Full Access Privileges Control Block

Idea created by Malcolm on Oct 30, 2017


    Scripts can be set to run with full access privileges. I would like to do the same for a block of steps within a script, giving several script steps the higher privileges.


    Why this idea is important

    User privileges play an important role in data security. Providing an alternative method for controlling privileges within a script gives the developer greater control and makes it easier to implement strong security settings.


    Use cases

    In a system that makes use of privilege sets we quickly discover that the rules are not black and white. For instance, in general we may not want to allow one group to delete records. However, there will always be exceptions to this rule. Perhaps they can be allowed to delete records that have an incomplete data set, or any other reason.


    We can already do this by creating rules within the privilege set which handle these cases. Unfortunately, complex rules in the privilege set can have an adverse effect on the performance of the database. Sometimes it is necessary to create fields which are used to manage these business rules. In some cases it is much easier to say that the group is not allowed to delete any records and then control any exceptions to the rules through scripts.


    When writing the scripts that manage these processes we typically write a set of small scripts that perform a single task, such as delete a record, and we give these scripts the ability to run with full access privileges. Then, within a script running with normal privileges, if the conditions are right, we use the Perform Script step to call the script that will run at full access privileges. It would be simpler and easier, during scripting, if we could simply wrap one or more script steps in a "Run with Full Access Privileges" block.
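
The sub-script pattern described above, written out as FileMaker script steps. This is an added example, not part of the original idea post. The `Invoice` table, its fields and both script names are hypothetical, and "incomplete" is assumed to mean an empty `Invoice::CustomerID`. The privileged script re-checks the condition itself, because once it runs with full access the privilege set no longer blocks the delete.

```filemaker
# Script: "Delete Incomplete Invoice" (hypothetical name)
# Runs with the user's normal privileges; the privilege set denies delete on Invoice.
Set Error Capture [ On ]
If [ IsEmpty ( Invoice::CustomerID ) ]
    # Condition met: hand the single privileged action to the sub-script.
    Perform Script [ Specified: From list ; "Delete Invoice (Full Access)" ; Parameter: Invoice::InvoiceID ]
    If [ Get ( ScriptResult ) ≠ 0 ]
        Show Custom Dialog [ "Delete failed" ; "Error " & Get ( ScriptResult ) ]
    End If
Else
    Show Custom Dialog [ "Not allowed" ; "Only incomplete invoices can be deleted." ]
End If

# Script: "Delete Invoice (Full Access)" (hypothetical name)
# "Run script with full access privileges" is enabled for this script.
Set Error Capture [ On ]
# Re-validate here rather than trusting the caller: the current record must be
# the one passed in, and it must still be incomplete. -1 is a constructed
# "refused" result code, not a FileMaker error number.
If [ Invoice::InvoiceID ≠ Get ( ScriptParameter ) or not IsEmpty ( Invoice::CustomerID ) ]
    Exit Script [ Text Result: -1 ]
End If
Delete Record/Request [ With dialog: Off ]
# Return the delete's error code (0 on success) to the calling script.
Exit Script [ Text Result: Get ( LastError ) ]
```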