13 Replies Latest reply on Dec 16, 2016 10:27 AM by philmodjunk

    Multiple Privilege Sets Under One Login

    asoria

      Is there a way to allow multiple privilege sets for one login? We have multiple "locations" in one database, and managers and supervisors may only access the location they are assigned to. The problem is that we have some managers that need to be able to access multiple locations. We have a data table where I assign the location they may access, but if I try to add more than one it defaults to only allow access to the first one chosen. What are we doing wrong? Is there a better way to do what we want?

       

      For example:

      Login1- only access to Location A

      Login2- only access to Location B

      Login3- needs access to Location A and B

       

      To get around it, we've created Login3 for A, and Login3B for access to B... but I'd really like to figure out how to give access under just one login.

       

      Thank you in advance for your help!

        • 1. Re: Multiple Privilege Sets Under One Login
          philmodjunk

          You should be able to make this work in the Record level access calculation in a number of ways to avoid the need for multiple accounts and multiple privilege sets aren't an option for a single account.

           

          Say you have a user preferences table with a text field formatted with a check box group to list all locations where you can click check boxes to select which locations are permitted for that user.

           

          Then this expression could be used to control access at the record level:

           

          Not IsEmpty ( FilterValues ( CheckboxField ; Location ) )

           

          You can use either a relationship to match to this field in the user table or a start up script can find this record and set a global field to the value of this check box field so that your record access expressions can refer to the global field.

          1 of 1 people found this helpful
          • 2. Re: Multiple Privilege Sets Under One Login
            mikebeargie

            No, you can only assign one privilege set to one account at any given time. To be able to have multiple locations at once for one account, you need to customize your own privilege system.

             

            For Example:

            • Create table "Privileges", with "AccountName" and "Location" fields.
            • Create a record where AccountName = "Login1" and "Location" = A
            • Create a record where AccountName = "Login2" and "Location" = B
            • Create a record where AccountName = "Login3" and "Location" = A
            • Create a record where AccountName = "Login3" and "Location" = B

             

            Then add this to your OnFirstWindowOpen script:

            Set Variable [ $$Locations ; ExecuteSQL("SELECT Location FROM Privileges WHERE AccountName = ?";"";"";Get(AccountName)]

            If [ IsEmpty ( $$Locations ) ]

                Show Custom Dialog [ "Error" ; "You do not have any permissions to view location data" ]

                Exit Application

            End If

            Now when you are logged in, you will always have a global variable of $$Locations that you can reference to determine record-level permissions.

             

            So you could make a navigation script like this:

            Enter Find Mode [ no pause ]

            Go To Layout [ Locations ]

            Loop

               Set Variable [ $i ; $i + 1 ]

               Set Field [ Locations::Location ; GetValue ( $$Locations ; $i ) ]

               Exit Loop If [ ValueCount($$Locations) >= $i ]

               New Record/Request/Page

            End Loop

            Perform Find

            That would find on the Locations layout for the locations the user has access to.

             

            Additionally you could make permissions in the privilege set that denies access with calculations like:

            PatternCount ( $$Locations ; Locations::Location ) > 0

            That would only allow them to view a record when the record data matched in some way.

            • 3. Re: Multiple Privilege Sets Under One Login
              philmodjunk

              I would not use PatternCount for that.

               

              Imagine two locations: "Warehouse" and "Warehouse B", Consider the possible failures. That's why I used a return separated list and the Filtervalues function in my suggestion. It's just a bit safer to use in this type of thing.

              • 4. Re: Multiple Privilege Sets Under One Login
                mikebeargie

                Noted, I always use a recursive custom function for list matching as filtervalues also has some drawbacks. But I didn’t want to explain such functions for simple demo purposes.

                • 5. Re: Multiple Privilege Sets Under One Login
                  philmodjunk

                  The only drawback I can think of is the added return issue and using IsEmpty allows for that without the need for recursion. Do you know something that I don't here?

                  • 6. Re: Multiple Privilege Sets Under One Login
                    mikebeargie

                    FilterValues() is slow on large lists since it consumes the entire list rather than stopping when there is a match. PatternCount() runs faster than it, even if it also consumes the entire list, Position() is even faster though.

                     

                    I’ve been using the modifications (see comments) on this function:

                    https://www.briandunning.com/cf/1174

                    with good success for speeding up matches in large lists.

                     

                    I use FilterValues() for filtering a list of values out of larger lists, but not for match identification.

                     

                    I normally use PatternCount() when I know that the pattern will be unique in a small set of values.

                    • 7. Re: Multiple Privilege Sets Under One Login
                      philmodjunk

                      These are very unlikely concerns for this specific case as the location list is likely too small for it to matter. and I've seen this trick recommended:

                       

                      Filtervalues ( Singlevalue ; List )

                       

                      instead of FilterValues ( List ; SingleValue )

                       

                      as a way to improve performance for long lists. Never tested it to see if it's actually faster or not, but then most of the lists that I'm testing are well under a hundred items and not part of a larger "batch" process that might need to do this over and over again and thus this really doesn't become an issue for me.

                       

                      And if you are going to recommend Patterncount like this, please note the possible "false positive" failures that might occur with it. Otherwise, someone reading your suggestion might just put themselves in the way of a problem without knowing why it failed for them.

                      • 8. Re: Multiple Privilege Sets Under One Login
                        asoria

                        Thanks so much! Worked perfectly!!

                        • 9. Re: Multiple Privilege Sets Under One Login
                          user19752

                          These are very unlikely concerns for this specific case as the location list is likely too small for it to matter. and I've seen this trick recommended:

                           

                          Filtervalues ( Singlevalue ; List )

                           

                          instead of FilterValues ( List ; SingleValue )

                          There is difference in result that 1st keep case of singlevalue, 2nd get single value from list with case insensitive as some thing like normalize.

                          • 10. Re: Multiple Privilege Sets Under One Login
                            philmodjunk

                            That makes no sense. It may have been mixed up during translation.

                             

                            And FIlterValues is not case sensitive in any "case".

                            • 11. Re: Multiple Privilege Sets Under One Login
                              user19752

                              Yes, the difference is no matter in this thread that comparing to empty

                              I only notified it, thinking about both have its use case. Longer list first is used to sort values in value list.

                              • 12. Re: Multiple Privilege Sets Under One Login
                                Malcolm

                                I get what user19752 means.  It's probably easier to show with examples:

                                 

                                FilterValues ( textToFilter ; filterValues )

                                 

                                if you follow the documentation literally you may do this:

                                 

                                filtervalues ( "abba" ; list ( "Abba";"ABBA") )

                                 

                                Result: "abba"

                                 

                                However, you may pass a list of values for testing, and you may test against a single item. In this second case we are testing all of the elements in the list against a single word.

                                 

                                filtervalues ( list ( "Abba";"ABBA") ; "abba" )

                                 

                                Result : Abba

                                ABBA

                                 

                                You are right philmodjunk, the matching is not case sensitive and it always returns the string/s that were successfully matched.

                                • 13. Re: Multiple Privilege Sets Under One Login
                                  philmodjunk

                                  Ok, but for privilege sets and account names, that should not cause a problem. Account names are also not case sensitive and I've always assumed the case was also true form privilege set names--though I've never tested that, can't imagine using two privilege sets where case is the only difference anyway so it's never been an issue for any of my projects.