14 Replies Latest reply on Oct 31, 2016 11:30 AM by BillisSaved

    How to limit record access with find and global variables?

    user26705

      I am attempting to deploy a multi-user solution that heavily relies on FM WebDirect and Go.  The long and short of it is that there are multiple companies using the solution and each company has multiple users.  Each company has a unique CompanyID and it is used to enforce referential integrity across all tables in the solution.  The goal is to limit users to records in each table that are for their specific CompanyID.

       

      In researching this I have found that this is supported, but that you end up with <No Access> in the layout for those records the user isn't authorized to view.  Obviously this is a really bad user experience and from what I have seen you have to implement a "Find" to eliminate the <No Access> records.  I am not sure how this prevents the user from doing a "show all" then seeing the <No Access> or if this will limit their Find abilities using FM's native Find capabilities.

       

      Issue #1

       

      My first issue is how do I stop the show all behavior and still allow the user to use the power of Find in FM?  More importantly, there are several pre-defined "Finds" we do and then we want to do a "Show All" but obviously not if it is going to show the <No Access> labels. 

       

      Issue #2

       

      In regards to Global Variables, does anyone have suggestions in using them in this scenario?  Do I use them in all my tables for CompanyID?  If so, doesn't that change the CompanyID to a single value?  Do I just use them in a single table to manage session context?  If so, again, what if I have 50 users from five different companies - won't the session table have a single value for all the users?

       

      Sorry for the long message - but this has been a pain - seems like FM should have a much more granular security model and not require code arounds.  In this day and age, this is a major requirement for security.

       

      Any advice is highly appreciated - if there are better ways to accomplish this - please let me know.  I am under a really tight deadline so if you have sample articles/solutions - please let me know.

       

      Happy Halloween Everyone - FM...security = spooky! ;0)

       

      p.s - I am using FP Pro Advanced.

        • 1. Re: How to limit record access with find and global variables?
          wimdecorte

          If you use Record Level Access in the privilege set then you can safely give the users native find functionality; FM is smart enough to remove the "no access" records from the found set...

          • 2. Re: How to limit record access with find and global variables?
            user26705

            Thank you for the quick reply - just curious though - if the user hits "Show All" doesn't that then bring back the "<No Access>" issues?

            • 3. Re: How to limit record access with find and global variables?
              thomas_staehli

              How about a custom menu set that would simply replace the "Show all" native behaviour and do a search on company ID?

              1 of 1 people found this helpful
              • 4. Re: How to limit record access with find and global variables?
                user26705

                I thought about that but was really really hoping there was a better option - this reminds me of using dBase III back in the day...seems like it should be much easier to enforce record level security and not rely on developers to roll their own...

                 

                I will give the custom menus and custom finds a shot - still trying to figure out Global Variables.

                • 5. Re: How to limit record access with find and global variables?
                  thomas_staehli

                  As far as Global Variables are concerned, yes they can be used as session parameters. You could have a global table that you use only for those session utility fields. You could also use a global variable instead if you don't want to create the extra table.

                   

                  I guess you also must have a table with all the users details (including the companyID he's assigned to). At login set a global field with the company ID of the user who just logged in. You can then use that global field every time the user uses the "Show all" function from the custom menu, no matter what table the user is currently looking at.

                  • 6. Re: How to limit record access with find and global variables?
                    wimdecorte

                    Using custom menus is not rolling your own security though... the security is enforced by the RLA calc in the security scheme - and that's exactly where you want it.

                     

                    All that is required to make the "show all" limit to what the user can see is to do a find on the primary key for "=" with omit.  Very simple and fast.

                     

                    In a multi-tenant solution like you have you are going to need to override a lot of the standard menus anyway so this is a trivial thing to do.

                    1 of 1 people found this helpful
                    • 7. Re: How to limit record access with find and global variables?
                      BillisSaved

                      Good morning user26705,

                       

                      I hope your day is going well. I haven't tried this suggestion, but I think it would work. You should be able to use the "Hide Object When" calculation field on the Data tab of the inspector for the fields and associated labels you mentioned. For example:

                       

                      Get ( RecordAccess ) ≠ 2

                       

                      That should hide the < No Access > message even when the user selects Show All records. Something you may want to investigate before you implement this method, assuming it works, is how the implementation of this calculation may affect Web Direct performance. I know that conditional formatting adds additional overhead to the communications with FileMaker Server and also can increase the frequency of these communications, which may impact the performance of your solution. I hope this was helpful. Have a great day!

                       

                       

                      EDIT: You might be better served by using Perform Script On Server ( PSOS ) to loop through the found set and omitting the inaccessible records, that should eliminate blank spaces on your layout.

                       

                      God bless,

                       

                       

                      Bill

                      • 8. Re: How to limit record access with find and global variables?
                        BruceRobertson

                        PSOS will accomplish nothing here.

                        It is exactly that; a script performed on the server.

                        It has no relation to the user's found set.

                        • 9. Re: How to limit record access with find and global variables?
                          BillisSaved

                          Good morning Thomas,

                           

                          I hope your day is going well. I didn't think custom menus were supported in WebDirect or FileMaker Go? Has that changed? Thanks and have a great day!

                           

                          EDIT: My mistake, custom menus do have limited support in FileMaker Go.

                           

                          God bless,

                           

                           

                          Bill

                          • 10. Re: How to limit record access with find and global variables?
                            BillisSaved

                            Good morning BruceRobertson,

                             

                            I hope your day is going well. Couldn't you use an event to trigger a script on the server to loop through the found set and omit the records that have restricted access? Is there a reason that wouldn't work? Thanks and have a great day!

                             

                            God bless,

                             

                             

                            Bill

                            • 11. Re: How to limit record access with find and global variables?
                              wimdecorte

                              BizPraxis wrote:

                               

                              Couldn't you use an event to trigger a script on the server to loop through the found set and omit the records that have restricted access? Is there a reason that wouldn't work?

                               

                              As Bruce said: a PSoS script runs in a separate user session on the server, it does not touch the found set for the user who fires off the PSoS.

                              • 12. Re: How to limit record access with find and global variables?
                                BillisSaved

                                Good afternoon wimdecorte,

                                 

                                I hope your day is going well. Thanks for the clarification! This is relatively new territory for me, so I apologize in advance for my ignorance, but I want to be sure I understand. Are you saying that if I navigate to a layout and run a script that does the following, it won't return the expected results (i.e. a found set omitting all <No Access> records):

                                 

                                PSOS
                                show all records
                                go to record [first]
                                set variable [$ID; Value: "Primary Key"]
                                loop
                                If [ Get ( RecordAccess ) ≠ 2 ]
                                omit record
                                end if
                                If [ $ID = Primary Key ]
                                go to record/request/page [next; exit after last ]
                                set variable [$ID; Value: "Primary Key"]
                                end loop
                                end if
                                end loop

                                 

                                I didn't actually write and test a script using the logic above, I just wanted to illustrate my thought process. Hopefully this example is complete enough to help you, or someone else on this thread, help me understand what I'm missing. Thanks in advance for your help! Have a great day!

                                 

                                God bless,

                                 

                                 

                                Bill

                                • 13. Re: How to limit record access with find and global variables?
                                  philmodjunk

                                  When you run a PSOS script, it's as though you have a new user log in from their computer and do the steps specified in the script. The only way this affects the client that runs the PSOS script is if you set the PSOS to return a script result back to the client or by modifying data that the client can then find. A found set produced by the PSOS script will be separate from any found set on the Client's layouts.

                                   

                                  All you need is a script like this to take the place of Show All Records:

                                   

                                  Enter Find Mode []
                                  Set Field [YourTable::YourPrimaryKey ; "*" ]
                                  Set Error Capture [on]
                                  Perform Find[]

                                   

                                  Any find in the client's session that is performed by them or by a script will automatically omit all "no access" records.

                                  1 of 1 people found this helpful
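
An added example, not part of any post in this thread: a company-scoped replacement for Show All Records that combines the login-time session value suggested in reply 5 with the scripted find from reply 13. The `Users` table, its `AccountName` and `CompanyID` fields, the `$$CompanyID` variable and the convention that every tenant table has a `CompanyID` field are assumptions; the record-level access calculation in the privilege set remains the actual enforcement, and the find only keeps <No Access> rows out of the found set.

```filemaker
# Added example; table, field, variable and script names are assumptions.

# --- Script: "Session Init" (run from the OnFirstWindowOpen trigger) ---
# Look up the company of the account that just logged in.
Set Variable [ $$CompanyID ; Value: ExecuteSQL (
    "SELECT CompanyID FROM Users WHERE AccountName = ?" ; "" ; "" ;
    Get ( AccountName ) ) ]

# --- Script: "Show All (My Company)" (custom menu item replacing Show All Records) ---
Set Error Capture [ On ]
# ExecuteSQL returns "?" on error; treat that like a missing company.
If [ IsEmpty ( $$CompanyID ) or $$CompanyID = "?" ]
    Show Custom Dialog [ "Show All" ; "No company is assigned to this account." ]
    Exit Script []
End If
Enter Find Mode [ Pause: Off ]
# Works on any layout whose table occurrence has a CompanyID field.
Set Field By Name [ Get ( LayoutTableName ) & "::CompanyID" ; "==" & $$CompanyID ]
Perform Find []
# Capture the result immediately, before another step replaces it.
Set Variable [ $err ; Value: Get ( LastError ) ]
If [ $err = 401 ]
    # 401 = no records match the request
    Show Custom Dialog [ "Show All" ; "There are no records for your company." ]
Else If [ $err ≠ 0 ]
    Show Custom Dialog [ "Show All" ; "Find failed with error " & $err ]
End If
```

Because the privilege set still filters every find, a wrong or empty `$$CompanyID` can only shrink the found set; it cannot expose another company's records.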
                                  • 14. Re: How to limit record access with find and global variables?
                                    BillisSaved

                                    Good afternoon philmodjunk,

                                     

                                    I hope your day is going well. Thanks to you, and everyone else, for the clarification. Have a great day!

                                     

                                    God bless,

                                     

                                     

                                    Bill