12 Replies Latest reply on Jan 23, 2015 6:53 AM by ishulman

    Working with Privilege Sets

    ishulman

      Title

      Working with Privilege Sets

      Post

      I'm using Filemaker Pro 11 on a Mac and trying to create privilege sets for my group of users in a health services practice. None of them has any experience with Filemaker. I would like to achieve two outcomes. I'll discuss my progress & the challenges with each separately.

      1. I want the name of the doctor who is logging in (the user) to be displayed in a welcome message once they log in. Using File Options, login triggers the script: Insert Current User Name [Select; Client Contacts 2008::User]. "User" is a text field, auto-entered, based on the calculation "User = Get(AccountName)".

      The process works only when I (the sole person having full access) log in. Otherwise, it returns the result <No Access>

      2. Once logged in, my users (the treating clinicians) get to a landing page that will ask them which patient records they want to access. I want my users to have the choice of a) entering the name of a specific patient into some form of search field or b) selecting the name of the patient they want from a list of all of their patients. I don't know how to create either the search tool or the list.

      I've spent the last 3 hours going in circles reading various forum posts and Help topics, including 

      http://forums.filemaker.com/posts/7175149dfbhttp://forums.filemaker.com/posts/663e8f0772, and "Entering a formula for limiting access on a record-by-record basis" and am confused.

      I have created a Privilege Set called "Untrained Users" with privileges set as in the image below. When it comes to accessing records, the custom privileges are that "Untrained Users" can view (Yes), edit (Yes) and edit (All) fields, but cannot create or delete records.

      Any assistance would be greatly appreciated. Thanks.

      Edit_Privilege_Set.png

        • 1. Re: Working with Privilege Sets
          ishulman

          Let me try to repost the image.

          • 2. Re: Working with Privilege Sets
            philmodjunk

            1. What you describe makes no sense. What does that script do exactly? An auto-entered account name is a field option that kicks in when you create a new record or modify a field in the same record referenced in the auto-enter calculation. This is neither a script nor something that is likely to have any effect. Did you set up a "lock expression" in custom privileges that refers to the current user's account name? Even then, any record for which the lock expression does not permit access will display as "No Access". It's typically necessary for a startup script to perform some kind of find in order to hide the "No access" records from view. Note that any find performed by a script or by the user will automatically omit "no access" records.

            You can find examples of such a "find script" in the thread you refer to in you original post: Limiting access to a new users

            2. For more examples of scripted finds, see: Scripted Find Examples You can, for an example, add a global field to your layout formatted with a drop down list. Selecting a value or typing one end can perform a find for patient records. A conditional value list can be set up that only lists patients for which the current user is permitted access.

            When it comes to accessing records, the custom privileges are that "Untrained Users" can view (Yes), edit (Yes) and edit (All) fields, but cannot create or delete records.

            And what options did you select for your layouts?

            And I can also see that you've selected "minimum" in the available menu commands drop down. In many cases, this is too tightly limited a set of menu commands and often fools new developers into thinking that they have the wrong access permissions when they simply have too tightly limited the available menu commands. You may want to test your limited access accounts with a different option in this menu to see what difference it makes.

            • 3. Re: Working with Privilege Sets
              ishulman

              Thanks for getting back to me.

              The script is set to run at login and serves to forward users with specific privilege sets to specific layouts. Because none of my users have any FM experience, my goal is to limit their access to layouts and menu functions as much as possible. All they'll really be doing is searching out their own patient's records and dropping a report into a container file. They might also update patient contact information, but that will be it.

              Specifying lock expressions is well above my skill set. I'm looking for simple solutions. So, how would I make it so the user's name appears in a welcome message?

               

              • 4. Re: Working with Privilege Sets
                philmodjunk

                First, User name and account name are not the same thing. User names are specified for the FileMaker application and are specific to the computer user set. They are specified in Preferences. Account names are defined in Manage | Security. Just to confuse this, FileMaker takes the current USER name and inserts it into the login box for ACCOUNT name as the default account name when you log in.

                So Insert Current User Name has no direct connection to what account name is specified when opening the file. Script steps that start with Insert also fail silently to work (no error message interrupts your script) if the specified field (Client Contacts 2008::User) is not present on the current layout when the script step is executed. And what kind of field is "User"?

                In any case, that script step has no effect whatsoever on whether the user will be see data or a "No access" screen obscuring the data. Presumably, the "no access" result is due to custom privileges settings that you have specified for records and tables--but this is not a screenshot that you have uploaded for this privilege set.

                The script you describe should take the user to the desired layout and show the contents of the User field specified in the script, IF the user field is on that layout and IF the user field was accessible on the current layout at the moment the Insert Script step executed. (I use Set field instead of Insert unless that option is not possible for what I want to do. Set Field [ Client Contacts 2008::User ; Get ( UserName ) ] will put the current user name into the field in cases where insert will fail and without tripping any script triggers that might be set on the field. Get ( AccountName ) can be used to insert the user's account name instead of the computer's user name.

                PS. Given that you describe this as "patient data", I don't think you have much choice but to set up a Lock Expression limiting user access to only those patient records that user is authorized to see. Otherwise you could have serious legal repercussions due to violating patient privacy.

                • 5. Re: Working with Privilege Sets
                  ishulman

                  I'm still struggling with this, though it seems basic. Here is the new script and a screenshot of the custom layout privileges for  The "Untrained Users" privilege set. The 2 highlighted layouts are the only ones I think such users will need at present. I'll also post separately a screenshot of the records privileges for that same privilege set. From where I sit, that should work, but it doesn't.

                  What's happening now is that whether I log in with my Full Access privileges OR with the Untrained Users privileges, the following message is displayed at login:  "This action cannot be performed because this field is not modifiable."

                   

                  • 6. Re: Working with Privilege Sets
                    ishulman
                    /files/7482144012/Privelege_Set.png 1152x872
                    • 7. Re: Working with Privilege Sets
                      philmodjunk

                      This wasn't what I asked for. Notice that under "records", "custom privileges..." have been selected. I need to see a screen shot of that dialog which is why my last post included this text:

                      Presumably, the "no access" result is due to custom privileges settings that you have specified for records and tables--but this is not a screenshot that you have uploaded for this privilege set.

                       "This action cannot be performed because this field is not modifiable."

                      Sounds like this field is a calculation field and such cannot be used in your script to set a value. You really shouldn't need to do this anyway, but if this were a field of type text, you would not get this error message.

                      • 8. Re: Working with Privilege Sets
                        ishulman

                        Thanks Phil. You were correct. I had the field "User" set to be a calculation. Changing it to a text field resolved that issue.

                        Regarding the permissions for Untrained Users, the info you're asking about is indeed present in the image above. Untrained Users can currently view and edit records, and I'm allowing them to access all fields. However, I'm not allowing them to create or delete new records.

                        Regarding the other issues:

                        A) How do you recommend I script/establish a Lock Expression to limit Dr. Jones to seeing only those patients whose "Treating Clinician" field = Dr. Jones? (When I look up Lock Expression in the Help file all I see is info on locking objects into place on a layout).

                        B) Regarding search fields to help users find their patients: I currently have a field called "Full Name" that is a calculation

                        = First Name & " " & Middle Name & " " & Last Name

                        If I set the option for Full Name  to "Use Global Storage" can I then include the Full Name field onto my layout so users can enter any portion of their patients' names and search from there?

                        C) An alternative to a single search field would be a list that displays particular fields from a patient record (e.g., First, middle , last name, parent's name, dates seen) that users can click on to take them to that particular record. How can I set that up on the layout?

                        • 9. Re: Working with Privilege Sets
                          philmodjunk

                          No, you have not uploaded what I asked for. There's a dialog that opens when you select Custom Privileges in the Records drop down. That is where you apparently have a limitation on what records/tables are accessible as this is how you get a screen with "no access" obscuring the data.

                          • 10. Re: Working with Privilege Sets
                            ishulman
                            /files/63d3caa41a/Custom_Privileges_for_Records.png 1332x1558
                            • 11. Re: Working with Privilege Sets
                              philmodjunk

                              That's puzzling. I see no way that the access permissions shown can possibly produce a layout that displays the "no access" screen when you open the layout....

                              That typically happens when "no" or "limited" is specified in the "View" column.

                              • 12. Re: Working with Privilege Sets
                                ishulman

                                Hi Phil. You were correct... the <No Access> issue resolved when I changed the field "User" from a calculation back to a text field.

                                 

                                Are you able to comment on these questions from my Jan 20 post?

                                1) How do you recommend I script/establish a Lock Expression to limit Dr. Jones to seeing only those patients whose "Treating Clinician" field = Dr. Jones? (When I look up Lock Expression in the Help file all I see is info on locking objects into place on a layout).

                                 

                                2) Regarding search fields to help users find their patients: I currently have a field called "Full Name" that is a calculation

                                = First Name & " " & Middle Name & " " & Last Name

                                If I set the option for the "Full Name" field  to "Use Global Storage" can I then include the "Full Name" field onto my layout so users can enter any portion of their patients' names and search from there?

                                 

                                3) An alternative to a single search field would be to have a list that automatically displays the names of all of a particular doctor's patients so docs can then click on the one they need and go directly to that record. How can I set up a list like that on the layout?

                                Thanks for your input.