17 Replies Latest reply on Dec 19, 2012 7:30 PM by AlanChu

    Allow a user to have access to a subset of data

    jlwayne

      What steps should I take to allow a user on my team to have access to only a subset of a large data file? This file is a list of all recorded time on hundreds of projects. I want the user to only be able to Find/Create data with his user ID.

        • 1. Re: Allow a user to have access to a subset of data
          peterbouma

          You can handle this by means of the Privilege Set associated with someone's login account. The nice thing is that FileMaker effectively makes records unfindable if you're not allowed to see them.

           

          Let's assume:

          - userID is a field in table RecordedTime

          - the user ID is also in a global variable $$userID, which is set at login (startup script)

           

          Then:

          - go to Manage>Security..., tab Privilege sets

          - create a new Privilege Set, let's call it 'User restricted'

          - assign general privileges, like some access to layouts, scripts, printing etc., appropriate for this type of end user

          - click the popup menu next to Records: (top left), choose Custom Privileges...

          - select the RecordedTime table

          - on the bottom there's a popup menu under 'View', select option 'Limited...'

          - create a calculation that establishes the restriction, e.g.

           

                    RecordedTime::userID = $$userID

           

          - make sure the calculation is evaluated from the right context, in this case RecordedTime, otherwise there will never be a match resulting in 'true'.

           

          - Assign the new privilege set to any account that needs it.

           

          HTH

          Peter Bouma

          • 2. Re: Allow a user to have access to a subset of data
            jlwayne

            This was very helpful. Thank you.

             

            However, after setting this up, when I open the file under that specified user all the data that he should not be able to see is not invisible, it is all present but each field says <No Access>. Can I make the restricted records invisible?

            • 3. Re: Allow a user to have access to a subset of data
              Stephen Huston

              That final level of Record Level Access (RLA) control is usually implemented with scripting. I have done it by taking users to a pre-defined set of records they are allowed to see, such as a Find on user ID.

               

              You can also customize the Find command to run a script which takes their request but appends the info of their user ID as a final embedded option when they execute the Find, so that records without their ID are not included.

               

              You do have to control things such as the Show All and Show Omitted processes as well to completely hide the <No Access> records from users with restricted access.

               

              It would be really nice if FM implemented a record not even visible option for RLA controls. The <No Access> info does the trick of hiding restricted data, just not very elegantly when used alone.

              • 4. Re: Allow a user to have access to a subset of data
                Mike_Mitchell

                Stephen is correct. In order to suppress the somewhat perplexing <No Access> display, you'll need to use scripting. In addition to his good suggestions, may I offer the use of an OnRecordLoad Script Trigger that omits the current record if the user doesn't have access. This can be effective to prevent users from scrolling into records they shouldn't see.

                 

                HTH

                 

                Mike

                 

                P. S. And I also agree with Stephen. It would be nice if FMI would implement a way to do that automatically.   

                • 5. Re: Allow a user to have access to a subset of data
                  comment

                  Stephen Huston wrote:

                   

                  You can also customize the Find command to run a script which takes their request but appends the info of their user ID as a final embedded option when they execute the Find, so that records without their ID are not included.

                   

                  There is no need for this. Any find will automatically omit records to which the user has no access (as already explained in the first reply by Peter). OTOH, you need to deprive your users of the opportunity to use the Show All Records command.

                  • 6. Re: Allow a user to have access to a subset of data
                    usbc

                    "OTOH, you need to deprive your users of the opportunity to use the Show All Records command."

                    and I suppose the "Show Omitted"

                     

                    Omit on RecordLoad:

                    Curious if one would get screen flashing etc. on Win machines if a large set is found.

                    • 7. Re: Allow a user to have access to a subset of data
                      Mike_Mitchell

                      On the question about OnRecordLoad - are you thinking if you're in a List or Table View?

                       

                      If so, I'd say try it and see. I've never thought to try it in those views; been mostly interested in Form View for that application. As has been pointed out, performing a Find automatically removes any record to which the user doesn't have access, and if you trap Show All and Show Omitted ... well, it might not matter.

                       

                      Mike

                      • 8. Re: Allow a user to have access to a subset of data
                        comment

                        usbc wrote:

                         

                        and I suppose the "Show Omitted"

                         

                        Indeed -  thanks for catching that.

                         

                         

                        usbc wrote:

                         

                        Omit on RecordLoad:

                         

                        That would be too late if you are in List or Table view. It would also mess up the record count.

                        • 9. Re: Allow a user to have access to a subset of data
                          peterbouma

                          Actually, FM displaying records you're not allowed to see anyway, tagged <no access> or whatever, or even the overall total record count, is 'almost' a bug IMHO. Think of a mail server: are you ever interested in the total number of e-mails your mail server has handled today? No thanks, please only the ones with my name on them, that I haven't received already. Keeping track of the total number of records in a database may be temporarily useful for a database administrator, or someone doing a conversion, but never to an end user. The Find All (and Show Omitted) command should function like any other Find: do not display what you're not supposed to see anyway. Has this been submitted as a feature request?

                          Of course, we have tools to solve this: just capture menu/keyboard commands like Find All/cmd-J using Custom Menus, and replace them with scripted Finds. Still, it feels like a workaround that shouldn't be necessary. Omitting records in an OnRecordLoad script is ugly. In list or table view, they will visibly disappear one by one.

                          Peter

                          • 10. Re: Allow a user to have access to a subset of data
                            LyndsayHowarth

                            If instead your privilege set is set with a relationship rather than you finding and omitting records, you can restrict your user from only ever finding his records... including in any record count.

                             

                            All this find and omit is less secure and makes the job a lot bigger by needing to trap for all the possible errors.

                             

                            - Lyndsay

                            • 11. Re: Allow a user to have access to a subset of data
                              Mike_Mitchell

                              I'd tend to agree.

                               

                              But what it "should" do, versus what it does do ... well, we have to work with the latter.   

                               

                              Mike

                              • 12. Re: Allow a user to have access to a subset of data
                                Mike_Mitchell

                                Lyndsay -

                                 

                                Embed the calculation as a relational predicate?

                                 

                                Mike

                                • 13. Re: Allow a user to have access to a subset of data
                                  LyndsayHowarth

                                  Hi Mike,

                                   

                                  Yes... precisely...

                                   

                                  If the condition for seeing the files is that their UserID (or account name) matches related records only... then that is all the user will ever see... his or her own records via that relationship.

                                   

                                  Another thing you can do if you are going the find-omit route is customise the Show all Records menu item and have it perform a partial find based on the UserID instead of its standard behaviour.

                                   

                                  - Lyndsay
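
The scripted replacement for Show All Records and Show Omitted Only that several replies above describe could look like the following. This is an added example, not part of any post in the thread. The script name and the parameter values "all" and "omitted" are assumptions; `RecordedTime::userID` and `$$userID` are the names from Peter's first reply. The script only tidies what the user sees; the 'Limited...' calculation in the privilege set remains the actual access control.

```filemaker
# Script: Show My Records (hypothetical name).
# Assumed wiring via Custom Menus:
#   Show All Records   -> this script, parameter "all"
#   Show Omitted Only  -> this script, parameter "omitted"
Set Error Capture [ On ]
If [ Get ( ScriptParameter ) = "omitted" ]
    # Flip the found set first, then narrow it to the user's own rows
    # so that no <No Access> records are left in the result.
    Show Omitted Only
    Enter Find Mode [ Pause: Off ]
    Set Field [ RecordedTime::userID ; "==" & $$userID ]
    Constrain Found Set [ ]
Else
    # Replacement for Show All Records: a find on the user's own ID.
    Enter Find Mode [ Pause: Off ]
    Set Field [ RecordedTime::userID ; "==" & $$userID ]
    Perform Find [ ]
End If
If [ Get ( LastError ) = 401 ]
    # 401 = no records match the request
    Show Custom Dialog [ "Recorded time" ; "No records to show." ]
End If
```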

                                  • 14. Re: Allow a user to have access to a subset of data
                                    Mike_Mitchell

                                    Thanks, Lyndsay.

                                     

                                    Been thinking about this one. But I'm a little confused. How do you set up the relationship so this works? Through a single-record table and a portal? Or do you try to set up a one-to-one relationship and keep the two tables synchronized?

                                     

                                    I don't think I'm getting this ...  

                                     

                                    Mike
