Access control and permissions

In this section, we'll go over how you can secure Form Runner and Form Builder. For access control, Orbeon Forms leverages and delegates some work to external security infrastructure. In particular, you define users and their roles/group outside of Orbeon Forms.

Access control touches on the following:

• Form definitions – Which users (in this case also known as form authors), can create, edit, or view form definitions.

• Published forms – Which users can access a deployed form? If they can access the form, what operations (such as creating, viewing, editing, deleting) are allowed?

• Form fields – If users can access the form, can she access a particular field or group of fields? If so, can the field be changed or just viewed?

The following pages address specific topics:

• - How to setup Orbeon Forms so that users and roles are provided.

• - Optional user menu for providing links to login and logout functions.

• - How to control access to deployed forms.

• - How to control access to specific form fields based on the user user's roles.

• - How to control access to Form Builder.

• - Access based on ownership and groups.

• – Access based on organizational structure.

• - Token-based permissions