5 Replies Latest reply on Mar 28, 2013 5:25 AM by taylorsharpe

    RBAC System in FileMaker?

    alecgregory

      Hi all,

       

      I need to create RBAC functionality in a FileMaker solution. That is,

      • A table to store authorisation items which can be either (in increasing order of granularity, operations, task or roles).
      • Authorisation items assigned to users in a users table. The users table mirrors most of the users in the File itself (Full Access accounts).
      • Authorisation items can inherit other authorisation items at the same level or below. For example:
        • Operations can be parents of other operations but not tasks or roles.
        • Tasks can be the parents of operations or other tasks but not roles.
        • Roles can be the parents of operations, tasks or other roles.
      • An authorisation item can have multiple parents and multiple children

       

      I've implemented RBAC in PHP MVC frameworks such as Yii, and I have some ideas about how to do it in FileMaker, but before embarking on this I wanted to see if anyone had done this sort of thing before and could offer me some pointers.

       

      Obviously, setting up the tables and managing the relationships is fairly straightforward, it's the implementation of the rules that is the interesting part. My current thinking is that for this to work well, users would need to declare their actions more explicitly that they usually do in Filemaker applications. For example, they would need to press an edit button in order to access a data-entry layout. That button would then run a parameterised script which would compare a user's access level in the RBAC tables with the level of access required by the operation.

       

      Any thoughts / ideas / plugins / sample files much appreciated.

        • 1. Re: RBAC System in FileMaker?
          wimdecorte

          Any particular reason you don't want to use the native security system with privilege sets and extended privileges?

          • 2. Re: RBAC System in FileMaker?
            alecgregory

            Many thanks for the reply. It's the FileMaker access model itself that is the problem and also the difficulty in managing the access model using an account with a privilege set below [Full Access]. To elaborate:

            1. It needs to be possible for users without full access (e.g. a power user) to manage access in a safe way with a user-friendly interface
              • Allowing a power user to access extended privileges is not safe, as users can delete extended privileges and turn off key ones for users with access above their own.
              • Even if you build an interface which utilises the regular account management options (with the ability to create accounts and reset passwords), this doesn't allow you to change a user to a different privilege set, you need to delete and recreate the user's account to change their privilege set
            2. It's limiting having only a single privilege set per user. If you want to add just a single extra permission to a user, but not to other users in that privilege set, you need to create a whole new privilege set.
            3. RBAC is a great system for customising access while keeping control of the granularity of that access.
            • 3. Re: RBAC System in FileMaker?
              LyndsayHowarth

              The additional 'granularity' you require is generally something we all build into our FM solutions.

              Users would have a base-privilege set then further 'preference' settings inside a FM table would control the rest.

              I know lots of solutions with this kind of control of access by the higher level users.

               

              - Lyndsay

              • 4. Re: RBAC System in FileMaker?
                alecgregory

                Thanks Lyndsay, I suspected as much. I was just wondering if there were any design patterns for controlling access. I've gone ahead and set up the RBAC tables and am now trying out a few alternatives. If I come up with anything interesting I'll share.

                • 5. Re: RBAC System in FileMaker?
                  taylorsharpe

                  I avoid doing user security at the FileMaker level and only have FileMaker Manage Privilege Groups which are assigned by Active Directory.  Authentication through Active Directory (or Open Directory) is pretty much the norm for enterprise systems.  This also makes single sign on and other such common enterprise services work sealessly. 

                   

                  Before going forward, make sure you understand the FileMaker Security Guide.  You can find it online at http://www.filemaker.com/downloads/documentation/fm12_security_guide_en.pdf