Access control
-
Hi, I'm looking for a point in the right direction with regards to access control. What I mean by AC is the ability to set a View/Add/Edit/Delete restriction on a field in a Windows form. For example, let's say I have a contact screen with a Display name edit box. I only want this field editable for particular users. Does anyone have any tips on how to achieve this? My initial thought was to store an identifier of all the controls in the db and have a base form loop through all the controls on a form. It would then apply the access rights, i.e. if you only have the right to view a field, set the control to readonly. If you don't have the right to view it, set the control to invisible. This seems like a really cumbersome approach. Thanks in advance to anyone willing to provide tips and suggestions :)
Ryan
-
I'll be interested in the results of this enquiry; here's my solution. 2 apps required: 1 is user manager, 2nd is the client app. User manager stores and manages the users and groups for each app (we have about 9 apps managed by this system). Each app has a set of roles (public being the default), servers (we allow the user to select a target server) and objects (forms, buttons, panels/areas etc). Objects are requested by the user and defined by the developer. Each object has an AEDX flag (add/edit/delete/execute) so a role can see the object (default) but the actions are managed. User manager generates an enum to be used in the development code. Each client app has a security function (using the object name) and death and mayhem to any junior dev who changes a controlled object. Security function is applied to each object, yes hard coded, the user wants to control. The business can then control the access to the object they have defined. While I have built and used this method for over 10 years on ## apps, not once have I had to implement a tightly controlled environment. At most they want to restrict access to a number of forms or possibly limit the group who can edit some data. Shoulda done an article :laugh:
Never underestimate the power of human stupidity RAH
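The following is an added example, not code from any poster in this thread: one way to express the enum-plus-flags scheme described above in C# for WinForms, with a View right included as in the original question. All type, member and control names are hypothetical, and the deny-by-default rule and the `Demand` check in front of the data operation are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Windows.Forms;

[Flags]
public enum Access { None = 0, View = 1, Add = 2, Edit = 4, Delete = 8, Execute = 16 }

// Hypothetical controlled objects; in the scheme above this enum is generated.
public enum SecuredObject { ContactDisplayName, ContactSaveButton, ContactDeleteButton }

public sealed class AccessPolicy
{
    private readonly Dictionary<(string Role, SecuredObject Obj), Access> _grants = new();

    public void Grant(string role, SecuredObject obj, Access rights) => _grants[(role, obj)] = rights;

    // Union of rights across the user's roles; anything never granted is denied.
    public Access RightsFor(IEnumerable<string> roles, SecuredObject obj)
    {
        var rights = Access.None;
        foreach (var role in roles)
            if (_grants.TryGetValue((role, obj), out var r)) rights |= r;
        return rights;
    }

    // UI side: hide the control without View; without the right needed to
    // use it, text boxes become read-only and other controls are disabled.
    public void Apply(Control control, SecuredObject obj, IEnumerable<string> roles, Access toUse)
    {
        var rights = RightsFor(roles, obj);
        control.Visible = rights.HasFlag(Access.View);
        bool allowed = rights.HasFlag(toUse);
        if (control is TextBoxBase text) text.ReadOnly = !allowed;
        else control.Enabled = allowed;
    }

    // Enforcement side: call this in the save/delete code path itself,
    // because a hidden or disabled control is presentation, not a check.
    public void Demand(IEnumerable<string> roles, SecuredObject obj, Access needed)
    {
        if ((RightsFor(roles, obj) & needed) != needed)
            throw new UnauthorizedAccessException($"{obj}: {needed} not granted");
    }
}

// Usage in a form's Load handler (hypothetical control names):
//   policy.Apply(txtDisplayName, SecuredObject.ContactDisplayName, roles, Access.Edit);
//   policy.Apply(btnDelete, SecuredObject.ContactDeleteButton, roles, Access.Delete);
```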
-
So far have not found any "standard practice" from MS, so, was using the brute force way to loop through the controls & menu items (they are not part of form :\) and visible/enable each of them manually.
-
Thanks for your reply Mycroft. It looks like brute force seems to be the way to go. I haven't seen any other real solutions to this problem so I think you really should write that article! :)
-
I do prefer the enum solution, while it means you (your users) need to identify the objects to be managed you do not have to iterate all the objects on a form. The other benefit is that the users must identify the objects which also emphasises the number of objects they need to manage, always a good thing to rub the users' nose in the support nightmare!
Never underestimate the power of human stupidity RAH
-
I've had a thought... what if somehow, a user can put a form into design mode? The user can then for example, set the property of a control to read only. It would then save the settings as a 'template' which could then be linked to a group of users. This template can then be loaded as a form is displayed. Do you think that's feasible?
-
I can see a number of drawbacks (read nightmares). Managing what a user can change on the "design mode" form seems to be the showstopper.
RyanEK wrote:
what if somehow
I don't think this is feasible without VS installed
RyanEK wrote:
save the settings as a 'template'
I have no experience with templates in VS so cannot comment other than Huh!
RyanEK wrote:
Do you think that's feasible?
Nope - absolutely not - I would not even entertain the idea, seems to me you would be making a rod for your own back and a support nightmare.
Never underestimate the power of human stupidity RAH
-
Let me clarify what I mean: a (high level) user will have the option to launch the Windows app in 'design mode', which means they have the ability to move controls, set properties etc., e.g. http://www.codeproject.com/KB/miscctrl/MovableControls.aspx Once designed, the layout of the form can be saved as XML and loaded as needed. This XML will determine which controls users have access to. Again... thanks for all the help! :)
-
It is feasible, though not in the way of putting the control into designer mode. Doing this will put the control to the user on what can or cannot be accessed by a user group. We did one of the web applications using JavaScript (only activated for admin logon) to bring up a dialog box to set the read/write/etc access. On a desktop application, you can probably subclass the controls, use mouse right click to bring up a context menu or a dialog box to set the access.