Screen Security
Hello Board,
I wanted to know how to define the security of some screens located in a single capsule, so that not every user can access that screen.
For example:
I have the screen "Purchase" and the screen "Sells" and also two users: "Purchase users" and "Sells users".
I want that the Purchase users can only access the Purchase's screen and that the Sells users can only access the Sells' screen. Is there a way to do it?
Regards,
Francesco
Answers
-
Hi Francesco,
You can easily achieve your goal by using a matrix cube with as dimensions: "users,screen" where a value=1 provides access to screens and a value=0 forbids access.
Then when a user would click on a label to go to a screen, you can put an "if then" procedure behind it, checking the value of the matrix cube, providing access only when value of the matrix cube > 0.1. You can even play with the visibility of the "go to" labels using the visibility properties: buttons_labels_enhancements.
Note that to make this approach waterproof, you need to disable the screen list (go to capsule -> capsule properties -> hide screenlist), and allow the navigation between screens only by using buttons/labels.
Here is an example of the setup (in particular the Access cube):
All the best,
Jonathan
5 -
Hi Jonathan Baetens and Francesco Defacendis,
I don't understand how Board can recognise entity User like the real user and entity screen like the real screen.
Thank you
Andrea
0 -
Hi Andrea,
You can use the approach as explained in Use of @user / @username to segregate data
The same could be done with a cube comparing screen name with "@screen" (if(Entity(screen)=@screen;1;0)) in combination with a "select entity based on cube" or you would just hard code the selection on entity Screen for each screen.
All the best,
Jonathan
1 -
1
-
Hi Jonathan, sorry to bother you again but I wanted to know how to create the cube "screen,users" because I think I'm not doing it in the right way, and also where do I put the two conditions (ex. if(Entity(Screen)=@Screen;1;0) ) in the database security and how.
Thanks a lot,
Francesco
0 -
Hi Francesco,
In my suggestion, I am not using the database security in System->Security for the screens. I am managing the screen security immediately inside the capsule itself. This is an example of a potential procedure. Note that this example only works if you have already selected 1 single user in entity users (I again refer to Use of @user / @username to segregate data on how to do that):
Here is the dataflow I was talking about (step 3 in my procedure). This will only work in case your entity "screens" has the exact names of the screens you have created inside your capsule:
The User dimension you will need to create immediately inside your db->entities, (or you import them):
The Screen dimension you will also need to create immediately inside your db->entities. Here it is very important that the names are exactly the same as the names you define when creating your screen. If you ever change the screen name, this entity needs to be updated as well (but at least thanks to the @Screen approach in your procedures, you won't have to update your procedures).
I hope this clarifies your question.
All the best,
Jonathan
1 -
Hi Jonathan Baetens, in step 3 of the data flow my cube is not being filled. My cube has two dimensions: screen and users.
I tried to fill the cube with data entry, disabling step 3 on the procedure and however the procedure failed.
I think the procedure is completely like yours.
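A Python model of the Access cube check described in the post above, added here as an illustration and not taken from the thread or from Board: the user names, the sample cube values and the `audit` helper are constructed assumptions. It shows that a renamed screen no longer matches the Screen entity, so in this model the check denies access until the entity is updated.

```python
# Added illustration: a Python model of the setup described above.
# All names and sample data are constructed; this is not Board code.

SCREENS_ENTITY = ["Purchase", "Sells"]   # members of the entity "Screen"
ACCESS = {                               # Access cube: (user, screen) -> 0/1
    ("purchase_user", "Purchase"): 1,
    ("sells_user", "Sells"): 1,
}

def current_screen_flags(at_screen):
    """Dataflow step if(Entity(Screen)=@Screen;1;0), modeled as an exact name match."""
    return {s: 1 if s == at_screen else 0 for s in SCREENS_ENTITY}

def may_open(user, at_screen):
    """Procedure 'if then' check: allow only when the cube value is > 0.1."""
    flags = current_screen_flags(at_screen)
    # Missing cells count as 0, so unknown users and unmatched screens are denied.
    value = sum(ACCESS.get((user, s), 0) * f for s, f in flags.items())
    return value > 0.1

def audit(capsule_screens, users):
    """Report screens with no matching entity member and users locked out of everything."""
    unmatched = [s for s in capsule_screens if s not in SCREENS_ENTITY]
    no_access = [u for u in users
                 if not any(may_open(u, s) for s in capsule_screens)]
    return unmatched, no_access

if __name__ == "__main__":
    print(may_open("purchase_user", "Purchase"))   # granted
    print(may_open("purchase_user", "Sells"))      # denied
    # The capsule screen was renamed to "Purchases" but the entity was not updated.
    print(audit(["Purchases", "Sells"], ["purchase_user", "sells_user"]))
```
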
Regards
Andrea
0 -
Hi Andrea,
Maybe two points of attention:
- Make sure that you are looking at the correct data in your datablock b (in my example I need to compare my screen name (@Screen) with the description of my entity Screen)
- Don't use high-performance mode. I have encountered in the past problems with substitution formulas like "@screen" and "@user" using high-performance mode in dataflows. So I disable that by default.
Let me know if this helps.
All the best,
Jonathan
0 -
0
-
Hi Andrea,
I am not sure what to say at this point. You are running the procedure triggered from a label and with one single user selected? Which BOARD version are you using? I am sure it's a minor thing.
If nothing helps, can you replicate it in a small test capsule/db without proprietary data?
You can send it to jbaetens@toolsgroup.com and I can have a quick look.
Cheers,
Jonathan
0 -
Hi Francesco,
Have done something similar at a client and think this way works a little better without need for procedure to run to decide access.
Is still a matrix I did it on user group but could be done per user and then just two labels one which has a layout on it to decide if it is visible and allows users to navigate through it.
Create a User Group and then create a cube per screen (could use entity for screen names but chose not to in my case)
In this case I will have groups in the database and use the simple select rather than @user = User; this makes security easier as you define by group, but you could also do it by user.
Then in the layout for the navigation in Board I created two labels as below the first gives access and appears only if the value is not 0.
The P&L trend sits on top of the P&L Trend (Access denied).
Now in the P&L Trend we have the following Layout:-
As above you can see the layout is selected to the access restriction I want to apply the user will be tied to group by the group they are in.
The label is only visible if the amount is not 0 and thus if it is not ticked for access the user will see “P&L Trend (Access Denied)” and I used the show value on the label rather than typing it into the label and on the label for access just added the go to screen:-
This is better in my opinion as users can see straight away where they cannot go and also clicking it doesn’t require a Procedure run if they have access denied they do not even have the ability to click it just appears as label.
I deliberately wanted to show the access denied as I wanted the users to know the report existed but they are not allowed access to it.
regards
Graeme Whorrall
0 -
Thanks a lot, I will try this and I let you know if it works
0 -
Hi Graeme,
This is a great approach as well and indeed doesn't require procedures which is always better to avoid.
However, visibility labels cannot be used in Masks, so that's why we don't use it.
Note that I recently figured out that the Procedure action -> "Exit Screen" doesn't work in the webclient (at least not till up to 10.3). Therefore the procedure I highlighted will not work. You will need instead to specify the screen you are pointing in the procedure instead of the use of the dataflow step with @screen before performing the "If then Else".
But yes, if you want to drive your navigation from the home page (and therefore don't need to store your procedures in a mask), your approach is definitely superior!
Thanks for sharing!
Cheers,
Jonathan
0 -
Thanks Jonathan,
don't tend to use mask for navigation much so always add the labels to the screen, but good to know not to use this on the mask in the future will be very useful.
Regards
Graeme
0