User Guide

Overview of User Security
User security authenticates users when they log into a ColdFusion application, and
then assigns privileges based on group membership or other criteria that you
determine. For example, suppose you use ColdFusion to build and host your
company's intranet. The Human Resources department maintains a page on the
intranet on which all employees can access timely information about the company,
such as the latest company policies, upcoming events, and job postings. You want
everyone to be able to read the information, but you want only certain authorized
Human Resources employees to be able to add, update, or delete information.
In addition, you might want to let employees view customized information about
their salaries, job levels, and performance reviews. You certainly would not want one
employee to view sensitive information about another employee, but you would
want managers to be able to see, and possibly update, information about their direct
reports. User security authenticates and authorizes users each time that they try to
access or work with sensitive data.
User security is made up of two components:
• Security contexts, configured on the Advanced Security page of the ColdFusion
Administrator. A security context provides the framework against which to
authenticate and authorize users.
• Code you write in your application pages that checks against a security context to
see whether a user is allowed to access a particular resource and then takes
appropriate action.
Before you can implement user security in your applications, you must make sure
that your ColdFusion administrator installed Advanced Security on the server and
configured the appropriate security framework for your application. After the
security framework is in place, you can code security features into your ColdFusion
applications. For detailed information about installing Advanced Security and
setting up a security framework, see Advanced ColdFusion Administration.
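The Human Resources scenario above, worked through in ColdFusion 4.x Advanced Security code. This is an added example written for this page, not code from the guide; it uses the CFAUTHENTICATE tag and the IsAuthenticated, IsAuthorized and AuthenticatedUser functions, and assumes that the administrator has already created a security context named HRIntranet with a user object resource Postings carrying the actions Read and Update, a data source named HRIntranet with Postings and Employees tables, and a login.cfm page. All of those names, the page names and the form fields are assumptions made for the example. The security-relevant point is in the last file: hiding the Edit link is presentation, and the authorization check on the page that performs the update is what actually enforces the policy.

```cfml
<!--- Application.cfm (assumed file): runs before every page in the application --->
<CFAPPLICATION NAME="HRIntranet" SESSIONMANAGEMENT="Yes">

<!--- Assumption: security context "HRIntranet" exists in the Administrator --->
<CFSET SecurityContext = "HRIntranet">

<CFIF NOT IsAuthenticated()>
    <CFIF IsDefined("Form.Username") AND IsDefined("Form.Password")>
        <!--- The security context verifies the credentials; this page never sees
              a password store. THROWONFAILURE="No" lets us fall through to the
              login form instead of raising an exception on a bad password. --->
        <CFAUTHENTICATE SECURITYCONTEXT="#SecurityContext#"
                        USERNAME="#Form.Username#"
                        PASSWORD="#Form.Password#"
                        SETCOOKIE="Yes"
                        THROWONFAILURE="No">
    </CFIF>
    <CFIF NOT IsAuthenticated()>
        <!--- Still anonymous: show the login form and stop processing the
              requested page so nothing below this point runs unauthenticated --->
        <CFINCLUDE TEMPLATE="login.cfm">
        <CFABORT>
    </CFIF>
</CFIF>

<!--- postings.cfm (assumed file): every employee may read; only users the
      context authorizes for "Update" on the "Postings" user object see Edit --->
<CFSET CanUpdate = IsAuthorized("UserObject", "Postings", "Update")>

<CFQUERY NAME="GetPostings" DATASOURCE="HRIntranet">
    SELECT PostingID, Title, Body FROM Postings ORDER BY PostingID DESC
</CFQUERY>

<CFOUTPUT QUERY="GetPostings">
    <h3>#HTMLEditFormat(Title)#</h3>
    <p>#HTMLEditFormat(Body)#</p>
    <CFIF CanUpdate>
        <a href="editposting.cfm?PostingID=#URLEncodedFormat(PostingID)#">Edit</a>
    </CFIF>
</CFOUTPUT>

<!--- An employee's own salary record: scope the query to the authenticated
      user name the context reports, never to a user name taken from the URL --->
<CFQUERY NAME="GetMyRecord" DATASOURCE="HRIntranet">
    SELECT Salary, JobLevel FROM Employees
    WHERE UserName = <CFQUERYPARAM VALUE="#AuthenticatedUser()#"
                                   CFSQLTYPE="CF_SQL_VARCHAR">
</CFQUERY>

<!--- updateposting.cfm (assumed file): the server-side check that matters.
      Anyone can request this URL directly, so the check is repeated here. --->
<CFIF NOT IsAuthorized("UserObject", "Postings", "Update")>
    <CFABORT SHOWERROR="You are not authorized to update postings.">
</CFIF>

<CFQUERY DATASOURCE="HRIntranet">
    UPDATE Postings
    SET Title = <CFQUERYPARAM VALUE="#Form.Title#" CFSQLTYPE="CF_SQL_VARCHAR">,
        Body  = <CFQUERYPARAM VALUE="#Form.Body#"  CFSQLTYPE="CF_SQL_LONGVARCHAR">
    WHERE PostingID = <CFQUERYPARAM VALUE="#Form.PostingID#"
                                    CFSQLTYPE="CF_SQL_INTEGER">
</CFQUERY>
```

Two checks a practitioner would want to confirm on a real server: that the authentication cookie set by SETCOOKIE="Yes" is only ever sent over an encrypted connection, since it stands in for the user's credentials on later requests, and that every page performing a write carries its own IsAuthorized call, because the check in the page that renders the Edit link protects nothing on its own.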