1 2 Previous Next 15 Replies Latest reply on Dec 16, 2016 11:35 AM by JackRodges

    Privilege to not start any scripts

    carlsson

      I have a couple of users that have View only on some layouts. They can look, but not touch. However, I would also like them to NOT be able to start any scripts from those layouts!

       

      As it is today, I have to check the privilege set in a script, or to hide objects for certain priv sets.

       

      Is there any way to make this in a better way? Anyone else that feels the need for his?

       

      Maybe a new Priv set "View and not touch".

        • 1. Re: Privilege to not start any scripts
          coherentkris

          you have control of scripts (execute only, modifiable, no access) in permission sets

          • 2. Re: Privilege to not start any scripts
            carlsson

            Yes, but not also in which layouts, right?

             

            Ie, I want a user to work with all privs in one layout, but only view in another. And not be able to trigger scripts in that layout.

             

            Example: Anna is at Customer Service. She needs to work with *all* privileges in the Customer Service layout. But she also needs to look at invoices, but not trigger any invoice related scripts.

            • 3. Re: Privilege to not start any scripts
              coherentkris

              security does not tie scripts to layouts for management.

              It is script alone.

              What you can do is put a check for Get ( layoutName ) or Get (Accountname) at the beginning of any of the trouble scripts that exits script without doing anything if the layout is sensitive.

              Another option is to create scripts specifically for the problem layouts and then you can restrict permissions in security i.e one permission set that has priv to run the scripts and one that does not.

              thers probably other ways to skin this cat but these were the first two that came to mind.

              • 4. Re: Privilege to not start any scripts
                JackRodges

                If you use buttons only to trigger scripts, you can use the Hide feature and hide a button for specified privileges sets. This is similar to using the IF conditions in a script but hiding the button is nicer since the user never sees it.

                 

                IF you need help, I can submit a screen shot of the editor. Or just do Command+I and select the rightmost table and look for the Hide When field.

                • 5. Re: Privilege to not start any scripts
                  carlsson

                  Thanks, as I wrote that is one example of a workaround.

                   

                  Let's say you have 20 different groups and 10 of those should be able to start the scripts, and you have 15 buttons on a layout, it will soon be extremely messy to do all the hide coding and keep track of it. A privilege set feature would be much better.

                  • 6. Re: Privilege to not start any scripts
                    Markus Schneider

                    You allready have that - just create 'roles' for specific usecases and allow users/roles to run scripts or not. Scripts are NOT dependent  on layouts, so there is no way to achieve this via priviledges - and that has to be this way, a script goes over several layouts... ie from a list view with one item of the list to an output layout, prints, etc.

                     

                    There are several ways to help in Your situation...

                     

                    - maybe overthinking the concept/structure

                     

                    - You could have a button-bar showing all buttons/options, but only some of them are active for the current user, showed by a special color

                     

                    - You could have those buttons in a popover - showing only allowed items/buttons for specific users

                     

                    - (much more)

                    1 of 1 people found this helpful
                    • 7. Re: Privilege to not start any scripts
                      philmodjunk

                      You might be able to reduce some complexity by using extended privileges.

                       

                      Example: for all privilege sets of users allowed to perform scripts on a given layout, assign them all to the same extended privilege. Now you need only check for that one extended privilege instead of multiple privilege sets.

                      1 of 1 people found this helpful
                      • 8. Re: Privilege to not start any scripts
                        carlsson

                        Thanks for all the answers!

                         

                        It's obvious to me that I'm the only one in need of this, or I haven't explained the problem good enough. All workarounds suggested are already tested and implemented in one way or the other. But they are still workarounds (as I see it).

                         

                        Thanks though!

                        • 9. Re: Privilege to not start any scripts
                          Markus Schneider

                          You could have a 'settings' table with a list of layouts-to-go-per-user with entries for each user. When scripts were fired, just check out that table/user -> so, You have this kind of permission

                          • 10. Re: Privilege to not start any scripts
                            coherentkris

                            Security by obfuscation is not really secure.

                            • 11. Re: Privilege to not start any scripts
                              philmodjunk

                              Security by obfuscation is not really secure.But UI methods may be an appropriate way to improve the user experience if that is the main reason for doing this. That's not a question that can be answered from the information posted here.

                               

                              Speaking to the original issue. I think all understand what you want but you are asking for a feature that does not exist. A few of us should have read your original post more carefully to avoid suggesting things that you listed as already using, but you aren't going to get a way to do what you want with the current version of FileMaker. I will point out that my post here does not use a method that you mentioned in your original post. Checking for a single extended privilege to see if a script should be run or a button should be visible will be less complex than checking to see if the user's current privilege set name is one of a group of privilege sets.

                               

                              That said, even IF you could set this up in Manage | Security, you'd likely still be using some combination of these work arounds. Most validation rules and security settings allow the user to try to exceed their limits and show some kind of error after they have made such an attempt. We thus often resort to additional UI methods--not to enforce security, but to provide the user with a better user experience. Clicking a button and getting a message that the user's access permissions do not allow you to use a script really isn't as user friendly as a button that simply isn't there to click or that has a greyed out label and is non-responsive to the user.

                               

                              So you'd end up with UI level methods backed up by Manage | Security even if that were an option for you.

                              1 of 1 people found this helpful
                              • 12. Re: Privilege to not start any scripts
                                JackRodges

                                A trigger script can be dependent on a layout

                                • on layout enter
                                • on layout modify
                                • on layout size change
                                • on layout mode change

                                 

                                Hmm, thinking about this which often leads to disastrous waste of time having discovered problems, a layout could tie scripts to inself using the on layout enter which might be what the quester is interested in.

                                • 13. Re: Privilege to not start any scripts
                                  JackRodges

                                  I've found the simplest way to AVOID the problem is when needed to create layouts for specific privilege sets and then the buttons and menus assigned will only be accessed by the appropriate persons.

                                   

                                  The script opening the layout would check for privilege set and if not appropriate call the CEO.

                                  • 14. Re: Privilege to not start any scripts
                                    ninja

                                    Oh, you are TOTALLY not the only one in need of this.

                                     

                                    Just do a thread search on "Privilege Subsets"...When users have multiple roles, and may be crosstrained, the number of combinations goes exponential and makes you revisit your entire security schema

                                    1 2 Previous Next