3 Replies Latest reply on Jan 10, 2013 9:53 AM by philmodjunk

    Setting up Privileges for IWP - Newbie Question

    RayGerman

           Hello,

           There are some very bright minds on this forum. So, I thought I would run this up the flag pole with you guys and see if anyone had any thoughts.

           I am creating an Employee Assessment Database - There will be some sensitive information in the database, so I need to be careful how I set up the security.

           In a nutshell, I have a Finance department that will have full privileges to the database. Each record in the database is for an individual employee. I will then have several Department Managers that will only have access to records for employees under their management. Department Managers will not be able to edit the fields entered by the Finance Department. I am sure I can achieve the latter by using one layout for the Finance Department and another for each Department Manager.

           The real question is should I make a separate table for each Department Manager that only contains records for their employees and control access that way, or is there an easier way I am not aware of... remember I am new at this :)

           I really don't want a Manager from a different department to see records for an employee not under their management.

           Any input is welcome...

           Thanks,

           Ray

            

            

        • 1. Re: Setting up Privileges for IWP - Newbie Question
          philmodjunk

               You really, really, really DO NOT want to use a separate table for each manager. Any organization restructuring that adds another manager would require a major design update to your database--just to name the most obvious problem with that approach.

               Instead there are ways to use Manage | Security to set up privilege sets for your users that limit their access to a specific group of records, layouts, scripts.

               To start, see "Editing record access privileges" in FileMaker Help and check out this particular sub section: "Entering a formula for limiting access on a record-by-record basis" for a description of how to set this up.

          • 2. Re: Setting up Privileges for IWP - Newbie Question
            RayGerman

                 Phil,

                 Wow! Thank you!!! You saved me from descending into bad database creation hell. I tested your instructions and they worked perfectly.

                 I created a field and a value list for each department. I then created my users and assigned them to the custom privileges set which keys off the department value list.

                 One problem: even though I set the view to limited under Custom Record Privileges, keying off of the Department field and value list I created, a user in the Development Department privilege set can still browse the other records they do not have permission to... although all the fields in these records state no access, which is good. I just would rather they not see the record at all.

                 Is there a way I can hide records not related to the specific department? It may be that I did not use the correct formula in my calculation for the record privilege set. I am attaching a screen shot.

                  

                 Any thoughts?

                  

                 Thanks,

                 Ray

            • 3. Re: Setting up Privileges for IWP - Newbie Question
              philmodjunk

                   There are two levels to record level access control. The first is the limits you set in Manage | Security and (sometimes) field validation settings. These take place at the "data level" and make sure that folks can't access stuff for which they are not authorized.

                   The next level is to design your user interface to keep the users from bruising their noses on the limitations these settings have imposed.

                   The key thing that you can exploit is that any find performed automatically omits any "no access" records from the found set. Thus you can set your database file to automatically perform a find as part of the process of opening the file (see File Options for the needed trigger setting) and it will drop out all the "no access" records. You can also set up scripts that do this when the user clicks a button to access a specific layout.

                   Here's a script that finds all accessible records. __pkPrimaryKey is what I am calling a field set to auto-enter a serial number or Get ( UUID ). What's required is some field that is never empty in any record in the table.

                   Enter Find mode []--->clear the pause checkbox
                   Set Field [YourTable::__pkPrimaryKey ; "*"]
                   Set Error Capture [on]
                   Perform Find[]

                   Note that this can function as a "Show All Records" script, but which actually shows all PERMITTED records...

                   Here's a similar script, but it only drops the "no access" records from the current found set instead of finding all records:

                   Enter Find mode []--->clear the pause checkbox
                   Set Field [YourTable::__pkPrimaryKey ; "*"]
                   Set Error Capture [on]
                   Constrain Found Set []

                   And this script would show all omitted records that are also permitted:

                   Show Omitted Only
                   Enter Find mode []--->clear the pause checkbox
                   Set Field [YourTable::__pkPrimaryKey ; "*"]
                   Set Error Capture [on]
                   Constrain Found Set []

                   And if you have FileMaker Advanced, you can (I think*) set up a custom menu where selecting "Show All" or "Show Omitted Only" actually performs one of these scripts instead of FileMaker's built in operation.

                   *I haven't tried this in IWP, but it works with FileMaker Pro users so I would expect it to work via IWP. Try it and see.

                   If you do not have FileMaker Advanced to use to install custom menus, you can try hiding/locking the status area and then put your own buttons across the top of the layout to perform these actions (this is how we did it before we had custom menus as an option.)
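
The two levels discussed in this thread, modelled in Python as an added example (this is not FileMaker code and not from either poster): one shared table, a per-record rule enforced at the data level, and a find that only tidies up what the user sees. The sample rows, account names and function names are all constructed for the illustration.

```python
# Added illustration: a Python model of the behaviour described in this thread.
# Rows, account names and function names are constructed for the example.
from dataclasses import dataclass

NO_ACCESS = "<No Access>"

@dataclass(frozen=True)
class Employee:
    pk: int          # never-empty key, like __pkPrimaryKey in the scripts above
    name: str
    department: str
    salary: int      # sensitive field entered by Finance

# One shared table for every department (constructed sample rows).
EMPLOYEES = [
    Employee(1, "Avery", "Development", 70000),
    Employee(2, "Blake", "Development", 82000),
    Employee(3, "Casey", "Sales", 64000),
]

# Account -> department. None means full access (Finance).
# A new manager is one more entry here, not another table.
ACCOUNTS = {"finance1": None, "dev_mgr": "Development", "sales_mgr": "Sales"}

def can_view(account, rec):
    """Data level: the per-record rule, evaluated on every read."""
    if account not in ACCOUNTS:
        return False                     # unknown account: deny by default
    dept = ACCOUNTS[account]
    return dept is None or dept == rec.department

def browse_all(account):
    """No find performed: every record is listed, denied ones are masked."""
    masked = (NO_ACCESS, NO_ACCESS, NO_ACCESS)
    return [(r.pk, r.name, r.salary) if can_view(account, r) else masked
            for r in EMPLOYEES]

def find_all_permitted(account):
    """Interface level: a find on the key field leaves denied records out."""
    return [r for r in EMPLOYEES if can_view(account, r)]

if __name__ == "__main__":
    print(browse_all("dev_mgr"))             # third row is masked
    print(find_all_permitted("dev_mgr"))     # third row is absent
```

The protection comes from `can_view`; `find_all_permitted` changes only what is displayed, so the data stays protected even when a user reaches the records without going through the find.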