1. Field of the Invention
The invention relates generally to techniques for controlling access to components of a highly-configurable system for controlling processes.
2. Description of Related Art
Whenever data is shared by a number of users of a system implemented by programming a computer, provision must be made for limiting access by the users to the data. That is generally done by defining permissions indicating how an item of data may be accessed and giving a user only those permissions that are required for his or her function. For example, in a file system, the classic permissions are read, write, and execute. The read permission permits the user to read the file, write permits the user to modify the file, and, if the file is a program file, execute permits the user to execute the file. A particular user may have any combination of the permissions with regard to a particular file. Thus, the author of a program may have read, write, and execute permissions with regard to the program file, while a user of the program may have only the execute permission.
In the configurable process control system described in the parent of the present patent application, part of what could be configured was permissions. The mechanism for doing so was to relate users of the system to projects and to relate each member of a project to a group within the project. Each group had a group category which determined the permissions for the members of the group. There were two broad categories of permissions: overall permissions regarding the process records for a process being controlled by the system and Can View and Can Edit permissions regarding user-defined fields in the process records and in certain other tables. These permissions were defined for the different group categories. In the configurable process control system of the parent, who could view a process record was further limited only by project membership. Each process record belonged to a project and any member of a project could view the process records for his or her project.
While the foregoing arrangements were adequate for some purposes, they were inadequate for others; in particular, they did not sufficiently limit the users who could view process records nor did they distinguish between creating or deleting a value for a user-defined field and modifying an existing value. It is an object of the inventions disclosed herein to solve these problems of the system disclosed in the parent of the present application and other such systems.
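The parent system's scheme and the two gaps named above can be shown in a short sketch. This is an added example, not code from the patent or from the system it describes: the class, field and user names are hypothetical, groups are collapsed into their group category, and the overall process-record permissions are left out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class GroupCategory:
    """Permissions attach to the group category, not to the individual user."""
    name: str
    can_view: frozenset   # user-defined fields members may view
    can_edit: frozenset   # user-defined fields members may edit

@dataclass
class ProcessRecord:
    record_id: str
    project: str
    fields: dict = field(default_factory=dict)

class ParentModel:
    """Hypothetical model of the earlier scheme (names are assumptions)."""
    def __init__(self):
        self.membership = {}   # (user, project) -> GroupCategory

    def add_member(self, user, project, category):
        self.membership[(user, project)] = category

    def can_view_record(self, user, record):
        # Gap 1: the only limit on viewing a record is project membership.
        return (user, record.project) in self.membership

    def visible_fields(self, user, record):
        cat = self.membership.get((user, record.project))
        if cat is None:
            return {}
        return {k: v for k, v in record.fields.items() if k in cat.can_view}

    def write_field(self, user, record, name, value):
        """Apply a write and return which kind of operation it was."""
        cat = self.membership.get((user, record.project))
        if cat is None or name not in cat.can_edit:
            raise PermissionError(f"{user} may not edit {name!r}")
        # Gap 2: Can Edit is a single check, so create, modify and
        # delete are all allowed or all refused together.
        if value is None:
            record.fields.pop(name, None)
            return "delete"
        op = "modify" if name in record.fields else "create"
        record.fields[name] = value
        return op

# Constructed sample categories.
AUDITOR = GroupCategory("auditor", frozenset({"risk"}), frozenset())
ANALYST = GroupCategory("analyst", frozenset({"risk"}), frozenset({"risk"}))
```

Any user added to a project with either category can view every process record of that project, and a user whose category has Can Edit on a field can create, overwrite or delete its value without distinction.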