Configuring System Environments > Menu Extension Configuration File > Setting Menu Extension Security
  
Setting Menu Extension Security
With the <SecurityConstraint> element, you can define a key that specifies a group of roles and users that are subject to a security constraint. You can then refer to that key as an attribute in a <ShellMenu> or <ShellMenuItem> element, which specify the external menus and menu items. In this way, you can limit the availability of menus or menu items.
For example, you could define an admin security constraint key that applies to some roles (admin, qadadmin) and users (mfg), as follows:
 
<SecurityConstraint key="admin" constraint="allow">
<Role>admin</Role>
<Role>qadadmin</Role>
<User>mfg</User>
</SecurityConstraint>
With the constraint attribute set to allow, only the admin roles or users can access menus defined in a <ShellMenu> element that includes a security attribute set to admin:
<
ShellMenu key="images" menuType="application" label="Example Menu" security="admin">
...
</ShellMenu>
Use of the security attribute in <ShellMenu> is optional, so if it is not used there are no security constraints on that particular menu set.
With the above setup, you will see Example Menu and everything under it in the QAD .NET UI only if you are the user mfg or have the admin or qadadmin roles.
The menu extension configuration file does not define the roles and users in the system; it only identifies the ones to which it applies security constraints.
You can also define a security constraint key with constraint=deny. In this case, the roles and users in the security constraint key definition are denied access to any <ShellMenu> (or <ShellMenuItem>) element with the security attribute set to that key. Further, those roles and users are denied access to any items defined below the initially denied element in the hierarchy, even if another security constraint key further down in the hierarchy has been set that allows them access.
You can control how the menu extension configuration file gets applied depending on how it is named and where you put it, which can affect how security constraints are applied.