What's all this Security Group stuff anyway?

Discussions related to order tracking development with the ProForm module.

Moderator: Phil Barton

BobRichards
Posts: 1377
Joined: Wed Jan 15, 2014 3:50 pm
Location: Raleigh, NC

What's all this Security Group stuff anyway?

Post by BobRichards »

What is a Security Group
At a high level, groups are collections of users that share the same permissions. The permissions assigned to a group will apply to every user that is a member. Groups can be added to other groups to associate groups of users en masse to enable additional permissions. There is no requirement that groups require any permission changes. Some groups are used by software to enable user functionality by just adding the user to the group.

A security group is an ISecurityIdentity object with basic properties like Name, Description, etc. One difference between Groups and Users is that Groups cannot be disabled (Enabled property always returns true). Also, a group can hold many types of properties that add/remove users and other groups. You can also add Profiles, Workflow Roles, and Positions.

Notes
  • In the thread below, we will demonstrate how to create Select Security Groups and use them. As is usual, we will be omitting the validation steps that should be part of any production code. For example, you should test return types when using filtering operations so you don't add null to a collection.
  • Permissions can be set to deny access as well but we will not go into that here. More information is available on-line by starting Select, pressing F1, then searching for security.
Bob Richards, Senior Software Developer, SoftPro

Re: What's all this Security Group stuff anyway?

Post by BobRichards »

Create a Security Group
The minimum requirement to create a security group is to get a new group object from Select, set a few string properties, then save the group.

Code:

public void CreateSecurityGroups(SelectServer ss)
{
    // Create new Select group and set properties.
    var secMgr = ss.GetService<ISecurityManager>();
    ISecurityGroup group = secMgr.NewGroup(new SelectIdentityDescriptor());
    group.Description = "The Group Description";
    group.Name = "The Group Name";
    group.FullName = "The Group FullNname";

    AddGroupCollections(ss, group);  // We'll talk about this later.

    secMgr.ApplyChanges(group);
}
This results in the following new group being created in Select. The "AddGroupCollections" method will be defined below. Comment it out for now if you try to run this code.
[Image: NewGroup.jpg]
Bob Richards, Senior Software Developer, SoftPro

Re: What's all this Security Group stuff anyway?

Post by BobRichards »

See if Current User is in Security Group

Typically we want to see if our currently logged in user is a member of a Security Group. In this example, I don't care if the user has been added to the group directly or if another group of users has been added to our target group. The code below gets the current user and gets all the groups that they are a part of. (Put in a breakpoint here and take a look at all the groups.)

Lastly we filter the list of groups to look for our target group we just created - "The Group Name". We return true if we are a group member.

Code:

public bool IsMatch(SelectServer ss)
{
    // Get current user's sec ID.
    var secMgr = ss.GetService<ISecurityManager>();
    ISecurityIdentity user = secMgr.Identities
        .Where(i => i.ID == secMgr.CurrentSecurityIdentityID)
        .FirstOrDefault();

    // Filter system identities from results (remove Automation and System users)
    IList<ISecurityIdentity> userGroups = secMgr.Identities
        .Where(t => !t.IsSystem && !t.Deleted && t.IsGroup)
        .HavingMember(user, InheritanceBehavior.All)
        .ToList();

    // See if our current user is in the target group and return result.
    return userGroups.Any(t => t.IsGroup && t.Name == "The Group Name");
}
Note: HavingMember() Method
In all the code I have written in ten years, I have never cared how the user was included in the group. But if you care...
  • InheritanceBehavior.Direct - Only returns groups where the user is in the target group's "Members" tab.
  • InheritanceBehavior.Inherited - Only returns groups where the user is a member of a "group" that is in the target group's "Members" tab.
  • InheritanceBehavior.All - Returns groups where the user, or a group including the user, is in the target group's "Members" tab.
Bob Richards, Senior Software Developer, SoftPro
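
The three InheritanceBehavior modes described in the post above, modelled as a stand-alone added example (not code from the original thread and not SoftPro's implementation). The Group, Inheritance and Membership types are hypothetical stand-ins that use no Select API, and the model assumes inherited membership follows nested groups to any depth.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins, not SoftPro types. A group's member list holds users and groups.
enum Inheritance { Direct, Inherited, All }
class Group
{
    public string Name;
    public readonly HashSet<string> Users = new HashSet<string>();  // users listed directly
    public readonly List<Group> MemberGroups = new List<Group>();   // groups listed as members
}

static class Membership
{
    // True if 'user' reaches 'g' through a member group at any depth; 'seen' stops cycles.
    static bool ViaNested(Group g, string user, HashSet<Group> seen)
    {
        if (!seen.Add(g)) return false;
        return g.MemberGroups.Any(m => m.Users.Contains(user) || ViaNested(m, user, seen));
    }

    public static List<string> GroupsHavingMember(IEnumerable<Group> all, string user, Inheritance mode)
    {
        return all.Where(g =>
        {
            bool direct = g.Users.Contains(user);
            bool inherited = ViaNested(g, user, new HashSet<Group>());
            if (mode == Inheritance.Direct) return direct;
            return mode == Inheritance.Inherited ? inherited : direct || inherited;
        }).Select(g => g.Name).ToList();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample: alice is listed in Closers and in "The Group Name";
        // Escrow contains Closers; "The Group Name" and Escrow contain each other (a cycle).
        var closers = new Group { Name = "Closers" }; closers.Users.Add("alice");
        var escrow = new Group { Name = "Escrow" }; escrow.MemberGroups.Add(closers);
        var target = new Group { Name = "The Group Name" }; target.Users.Add("alice");
        target.MemberGroups.Add(escrow); escrow.MemberGroups.Add(target);
        var all = new[] { closers, escrow, target };
        foreach (Inheritance mode in Enum.GetValues(typeof(Inheritance)))
            Console.WriteLine(mode + ": " + string.Join(", ", Membership.GroupsHavingMember(all, "alice", mode)));
    }
}
```

In this sample, Escrow is reported only for Inherited and All, so a permission check written with Direct would miss a user who holds membership solely through a nested group.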

Re: What's all this Security Group stuff anyway?

Post by BobRichards »

Add Other Properties to the User Group Collections

Now that we have the basics out of the way, let's see what other properties we can add to User Groups.

Code:

public void AddGroupCollections(SelectServer ss, ISecurityGroup group)
{
    // Optionally add existing users. Here we are adding the current user!
    var secMgr = ss.GetService<ISecurityManager>();
    group.Members.Add(secMgr.GetUser(secMgr.CurrentSecurityIdentityID));

    // Optionally add existing groups.
    group.Groups.Add(secMgr.Identities.Where(t => t.IsGroup && t.Name == "Default").FirstOrDefault());

    // Optionally add existing profiles.
    var profileMgr = ss.GetService<IProfileManager>();
    group.Profiles.Add(profileMgr.Profiles.Where(t => t.Path == "Default\\A\\B").FirstOrDefault());

    // Optionally add Workflow Roles (i.e. Abstractor, Closer, etc.)
    var roleMgr = ss.GetService<IRoleManager>();
    group.Roles.Add(roleMgr.Roles.Where(t => t.Name == "Closer").FirstOrDefault());

    // Optionally add Positions (i.e. Escrow Assistant, Escrow Officer, etc.)
    var posMgr = ss.GetService<IPositionManager>();
    group.Positions.Add(posMgr.Positions.Where(t => t.Name == "Title Officer").FirstOrDefault());
}
Bob Richards, Senior Software Developer, SoftPro