6 Replies Latest reply on Jan 16, 2012 5:54 PM by Twistan

    How to retrieve the privilege set belonging to a specific account ?

    Twistan

      Title

      How to retrieve the privilege set belonging to a specific account ?

      Post

      Hello,

      I am working on a script for a stand-alone FM11 database to revert passwords.

      My database has 4 privilege sets:

      Level 1: [Read Only], FM default set

      Level 2 : [Edit Data Only], FM default set

      Level 3: Limited Admin, custom privileges, no design privileges

      Level 4 : Full Access,  FM default set

      Only level 3 and 4 shall be allowed to revert passwords. Level 1 and 2 users can only change their own current password.

      However, I have to prevent level 3 users from changing the password of level 4 accounts.

       

      Is there a way how to retrieve the privilege set belonging to a specific account (without first creating searchable records with the user accounts and their privileges) ?

      Thanks for sharing your knowledge and experience.

      Twistan

       

        • 1. Re: How to retrieve the privilege set belonging to a specific account ?
          Sorbsbuster

          We do it by creating a table of custom-added account names, password, and privilege sets.  Apart from allowing users to change their own password after logging in, how are you achieving that anyone can change another user's password (with no separate table)?  If you are using the 'Reset Account Password' script step then it only runs for users who have full access privileges, so if they do have, then they can change any password.  If they don't have full privileges then you have to check the box 'Run with full access...', and then if you use the script step 'Get (PrivilegeSet ) is will return 'Full Access', so that's no help to you.

          If you are only ever going to use this one file, entirely under your control, the you could hard-code into the script the various user names that are allowed to do the various things.  However if the users keep changing, or there are more than a few, or there will be copies that you will not be the direct controller of, I'd just create another table.

          Maybe someone else has a neater answer to Get the privilege set of a user not actually logged in

          • 2. Re: How to retrieve the privilege set belonging to a specific account ?
            Twistan

            Thanks again for your thoughts.

            Just as an addendum, I use the Change Password script (as opposed to Revert Password) for level 1 and 2 users, so that they can only change their own current password.

            Of course, if  Level 3 users do not know the name of the Level 4 account(s) they would not be able to revert the passwords of Full Access Level 4 accounts because they have to enter the account name.

            Still, unless there are important security ramifications, it would be very practical to be able to retrieve the privileges belonging to a specific account.

            Regards,

            Twistan

            • 3. Re: How to retrieve the privilege set belonging to a specific account ?
              Sorbsbuster

              "I use the Change Password script (as opposed to Revert Password) for level 1 and 2 users" - be careful - you could have let them do that without any script.  So have you disabled that feature for the other privilege sets (in their Privilege Set definition)?

              • 4. Re: How to retrieve the privilege set belonging to a specific account ?
                Twistan

                Hi,

                sorry for the late response but I was working on a controlled script to create new records.

                Because of the problem that, when clicking on the background or when leaving fields, FM brings up the vexing commit record dialogue, I did some research and I found the following DevCon video by Todd Geist, which I can recommend to all readers: 

                http://www.geistinteractive.com/2011/08/09/understanding-commit-record-video/

                It demonstrates vert nicely how and when FM commits/saves edits.

                In regard to your comment: I prefer to disable most if not all FM menu commands and I also disable the toolbar, including the new Quick Search, which I found quite useless because it does not find search terms when they only occur in the middle of a word. Therefore I do not want to use the menu change password command.

                 

                Regards,

                Twistan

                • 5. Re: How to retrieve the privilege set belonging to a specific account ?
                  Sorbsbuster

                  I'm not sure where you think I was coming from - I was only trying to point out that just because the File -> Change Password menu command isn't visible doesn't mean that they can't change their password.  They can still opt to change their password at log-on, unless that option has been disabled in their privilege set.

                  • 6. Re: How to retrieve the privilege set belonging to a specific account ?
                    Twistan

                    Thanks again, yes, I was aware of the possibility to change one's password at log-in.

                    To solve the initial problem that I described I think that I need to create a separate table which stores accounts and privilege sets just as you suggested before.

                    I have not found another way of doing this.

                     

                    Regards,

                    Twistan