs,
- click on the "Meta user groups" tab,
- click on "create user model" link.
Portofino takes you to a page where it points out the operations it performs.
Portofino creates the "User", "UserGrp" and "User_UserGrp" classes, as well as a number of attributes for them. It sets the permissions on these classes. It creates the "Users", "User Administrators" groups. Finally, it creates a default user "admin".
You can click on the "Classes" tab and inspect the newly created model. While you are upstairs, you can also click on "Meta users groups" and check that there are two new objects: "Users" and "User Administrators".
Finally, if you go downstairs, you can see that there are two new tabs ("Users" and "User groups") and that a few objects have been prepopulated.
Creating the user model does not by itself enable authentication in Portofino; your configuration may still have user management switched off. Check your portofino-custom.properties file to make sure it contains the following line:
If you also want to disable anonymous access to the system, i.e., to force users to log in, add the following as well:
If you have modified the file, restart the application server to make the changes effective. Then go downstairs and log in using the "admin" credential.
When you've logged in, you will find a link with your user name in the top right corner. Clicking it takes you to your "MyHomepage", where you can change your password, modify your login and email address, check your user groups and create new users (if you belong to "User Administrators").
Portofino controls access to application objects through permissions defined upstairs on classes.
To introduce permissions, we'll study what permissions Portofino has already defined for the basic user model, and specifically for the "User" class. The "User" class is just like any other class in your application, so you can easily extend these concepts and apply them to your other application classes.
Upstairs, click on the "Classes" tab, then on "User" and finally on the "Permissions" button. The following permission matrix is shown.
Notice that there are two actors: "Users" and "User Administrators".
A member of the "Users" group (A1)
- cannot create nor delete users,
- can (r)ead "login" and "email",
- has no rights (-) on "password".
While a member of "User Administrators" (A2)
- can create and delete users,
- can read/(w)rite the "login", "email" and "password" attributes.
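To make the matrix above concrete, here is a small model of how these rights are evaluated. It is an added illustration, not Portofino's own code: the User, UserGrp and User_UserGrp classes are represented as plain Python structures with constructed sample rows, and the matrix reproduces the default rights the tutorial lists for the "User" class. The names of the helper functions (`groups_of`, `can`, `visible_attributes`) are assumptions made for this example.

```python
"""Toy model of the permission matrix described in the tutorial.

Constructed illustration, not Portofino's own code. Class-level rights
(create/delete) and per-attribute rights ("r", "rw" or "-") are keyed by
actor, i.e. by group, exactly as in the matrix for the "User" class.
"""

# Actor -> rights on the "User" class. Values mirror the tutorial's matrix.
PERMISSIONS = {
    "User": {
        "Users": {
            "create": False,
            "delete": False,
            "attributes": {"login": "r", "email": "r", "password": "-"},
        },
        "User Administrators": {
            "create": True,
            "delete": True,
            "attributes": {"login": "rw", "email": "rw", "password": "rw"},
        },
    }
}

# Constructed sample data standing in for User, UserGrp and User_UserGrp.
USERS = {"admin", "alice", "bob"}
GROUPS = {"Users", "User Administrators"}
USER_USERGRP = {  # membership rows (user, group)
    ("admin", "User Administrators"),
    ("alice", "Users"),
    ("bob", "Users"),
    ("bob", "User Administrators"),
}


def groups_of(user):
    """Groups a user belongs to, read from the User_UserGrp rows."""
    return {g for (u, g) in USER_USERGRP if u == user}


def can(user, cls, operation, attribute=None):
    """Evaluate one access request.

    operation is "create", "delete", "read" or "write"; read/write also
    need an attribute name. Rights are the union over the user's groups,
    so a user in both groups gets the more permissive answer. Unknown
    classes, attributes or groups deny (default deny).
    """
    matrix = PERMISSIONS.get(cls, {})
    for group in groups_of(user):
        actor = matrix.get(group)
        if actor is None:
            continue
        if operation in ("create", "delete"):
            if actor[operation]:
                return True
        elif operation in ("read", "write"):
            mode = actor["attributes"].get(attribute, "-")
            if operation == "read" and mode in ("r", "rw"):
                return True
            if operation == "write" and mode == "rw":
                return True
    return False


def visible_attributes(user, cls):
    """Attributes the user may read, sorted (what a list page would show)."""
    matrix = PERMISSIONS.get(cls, {})
    attrs = set()
    for group in groups_of(user):
        for name, mode in matrix.get(group, {}).get("attributes", {}).items():
            if mode in ("r", "rw"):
                attrs.add(name)
    return sorted(attrs)


if __name__ == "__main__":
    for u in sorted(USERS):
        print(u, sorted(groups_of(u)), visible_attributes(u, "User"),
              "create:", can(u, "User", "create"),
              "write password:", can(u, "User", "write", "password"))
```

Note the two design points the matrix implies: a user's effective rights are the union over all groups the user is a member of, and anything not explicitly granted (a class or attribute with no entry, or "-") is denied.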
You've probably noticed that Portofino has created (upstairs) the class "Meta User groups" and (downstairs) the class "User groups" with the same "Users" and "User Administrators" objects. They are different perspectives on the same thing:
- Upstairs, modelers manage Meta User Groups to define permissions.
- Downstairs, user administrators manage User Groups to associate users with groups. These associations make the permissions defined upstairs take effect.
Portofino keeps the meta user groups upstairs in sync with the user groups downstairs. Whatever you do to one (create, update, delete) is reflected on the other.
As a useful exercise, while upstairs, you can inspect the standard permissions set on the "UserGrp" and "User_UserGrp" classes.
Also, while on the permission page, you can click on "Manage actors" to get a glimpse of where actors come from. We'll return to this subject in another tutorial.
While downstairs and logged in as admin, you can create two users who belong respectively to "Users" and "User Administrators". Then log in as either user and check their permissions.
Finally, you can customize the user model by adding new attributes (e.g. name, surname, phone number) and setting permissions on them.
For further reading I suggest: