3 Replies Latest reply on Jun 16, 2013 8:06 AM by disabled_jackrodgers

    Privilege Problem: View the records by login name and group in a large database

    AlanChu

      I'm working on a project for different groups of people to view the records by privilege.

       

      Here are the details:

       

      Database Structure

      TO: User

      Fields:

      UserLogin; #Note: using the OD name

      UserID;

      Group;

       

      Sample Data:

       

      UserLogin | UserID   | Group
      Aaron     | ManagerA | A
      Brenda    | ManagerB | B
      Oliver    | Staff01  | A
      Eva       | Staff02  | B
      Oscar     | Staff03  | A
      Esther    | Staff04  | B

       

       

      TO: DataFile

      Fields:

      Viewable User

      Contents

       

      Sample Data:

       

      Viewable User    | Contents
      ManagerB/Staff02 | Brenda order; Eva follow
      Staff04/Staff02  | Esther request; Eva reply
      Staff03/Staff01  | Oscar do one; Oliver do the other
      ManagerA         | Aaron do all
      Staff03          | Oscar do his own
      Staff04          | Esther do her own

       

       

      Privilege Set:

      Full Access; #Only the Admin can access all records

      Manager; #The managers can access their own group, i.e. all the records with "Viewable User" of "DataFile" belonging to the "Group"

      Own; #The user can access their own records when field "UserID" exists in the field "Viewable User"

       

      I put Brenda and Aaron into the privilege set "Manager" and the others into "Own"

       

      I would like to do the following:

      1. When a member of "Manager" logs in, he/she can view all the records of "DataFile" that belong to their own group only;
      2. When a member of "Own" logs in, he/she can view only the records of "DataFile" in which the "Viewable User" contains his/her UserID;
      3. Avoid the "<no access>" records being displayed by using a faster method to show the records (around 200,000), instead of using the perform find(field,"*") which I tried.

       

      Can anyone help me solve this problem?

       

      Thanks in advance!

        • 2. Re: Privilege Problem: View the records by login name and group in a large database
          LyndsayHowarth

          Hi Alan,

           

          In the User record you have the definition of what each can see....

          1. UserID (which is poorly named... perhaps UserAccess might be a better alternative. One usually assumes a UserID will be a unique value)

          2. Group

           

          In the security you have a privset for Manager. Here you limit the records to allowing them to view records where the UserID&Group match the records in the other tables with the same UserID&Group values. If you create a many to many relationship between the user table and the datatable by using UserID & Group, you can just allow records which belong to that relationship.

           

          In the Datafile, the records are marked by the viewable user... but it does not appear they are also marked with a Group. I think this is essential.

           

          You can capture the values in the users records by using variables or you can apply the same relationship to every table you want to restrict. You must make the same privSet rules in all tables where you wish to restrict access.

           

          I hope this leads you to look in the right areas. (I'm tired so hopefully not confusing you)

           

          - Lyndsay
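
The visibility rule discussed above, modelled in Python over the question's sample data. This is an added example, not code from the thread and not FileMaker calculation syntax. It assumes "Viewable User" is a "/"-delimited list of UserIDs and that a record belongs to every group one of its listed viewers is in; the function names and the `Staff1`/`Staff10` IDs in the last docstring are constructed for illustration.

```python
# Added example: a Python model of the thread's rule, not FileMaker code.
# Sample data is copied from the question; privilege sets as the poster assigned them.
USERS = {  # UserLogin -> (UserID, Group)
    "Aaron": ("ManagerA", "A"), "Brenda": ("ManagerB", "B"),
    "Oliver": ("Staff01", "A"), "Eva": ("Staff02", "B"),
    "Oscar": ("Staff03", "A"), "Esther": ("Staff04", "B"),
}
MANAGERS = {"Aaron", "Brenda"}  # privilege set "Manager"; all others are "Own"
DATAFILE = [  # (Viewable User, Contents)
    ("ManagerB/Staff02", "Brenda order; Eva follow"),
    ("Staff04/Staff02", "Esther request; Eva reply"),
    ("Staff03/Staff01", "Oscar do one; Oliver do the other"),
    ("ManagerA", "Aaron do all"),
    ("Staff03", "Oscar do his own"),
    ("Staff04", "Esther do her own"),
]
GROUP_OF = {user_id: group for user_id, group in USERS.values()}


def viewers(viewable_user):
    """Split the '/'-delimited field into exact UserID tokens."""
    return {tok.strip() for tok in viewable_user.split("/") if tok.strip()}


def record_groups(viewable_user):
    """Assumption: a record belongs to every group that one of its viewers is in."""
    return {GROUP_OF[v] for v in viewers(viewable_user) if v in GROUP_OF}


def can_view(login, viewable_user):
    """Default deny: a login that is not in USERS sees nothing."""
    if login not in USERS:
        return False
    user_id, group = USERS[login]
    if login in MANAGERS:
        return group in record_groups(viewable_user)
    return user_id in viewers(viewable_user)


def visible(login):
    """Contents of every DataFile record the login may see."""
    return [contents for vu, contents in DATAFILE if can_view(login, vu)]


def substring_match(user_id, viewable_user):
    """Weak check for contrast: 'Staff1' would also match 'Staff10'."""
    return user_id in viewable_user
```

Matching whole tokens rather than substrings is what keeps one UserID from unlocking records listed for a longer ID that merely contains it.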

          • 3. Re: Privilege Problem: View the records by login name and group in a large database

            Privileges are used to isolate the accounts and using the popup options you can designate scripts, layouts, etc. as viewable, modifiable or not.

             

            People are then given an account name and password and a selected privilege set is applied to that account. The privilege set can be changed at any time; it is best to have the account offline.

             

            The easiest way to design privileges is to start with everything off and then assign the privileges to the lowest rank. Assuming the privileges to be hierarchical, you would duplicate that privilege set, rename it and then add extra functions. And so on.

             

            Sometimes a privilege set is needed for specific functions and so you can create it and isolate those functions, turning off all others.

             

            Navigation now becomes an issue and you should produce layouts designed for a privilege set and that only contain buttons and fields that work with that privilege set.

             

            If you use account names and account privileges in an if/else to designate actions, be aware that changing the account name or privilege set name will make the if/else not work correctly.