10 Replies Latest reply on Jun 2, 2017 2:56 AM by wimdecorte

    Edit Security Privileges through Script

    JulioSandoval

      Hello Everyone,

       

      I have been trying to figure out if FileMaker can even do this.

       

      I have been using the Account Script steps to create new accounts as needed.

       

      My question is pretty straight: can I also edit account privileges via a script step?

       

      I have not found one, but I am wondering if anyone has figured something out?

       

      Thanks.

        • 1. Re: Edit Security Privileges through Script
          Jason Wood

          You cannot edit a privilege set by script.

           

          What do you actually want to do? There is almost certainly a better way.

          • 2. Re: Edit Security Privileges through Script
            JulioSandoval

            The ability to edit someone's current privilege by a script.

            I currently have a script that adds a user and their account privilege is set by a script.

             

            So without having someone log in to the Security section, I wanted to know if we can edit privileges via a script.

             

            If not, is there a way to limit a user to only edit Security Privileges that are stated?

            Or are they required to be a full privilege user? [Full Access]

             

            The problem I see here is, how does a non-admin user manage security levels of other users without having the [Full Access] privileges?

            • 3. Re: Edit Security Privileges through Script
              Jason Wood

              What do you mean by "manage security levels"? Give an example.

               

              If your privilege sets are designed correctly, there should be no need to modify them regularly.

              • 4. Re: Edit Security Privileges through Script
                JulioSandoval

                I have the following privileges:

                 

                Inspector

                Outreach

                Office Admin

                 

                What if I need to switch the inspector to perform Outreach roles? That would currently require someone to log in to the Security Options and manually change someone with Inspector privileges to Outreach.

                • 5. Re: Edit Security Privileges through Script
                  keywords

                  For very sound reasons security settings can only be set and altered by a user with Full Access privileges; this user is usually the database administrator. If you need someone other than you to be able to perform this function then you are handing them the master key, so they need to be well trained.

                  • 6. Re: Edit Security Privileges through Script
                    wimdecorte

                    That would be a violation of the role-based security principles.  If an inspector needs to do outreach tasks then that is really a 4th role in your lineup.

                    • 7. Re: Edit Security Privileges through Script
                      Jason Wood

                      The best way would be to use external authentication and then you can set the group name through the operating system (or on the directory server).

                       

                      But it can be done by script - you need to delete and recreate the account.

                       

                      The user whose account is being modified will have to enter their password for this to be possible. Basically you use a custom dialog to take the username and password and put them in global fields. Use re-login to validate the credentials. If the re-login is successful, delete the account and then create an identical account with the new privilege set.

                       

                      If the user is not present, you either have to 1) recreate the account with a temporary password that the user can then change, or 2), design a table to store these change requests and make your login script check for these instructions on login, to guide the user through the process.

                       

                      Obviously I've left out all the important bits about controlling who can actually do this!

                      • 8. Re: Edit Security Privileges through Script
                        JulioSandoval

                        External Auth would work great, but they sometimes use an offline mobile file which uses a third party Sync process.

                         

                        I can't delete user accounts because performance metrics go out the window.

                         

                        I guess adding a duplicate user but with a prefix to determine Outreach or Inspector and vice versa would have to be a solution.

                         

                        I wonder if FileMaker will give this ability in the future. Because forcing us to give the Master Key to someone just for them to change/edit privileges seems a bit extreme. And I am not saying that they need to be able to change all roles, I am just saying the ability to assign what roles can be changed and which ones not once they are set.

                         

                        Thank you all for your responses. Appreciate it greatly.

                        • 9. Re: Edit Security Privileges through Script
                          keywords

                          Re: "forcing us to give the Master Key to someone just for them to change/edit privileges seems a bit extreme"

                          You make it sound as if "change/edit privileges" is a minor matter. It is not, and shouldn't be considered thus.

                          • 10. Re: Edit Security Privileges through Script
                            wimdecorte

                            JulioSandoval wrote:

                             

                             

                            I wonder if FileMaker will give this ability in the future. Because forcing us to give the Master Key to someone just for them to change/edit privileges seems a bit extreme. And I am not saying that they need to be able to change all roles, I am just saying the ability to assign what roles can be changed and which ones not once they are set.

                             

                            Highly unlikely that FM will give you this ability in the future.  It would be a potential security nightmare if scripting can be leveraged to change the actual priv set.

                             

                            As I mentioned before, I think the solution is not in the actual mechanics of how FM attaches priv sets (roles) to accounts, but in how your roles are defined. If a user needs two roles then that means that a new role has not been defined. Create a new unique priv set that fits the needs of that user's needed role.
