9 Replies Latest reply on Aug 16, 2014 4:36 PM by raycon

    Privilege Sets

    raycon

      Hi All,

       

      Does anyone know how to set privilege sets by expression? And if not, why not? Is it some sort of security issue?

       

      And why can't you "Get" account data for a specific account, and "Get" a list of privilege sets for a given file, and a list of the accounts using each privilege set?

       

      I can't see why it would be an issue?

       

      Ray

        • 1. Re: Privilege Sets
          Mike_Mitchell

          "Does anyone know how to set privilege sets by expression?  And if not, why not?  Is it some sort of security issue?"

           

          Not exactly sure what you're asking here. Are you asking, "How do I create a new privilege set via a script or calculation"? Or are you asking, "How do I set an account to use a given privilege set via a script or calculation"?

           

          If it's the latter, you can use the Add Account script step to assign a privilege set (which must be pre-existing) to an account (which, obviously, must first be deleted if it already exists). If it's the former, well, you can't.  

           

          Yes, it's a security issue. By opening up the security schema to scripting, it creates an opening for the scripting engine to be used as a hacking attack against the privilege sets. Same thing for your question about using a (hypothetical) Get function to extract the privilege sets and what accounts are associated with them. Would you really want a hacker to have that kind of information about your application?

           

          HTH

           

          Mike

          1 of 1 people found this helpful
          • 2. Re: Privilege Sets
            raycon

            I was really asking all of the above.

             

            Create them by script, set accounts to use them by calculation, and "get" the names to prevent breaking it if someone changes the name of a privilege set.

             

            I don't know enough about the weaknesses of FM to know how a hacker would get to that information.  Perhaps I should so I can be certain I'm doing all I can to limit potential damage.  I thought limiting access to only what people need to see and being careful with passwords was enough but I guess if they can get into the Pentagon they can get into anywhere?  They have to have one user account surely?

             

            Are there any papers on the subject Mike?

            • 3. Re: Privilege Sets
              Mike_Mitchell

              Here's a best practices security guide. Might be helpful.

               

              https://fmdev.filemaker.com/docs/DOC-3721

              • 4. Re: Privilege Sets
                raycon

                Thanks Mike

                 

                Regards,

                 

                Ray Constantine

                Treasurer

                Fremantle Volunteer Sea Rescue Group

                 

                e: treasurer@searescue.com.au

                w: www.searescue.com.au

                fb: facebook.com/fremantlesearescue

                • 5. Re: Privilege Sets
                  darrenburgess

                  Ray,

                   

                  FWIW, I created an open source accounts module that handles account management with multiple functions such as:

                  • create account
                  • delete account
                  • reset password
                  • change privilege set
                  • enable/disable account

                   

                  As you might suspect this module is exponentially more complicated to write and integrate because we cannot abstract the privilege set.

                   

                  That said, it is quite robust and carries quite a bit of error trapping and configuration options.  Version 2.0 is complete except for documentation changes.  Version 1.3 available here:

                   

                  http://www.modularfilemaker.org/module/accounts-modular-user-account-management/

                   

                  Darren Burgess

                  www.MightyData.com
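The constraint discussed in the replies above, as an added example that is not part of the original posts or of Darren's module: the Add Account step takes its privilege set as a fixed choice rather than a calculation, so a script that "changes" a privilege set needs one hard-coded branch per set and must delete and re-create the account. The parameter layout is an assumption, and the two built-in privilege sets stand in for a solution's own.

```filemaker
# Constructed example. Must run with rights to manage accounts.
# Script parameter (assumed layout): account name ¶ temporary password ¶ privilege set name
Set Error Capture [ On ]
Set Variable [ $account ; Value: GetValue ( Get ( ScriptParameter ) ; 1 ) ]
Set Variable [ $password ; Value: GetValue ( Get ( ScriptParameter ) ; 2 ) ]
Set Variable [ $set ; Value: GetValue ( Get ( ScriptParameter ) ; 3 ) ]
# Reject empty input, and never delete the account that is running the script
If [ IsEmpty ( $account ) or IsEmpty ( $password ) or $account = Get ( AccountName ) ]
  Exit Script [ Result: "invalid request" ]
End If
# Check the requested set against an allow-list BEFORE deleting anything,
# so a renamed or mistyped set cannot leave the user with no account at all
If [ IsEmpty ( FilterValues ( "[Data Entry Only]¶[Read-Only Access]" ; $set ) ) ]
  Exit Script [ Result: "unknown privilege set" ]
End If
# An existing account has to be removed before it can be re-added;
# an error here only means the account did not exist yet
Delete Account [ Account Name: $account ]
# One literal branch per privilege set: the set itself cannot be an expression
If [ $set = "[Data Entry Only]" ]
  Add Account [ Account Name: $account ; Password: $password ; Privilege Set: "[Data Entry Only]" ; Expire password ]
  Set Variable [ $error ; Value: Get ( LastError ) ]
Else
  Add Account [ Account Name: $account ; Password: $password ; Privilege Set: "[Read-Only Access]" ; Expire password ]
  Set Variable [ $error ; Value: Get ( LastError ) ]
End If
# 0 means the account was created; the caller handles anything else
Exit Script [ Result: $error ]
```

The "Expire password" option forces a password change at first login, so the temporary password passed in is only valid once.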

                  • 6. Re: Privilege Sets
                    raycon

                    Great stuff thanks very much Darren. 

                     

                    I had written a vaguely similar system into my solution but it’s nowhere near as comprehensive and robust. 

                     

                    The key differences with my approach are minor, i.e. that the account name is generated automatically as a new account holder is added (easily integrated in yours) and I use the account name as the default password name rather than “password”.

                     

                    I look forward to seeing v2.0, even without docs????

                     

                    Regards,

                     

                    Ray Constantine

                    Treasurer

                    Fremantle Volunteer Sea Rescue Group

                     

                    e: treasurer@searescue.com.au

                    w: www.searescue.com.au

                    fb: facebook.com/fremantlesearescue

                    • 7. Re: Privilege Sets
                      darrenburgess

                      Ray, 

                       

                      Send me your private email and I will send you 2.0

                       

                      I just integrated into a production solution.  Worked great.  Install steps are basically the same.

                       

                      Tips:

                       

                      • order of operations on install is important
                      • integrate with the files off server so that when you add the scripts you can look at the import log easily and see any import errors.
                      • the only scripts you need to change are in the public folders

                       

                      Would be really awesome to have a beta victim, er I mean tester.  As far as modules go, this one is pretty tricky to integrate.

                       

                      Let me know if you need help.

                       

                      Darren

                      darrentburgess@gmail.com

                      • 8. Re: Privilege Sets
                        raycon

                        Hi Darren,

                         

                        This is me.  Looking forward to it!!

                         

                        Regards,

                         

                        Ray Constantine

                        Treasurer

                        Fremantle Volunteer Sea Rescue Group

                         

                        e: treasurer@searescue.com.au

                        w: www.searescue.com.au

                        fb: facebook.com/fremantlesearescue

                        • 9. Re: Privilege Sets
                          raycon

                          Or, ray_constantine@yahoo.com.au

                           

                           

                           
