5 Replies Latest reply on Feb 12, 2009 9:02 PM by allotrope

    Issue with get(privilegesetname)

    allotrope

      I have a script that needs to set values in fields that are restricted via privilege set (external authentication). Only the administrator has write access to these fields. In order for regular users to set the values, I need to run the script with full privileges. My problem is that only one group of users is allowed to run this script, but I can't test using Get(PrivilegeSetName) since it will always evaluate to "Full Access" since the script is running under full access.

       

      The only way I can get around this conundrum is to set their privilege set as a global and test the global when running the script. But how can I protect this field from being modified manually by the users? They simply have to place the field on one of the layouts to which they have editing access and they can edit the value to give themselves access. Using a variable is a little more secure, but only because there is no easy way to get the variable name (once they find out the variable name, they can get around the security).

       

      Is there a secure way to do this? Or is the variable the only way available?

        • 1. Re: Issue with get(privilegesetname)
          Orlando
            

          Hi allotrope

           

          That is quite an interesting issue with that Get function; I had not noticed it before.

           

          Having had a quick test, a way around this would be for you to set up a separate sub-script that simply had the step Set Variable [ $$Privilege ; Get ( PrivilegeSetName ) ] and do not set the 'Run script with full access privileges' option.

           

          Call this script using the Perform Script step before doing the test on the user's privilege set, and then test on the global variable $$Privilege.

           

          That is one way around it.

          • 2. Re: Issue with get(privilegesetname)
            allotrope
              

            Hi Orlando,

             

            Yes, that is more or less what I described in my message. But the user still has a way to access and modify that variable. My users have limited access to certain layouts and have the ability to create new layouts as well as new scripts (so they can create new label layouts, reports, etc. and scripts to run them). They only have access to their scripts, but even with these limited permissions, they can easily circumvent the security model that we are proposing.

            • 3. Re: Issue with get(privilegesetname)
              Orlando
                

              Are all the customisable actions related to print layouts and reports?

               

              Another option to think about may be to give them a separate interface file for their printing and reporting. They can modify it as much as they like and not affect the main system, which remains completely locked down.

               

              You could then have report tables you import the required data into, so they can modify calcs etc. without affecting the main data.

               

              Just a thought.

              • 4. Re: Issue with get(privilegesetname)
                comment_1
                  

                You need two scripts, for example:

                 

                If [ Get (PrivilegeSetName) = <something> ]
                  Perform Script [ SubScript ]
                End If

                 

                Set only the subscript to run with full privileges.

                 

                 

                In version 8 and above you can do this a bit more elegantly:

                 

                Perform Script [ Check Privileges ]
                If [ Get (ScriptResult) = <something> ]
                  # Do some stuff
                End If

                 

                Here, the main script is set to run with full privileges. The subscript 'Check Privileges' does only this:

                 

                Exit Script [ Result: Get (PrivilegeSetName) ]

                • 5. Re: Issue with get(privilegesetname)
                  allotrope
                    

                  Very elegant solution, "Comment". At first blush it seems to solve my problem. Thank you.

                   

                  Orlando, we do use the data separated model for most of our stuff but not all, and some reports are just easier to do in the table.