Collection Security

I have set up users, user groups and access control lists for my test database. The way I interpreted the documentation was that, as long as these were set up, an anonymous user could not access your database. The test I’m using is typing the following URL into my browser and seeing if it will let me in.

http://tamino.qatar.tamu.edu/tamino/tamuqtest/TAMUQ.SMSMessageV2/xcard/@2

As of right now it lets me in without objection. Any suggestions on what I may be missing? Thanks for your help.

In case anybody else makes the same mistake, do the following:

- log into system management hub
- select tamino > databases > yourDatabase > properties > XML
- Modify authentication from server to Tamino

Hello,

First of all, you will need to use some kind of authentication if you want security in Tamino. The way your server seems to be set up right now, you are not using any authentication; otherwise the browser should certainly prompt for a userid and password when sending requests to Tamino.

If you don’t have either the web server or Tamino do any authentication, then all requests coming to Tamino will be assigned to the default group.

As far as I can see, the name of your database is “tamuqtest” and in the collection ino:security (http://tamino.qatar.tamu.edu/tamino/tamuqtest/ino:security?_xql=/ino:group) there is no group with that name, which means that you don’t have a default group defined, which in turn means that all users assigned to the default group have no access limitations and can therefore access all data in your database.

regards,
Heiko Weber