restricting access to admin usergroup?

Hi Ray, I created a security > access groups called admin. In my user database I have usergroups 1 and 2. 1 for customers, 2 for admins. In the admin access groups I added all the emails of those who are admins. The issue is that once anyone is logged in, I can't restrict access to admin pages. The customers need to be logged in to be able to see the wholesale catalog. I am not sure I am going about this correctly. My DB has tables for usergroups and users. In users, I also have a field for user groups, but when I created administration pages in the wizards, the server behaviors do not see the user group field. When I try to add dynamic text to the behaviors, it doesn't show that usergroup field. The wizard said something about the fields not matching and some would be dropped. but my table field names match the one WA created. https://www.screencast.com/t/wrh8Uvm4Mvj

You should update your login page to store the access group in the session. Then you can create a rule based on the value of the session variable for admin and customers.

Do I have to rerun the entire security access wizard to do that? I keep looking in server behaviors and bindings but don't see a way to add it.

BTW.... switching from root to relative on the site preferences makes all your wizards run a lot faster. Go figure!

No, just open the authenticate user server behavior on the login page and then update the security assist rule directly from the webassist menu.

You almost never re-enter a wizard once it has run.

thanks. I think I would need an example of what you are saying or a more complete explanation. I went to the auth user behavior and then to SA>Authenticate User and it seems if I add usergroup to this, it would exclude customers. It would apply the rule to all logins. Maybe I should just set up a separate login for admin pages?

You add the usergroup in the Save Value tab, not in the Filter tab. It just saves that value in the session so you can use it in your security assist rule when you want to.

You could do separate logins if you wanted.

I have the same problem and therefore write my post here instead of creating a new one.

I want restrict access to my admin pages. So that only those who are logged in as admin can access these pages (userGroupID: 1). I have tried to understand how this works, but it's not working.

I have two different Security Pages on my site. One is in the admin folder. and the other is directly in the root for users (I do not know if this is optimal, or how to do this otherwise).

Table Usergroup. This is what my usergroup table looks like. (fig1.png)
-
# 1. registration.php (for users): Here I have assigned the value 2 to UserGroupID in the insert record. (fig2.png)
-
# 2. login.php. Here I have assigned UserGroupID the same session name as UserID. (fig3.png)
-
# 3. I have created two groups from Access Group Manager. Group 1: Name: admin, Member: admin. Group 2: Name: user, Member: user. (fig4.png, fig5.png)
-
# 4. I have duplicated "Logged in to users" from Access Rules Manager. I have named this new rule: "Logged in as admin". I have chosen "In group" as Criteria, and "admin" as Compare to. (fig6.png)
-
# 5. I have opened a page that I want to restrict access to (in admin folder). Then I chose WebAssist -> SecurityAssist -> SecurePage. Then I have selected "Logged in as admin" as a rule grant access if, and a default page as if access denied. (fig7.png)
-
# 6. If I want to change this rule, it says "Not Logged in as admin" as grant access if. Why? This is not true and is confusing. I just assigned it to "Logged in as admin".(fig8.png)

Are these steps correct, or have I missed something?

You can delete your access groups. Since you have two types of user that are identified with a single session variable, groups is over-complicating it.

You can just use three access rules without groups. Groups is for creating lists of users and grouping them... like if you wanted users 4,8,10 to be admin. You are already grouping your users in your database and saving the group in the session.

Your access rules could just be:

Admin = Allow if: session variable SecurityAssist_UserID has value = 1
User = Allow if: session variable SecurityAssist_UserID has value = 2
Logged In = Allow if: session variable SecurityAssist_UserID does not equal "" (blank)

Sorry, but I do not understand. If I just set $ _SESSION ['SecurityAssist_UserID'] to 1, there will be no change. The idea is right. That is, 1 should be for admin. But here's something missing? See picture.

On your login page, update your Authenticate User server behavior to save the user group value in the session. Then you can use that session variable to differentiate between groups in your security assist rules.