I'm looking for a way to control access to individual fields based on some user configuration values, but without having to change privilege set.
Details: I have a database that has various stages of the lifecycle of a product (let's call them "phase1", "phase2", and "phase3" for now). In each phase there are several fields that I need to offer more security for. Let's say the special fields are as follows (this is made up to illustrate the issue):
contact cell phone
Note in particular that the "secure" fields are not of the same kind. Also, while I only show 8 "secure" fields, in reality I have more such fields, and I may at any point need to add yet more "secure" fields, and I may even add entirely new "phases" with new secure fields.
The previous developer had four privilege sets: basic (can't see any of the secure fields), phase 1 (can see the secure fields in phase 1 but not in phases 2 and 3), phase 2, and phase 3. Thus, if a user needed to access the "code word" field in phase 2, she'd re-login under the phase 2 privilege set. (This of course assumes they log in under different account names to obtain different access -- they used group accounts.)
Apart from the reliance on group accounts rather than individual accounts, it simply doesn't scale -- in our scenario, an individual user may be given permission to view ANY specific combination of secure fields; the number of privilege sets/accounts required to set this up would be prohibitive.
What I thought to do was to have a checklist in the user record where I could indicate what secure fields the user has access to...
Specify what fields user can access:
x start date
x contact cell phone
then I would control access to the corresponding field by privilege set logic such as:
PatternCount( user_list ; this_field ) > 0 (etc.)
This would have been fine IF FileMaker security allowed you to specify field-level access by calculation -- but it doesn't: it's just "no access", "view", or "modify". (The calc-based contol is at whole RECORD level...)
I can easily control access via the interface with calc logic, of course, but this leaves the data still vulnerable at the data level -- someone could easily export the records and the fields are wide open, even if I "hid" them in the interface.
So: is it possible to securely control access to individual fields in a case like this -- where any individual field may in principle be turned on or off for access (i.e., there are no natural "groups"), and I want to have users log in by their usernames and not switch privilege sets?
How do you handle such a case?