8 Replies Latest reply on Oct 31, 2012 4:38 PM by johnhorner

    Privilege Sets, Relationships, and Script Full Access Privileges

    johnhorner


           I am having a problem... i have a privilege set which is defined to restrict certain users from seeing certain invoices.  that seems to be working as i would expect... i think?  the invoices are not actually invisible to the user (for example, they are included in the record count in the status bar), but if they navigate to one of them, all of the fields in the layout display "no access".  not a problem.  i have a script for creating new records which is set to run with full access privileges.  this script relies on relationships between the invoice table and other tables to function properly.  the problem arises when the new invoice script is launched.  if the user launches the new invoice script while sitting on an invoice record to which they don't have access, then none of the relationships seem to be valid which are relied upon by the script to function properly even though it is set to run with full access privileges.  is this expected behavior?  the workaround i have implemented is simply to perform a find to records that the user has permission to view before initiating the rest of the script but this seems a little odd... any thoughts?  Thanks!

        • 1. Re: Privilege Sets, Relationships, and Script Full Access Privileges
          philmodjunk

               Are the relationships to tables in the same file or tables in a different file? "Run with full access" only applies to the current file and does not enable the script to access restricted data in other files.

          • 2. Re: Privilege Sets, Relationships, and Script Full Access Privileges
            johnhorner

                 hmmmm... good question.  the file is built upon the data separation model.  but even the users with restricted access to certain invoices have full access to the fields in a global temp field table that i am attempting to access (i am not trying to view or manipulate any restricted fields).  however these temp fields are specified in the script using a relationship from invoices to the global temp table with the "x" operator (there is only one record in the global temp table).  so it seems like what is happening is that if the user is sitting on a restricted invoice when they launch the script, the relationship will not work (i get an empty value if i look at it with the data viewer during debugging... whereas it works fine if they are sitting on a permitted invoice).  it is not that difficult to work around, i can simply go to a different layout based on the global temp fields to which everyone has complete access, get what i need, and come back again, but it was not what i would have expected since no restricted data is being compromised.  am i correct in assuming that this is what is actually happening or is there possibly some other reason the relationship is not working (it works fine, of course, with full access privileges)?  thanks!

            • 3. Re: Privilege Sets, Relationships, and Script Full Access Privileges
              philmodjunk

                   It's hard to know without examining your file, but I suspect that the record level access restrictions do not evaluate to "true" for the related temp table when the current record is restricted. If so, your system is performing as it was designed to work--just not as you want it to work.

              • 4. Re: Privilege Sets, Relationships, and Script Full Access Privileges
                johnhorner

                     that seems to be my luck!

                • 5. Re: Privilege Sets, Relationships, and Script Full Access Privileges
                  philmodjunk

                       And am I correct that you have access restrictions set on the tables in the data file and not just on the table occurrences defined in the interface file?

                       If you do not set record level access restrictions in your data file--but instead set them in the interface file, I would think that your run with full access privileges script would work.

                  • 6. Re: Privilege Sets, Relationships, and Script Full Access Privileges
                    johnhorner

                         you are correct. user accounts and the associated privilege sets are stored in the data file.  you have already exceeded the limits of my knowledge about accounts and privilege sets.  i didn't know you could control access to fields in the data file from the user interface... if that is what you are saying?  how would i do that?  when i go to manage>security>privilege sets>data access and design>records, for example, it only lists tables in the user interface.

                         in trying to figure it out i went to the "file access" tab in security where i have never been before but i became even more confused.  it states that "only authorized files can access tables, scripts, and other elements of this file".  but in my data file i have not authorized my user interface file and it does access everything that it says i won't be able to.  i am clearly not understanding something about this...?  help?

                    • 7. Re: Privilege Sets, Relationships, and Script Full Access Privileges
                      philmodjunk

                           Darn! You are correct about the limits to access security. I had made a quick check in one of my multi-file solutions before posting that last response and was fooled by similar table names into thinking that I was seeing a list of table occurrences in the Custom Privileges set up.

                           I suggest using a global field in the data file to temporarily unlock access to data in a table.

                           If you had this for a record lock expression:

                           FieldA = "Fred"

                           Change it to be:

                           FieldA = "Fred" OR Globals::gUnlock

                           Where you define gUnlock as a number field with global storage.

                           Then your script can unlock access to data in that table with this code:

                           #Unlock the table
                           Set Field [Globals::gUnlock ; True ]
                           Commit Records/Requests

                           #Do your stuff that requires access to the table here

                           #Lock the table
                           Set Field [Globals::gUnlock ; False ]

                           I'm not sure if you really need the commit records step so you can experiment to see if it makes a difference here or not.
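Added example, not part of the original post: the same unlock/lock pattern written so that the flag is cleared on every exit path, since a script that is cancelled or fails between the two Set Field steps would leave Globals::gUnlock set for the rest of that user's session. The $error variable and the New Record/Request step standing in for the real work are assumptions.

```filemaker
# Added example (not from the thread): reset gUnlock on every exit path.

# Stop the user from cancelling the script while the table is unlocked,
# and handle errors in the script instead of in a dialog.
Allow User Abort [ Off ]
Set Error Capture [ On ]

# Unlock the table. In a hosted file a global field holds a separate
# value for each client session, so this affects only the current user.
Set Field [ Globals::gUnlock ; True ]
Set Variable [ $error ; Value: Get ( LastError ) ]
Commit Records/Requests [ No dialog ]

If [ $error = 0 ]
    # Do the work that requires access to the table here.
    # New Record/Request is a placeholder for the real steps (assumption).
    New Record/Request
    Set Variable [ $error ; Value: Get ( LastError ) ]
End If

# Lock the table again whether or not the work succeeded.
Set Field [ Globals::gUnlock ; False ]

# Return the error code so a calling script can react to a failure.
Exit Script [ Result: $error ]
```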

                      • 8. Re: Privilege Sets, Relationships, and Script Full Access Privileges
                        johnhorner

                             ahhhhh... very clever... that will do it!  thanks again.

                             p.s. any idea what the "file access" tab is actually for in security?  the explanation in the tab window doesn't seem to make sense.