11 Replies Latest reply on Jun 24, 2010 2:52 PM by precociousninja

    Privileges based on data

    precociousninja


      I am using FileMaker 10 on Mac OS 10.5.8.

       

      I am a beginner to intermediate user of the software and I have a question about privilege sets.

       

      Here is the situation: I have a database where I store tourdates, show info, as well as a ton of other information for several bands on the record label that I work for.  The problem is, I want certain users to be able to see the data that pertains only to their band.  

       

      For instance, Band A can only access the records that have "Band A" selected in a drop-down menu field, and cannot see any other records that have Band B or Band C chosen.  Is there any way to manipulate the privilege sets so that they can be based on the data in a specific field?  Am I going about this in the wrong way?

       

      I know I could make a totally different database for each band, but I'm not certain that that is what I want to do, seeing as this database is related to several other databases I have created.  Please let me know how I should be thinking about this if I am incorrect.  

       

      Thanks,

       

      pn

        • 1. Re: Privileges based on data
          philmodjunk

          I strongly recommend that you not make separate database files for each band. That will greatly multiply your work load. You can set up record level access privileges that limit the records a user can see provided each table includes a field that identifies who can see that record.

           

          In your case, you'd give all the members from "Band A" the same account name, "Band A", and set access privileges up with the expression:

           

          Get ( AccountName ) = table::BandName

           

          For more on this approach, look up "Entering a formula for limiting access on a record-by-record basis" in the FileMaker Help system.

          • 2. Re: Privileges based on data
            aammondd

            I'm not sure about using privilege sets for data-driven security, but there are ways to implement it, though it will require a bit of work to secure. 

             

            I

            • 3. Re: Privileges based on data
              aammondd

              How sophisticated can you make the limited calculation? Rather than all using the same login, they just need the same privilege set.

               

              You would need to create an access control list that would join on the table key and contain the user name.

              Then you could limit based on Get(AccountName) = accesslist::username

              Is there a reason why it wouldn't work? Then you could build an access control list by username.

              The record would already be related to the access control list by its key item.

               

               

               

               

               

              • 4. Re: Privileges based on data
                philmodjunk

                Good point. Now that I think about it, I wouldn't use an account name for this.

                • 5. Re: Privileges based on data
                  aammondd

                  Yeah, you can create some really neat things with access control lists like this.

                   

                  You could then use joins to have this same list filter multiple records.

                   

                  You just need to set up the access control list with the proper values.

                   

                  • 6. Re: Privileges based on data
                    philmodjunk

                    On the other hand, if you have a relatively small user base, it may be easier to name the privilege sets after the bands and compare privilege set name to the band name to control access.

                    • 7. Re: Privileges based on data
                      aammondd

                      but why limit yourself in the design like that?

                       

                       

                      • 8. Re: Privileges based on data
                        precociousninja

                        Seems that there is some dispute on the best way to solve this issue.  aammondd, would you be willing to detail the method in which to create the access control list as well as the table key if this is what you believe to be the best solution?  TBH I'm not following your idea very well at all, and if it IS in fact the answer I would very much like to learn and use this method.  Unless Phil has any more retorts that is.

                         

                        Thanks again,

                         

                        pn

                        • 9. Re: Privileges based on data
                          philmodjunk

                          aammondd wrote:

                          but why limit yourself in the design like that?


                          It's a design trade-off. If your solution is fairly small and not likely to involve large numbers of users, setting up a check against the privilege set name is much simpler and quicker to set up. If your user base should grow in the future, you haven't prevented yourself in any way from switching to that approach in the future.
                          • 10. Re: Privileges based on data
                            aammondd

                            You create a table called, for lack of a better term, AccessControlList.

                            It has the following fields:

                            ControlValueText

                            *ControlValueNumber

                            *ControlValueDate

                            *ControlValueTimestamp

                            Username

                            * = optional fields that can be used later

                            You then join this table to your Band table by BandName = ControlValueText.

                             

                            Then you set up a new privilege set, and in the Records portion you use custom access.

                            Under the band table you would then, under the view and edit options, select limited,

                            which will bring up a calculation dialog.

                            In that calculation dialog you will use the following calc:

                             

                            Get(AccountName) = AccessControlList::Username

                             

                            This is just one portion of the overall setup of your solution, but it should give you a start.

                             

                            You need to populate the AccessControlList ControlValueText with the BandName and the username combinations that they will access.

                             

                            You can then join this AccessControlList table to a number of tables by the matching field and then set up the privilege set to limit based on the same calc as above.

                             

                            You should also be able to create sets of data in intermediate tables and join them. You could, for example, create a table that groups Venues by Route.

                            Then join this Route table to the venue table and the access control list table, and you then only have to plug in a single route entry per user and it would filter the venues based on the access control list. 

                             

                            That's the concept, at least.
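
Added example, not part of any post in this thread and not FileMaker code: a Python/sqlite3 model of the access-control-list check from reply 10, written as an existence test over all matching AccessControlList rows so that several accounts can share a band and an unlisted account sees nothing. The TourDate and VenueRoute tables, the helper names and every row of data are constructed for illustration.

```python
import sqlite3

# Constructed sample data. AccessControlList and its two fields follow reply 10;
# TourDate, VenueRoute and all rows are assumptions made for this example.
SCHEMA = """
CREATE TABLE AccessControlList (ControlValueText TEXT, Username TEXT);
CREATE TABLE TourDate (id INTEGER PRIMARY KEY, BandName TEXT, City TEXT);
CREATE TABLE VenueRoute (Route TEXT, Venue TEXT);
INSERT INTO AccessControlList VALUES
  ('Band A', 'alice'), ('Band A', 'bob'),   -- two accounts, one band
  ('Band B', 'carol'), ('Band C', 'carol'), -- one account, two bands
  ('West Coast', 'bob');                    -- one route entry covers many venues
INSERT INTO TourDate VALUES
  (1, 'Band A', 'Austin'), (2, 'Band B', 'Boston'),
  (3, 'Band C', 'Chicago'), (4, 'Band A', 'Denver');
INSERT INTO VenueRoute VALUES
  ('West Coast', 'Fillmore'), ('West Coast', 'Roxy'), ('East Coast', 'Paradise');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def visible(db, table, key_field, show_field, account):
    """Values of show_field the account may see: a row passes only if some
    AccessControlList row pairs its key value with this account name."""
    # Table and field names are fixed by the callers below, never user input;
    # the account name is always bound as a query parameter.
    sql = (f"SELECT {show_field} FROM {table} t WHERE EXISTS ("
           f"SELECT 1 FROM AccessControlList a "
           f"WHERE a.ControlValueText = t.{key_field} AND a.Username = ?) "
           f"ORDER BY {show_field}")
    return [row[0] for row in db.execute(sql, (account,))]

def tour_dates_for(db, account):
    return visible(db, "TourDate", "BandName", "City", account)

def venues_for(db, account):
    return visible(db, "VenueRoute", "Route", "Venue", account)

if __name__ == "__main__":
    db = open_db()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, tour_dates_for(db, user), venues_for(db, user))
```

Access is deny-by-default: an account with no AccessControlList row matches nothing, so onboarding a user means adding rows, and removing the rows revokes access without touching the privilege set.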

                            • 11. Re: Privileges based on data
                              precociousninja

                              I have finally gotten around to attempting to implement this solution in my database, but I have some questions.  

                               

                              First of all, I started by following the instructions exactly as they were written by aammondd, which involved me adding a bandname table as well as the accesscontrollist table, and connecting them by the field as described.  I then was able to set up the privilege set based on the accesscontrollist calculation as it was written.  

                               

                              The next step is what is confusing me.  I am now to populate the controltext with the band name and user name combinations and then connect the controltext with the records I already had via its same key field.  Why did I make the bandname table?  Do I then need to set the privileges for each user to the specific calculation as aforementioned?  

                               

                              I think my confusion may stem from the fact that I am not sure how the software recognizes these privilege sets.

                               

                              Thanks, pn