Screen Security

Hello Board,

I wanted to know how to define the security of some screens located in a single capsule, so that not every users can access that screen. 

For example:

I have the screen "Purchase" and the screen  "Sells" and also two users: "Purchase users" and "Sells users".

I want that  the Purchase users can only access the Purchase's screen and that the Sells users can only access the Sells' screen. Is there a way to do it?

Regards,

Francesco

Answers

  • Andrea Florio
    Andrea Florio Active Partner
    Third Anniversary 10 Comments 5 Up Votes 5 Likes

    hi Jonathan Baetens and Francesco Defacendis,

    i don't understand how Board can recognise entity User like the real user and entity screen like the real screen.

    Thank you

    Andrea

  • Unknown
    Unknown Active Partner

    Hi Andrea,

     

    You can use the approach as explained in Use of @user / @username to segregate data 
    The same could be done with a cube comparing screen name with "@screen" (if(Entity(screen)=@screen;1;0) in combination with a "select entity based on cube" or you would just hard code the selection on entity Screen for each screen.

     

    All the best,
    Jonathan

     


     

  • Dietmar Jeschkeit
    Dietmar Jeschkeit Active Partner
    Fourth Anniversary 100 Comments 25 Up Votes 25 Likes

    Hi Francesco,

     

    Maybe you also have a look at this Capsule User profile

     

    best regards

    Dietmar

  • Hi Jonathan, sorry to bother you again but I wanted to know how to create the cube "screen,users"  because i think i'm not doing it in the right way, and also where do I put the two condition (ex. if(Entity(Screen)=@Screen;1;0)  ) in the database security and how.

    Thanks a lot,

    Francesco

  • Unknown
    Unknown Active Partner
    edited March 2020

    Hi Francesco,


    In my suggestion, I am not using the database security in System->Security for the screens. I am managing the screen security immediately inside the capsule itself. 

     

    This is an example of a potential procedure. Note that this example only works if you have already selected 1 single user in entity users (I again refer toUse of @user / @username to segregate data on how to do that):

    image
    Here is the dataflow I was talking about (step 3 in my procedure). This will only work in case your entity "screens" has the exact names of the screens you have created inside your capsule:

    image

    The User dimension you will need to create immediately inside your db->entities, (or you import them):
    image

     

    The Screen dimension you will also need to create immediately inside your db->entities. Here it is very important that the names are exactly the same as the names you define when creating your screen. If you ever change the screen name, this entity needs to be updated as well (but at least thanks to the @Screen approach in your procedures, you won't have to update your procedures).
    image

     

    I hope this clarifies your question.

     

    All the best,
    Jonathan

  • Andrea Florio
    Andrea Florio Active Partner
    Third Anniversary 10 Comments 5 Up Votes 5 Likes

    HI Jonathan Baetens, in step 3 of the data flow  my cube is not been filled. My cube has two dimensions: screen and users. 

    I tried to fill the cube with data entry, disabiliting step 3 on the procedure and however the procedure failed. 

    I think the procedure is completly like yours.

    Regards

    Andrea

  • Unknown
    Unknown Active Partner
    edited March 2020

    Hi Andrea,


    Maybe two points of attention:

    • Make sure that you are looking at the correct data in your datablock b (in my example I need to compare my screen name (@Screen) with the description of my entity Screen)image
    • Don't use high-performance mode. I have encountered in the past problems with substitution formulas like "@screen" and "@user" using high-performance mode in dataflows. So I disable that by default.
      image

     

    Let me know if this helps.

    All the best,
    Jonathan

  • Andrea Florio
    Andrea Florio Active Partner
    Third Anniversary 10 Comments 5 Up Votes 5 Likes

    Hi Jonathan Baetens

    i have same problems

    Regards

  • Unknown
    Unknown Active Partner

    Hi Andrea,

     

    I am not sure what to say at this point.  You are running the procedure triggered from a label and with one single user selected? Which BOARD version are you using? I am sure it's a minor thing.

     

    If nothing helps, can you replicate it in a small test capsule/db without proprietary data?
    You can send it to jbaetens@toolsgroup.com and I can have a quick look.

     

    Cheers,
    Jonathan

  • Graeme Whorrall
    Graeme Whorrall Active Partner
    Fourth Anniversary 10 Comments Board Developer Level 200: Building A Planning Solution in Board
    edited March 2020

    Hi Francesco,

     

       Have done something similar at a client and think this way works a little better without need for procedure to run to decide access.

     

    Is still a matrix I did it on user group but could be done per user and then just two labels one which has a layout on it to decide if it is visible and allows users to navigate through it.

     

    Create a User Group and then create a cube per screen (could use entity for screen names but chose not to in my case)

     

     image

    In this case I will have groups in the database and use the simple select rathe then @user = User this makes security easier as you define by group, but you could also do it by user.

    Then in the layout for the navigation in Board I created two labels as below the first gives access and appears only if the value is not 0.

     imageimage

     

     

    The P&L trend sits on top of the P&L Trend (Access denied).

     

    Now in the P&L Trend we have the following Layout:-

     image

     

     image

    image

    image

    image

    As above you can see the layout is selected to the access restriction I want to apply the user will be tied to group by the group they are in.

     

    The label is only visible if the amount is not 0 and thus if it is not ticked for access the user will see “P&L Trend (Access Denied)” and I used the show value on the label rather then typing it into the label and on the label for access just added the go to screen:-

     image

     

    This is better in my opinion as users can see straight away where they cannot go and also clicking it doesn’t require a Procedure run if they have access denied they do not even have the ability to click it just appears as label.

     

    I deliberately wanted to show the access denied as I wanted the users too know the report existed but they are not allowed access to it.

     

    regards

     

    Graeme Whorrall

  • Thanks a lot, I will try this and I let you know if it works

  • Unknown
    Unknown Active Partner

    Hi Graeme,

     

    This is a great approach as well and indeed doesn't require procedures which is always better to avoid.
    However, visibility labels cannot be used in Masks, so that's why we don't use it.

    Note that I recently figured out that the Procedure action -> "Exit Screen" doesn't work in the webclient (at least not till up to 10.3). Therefore the procedure I highlighted will not work. You will need instead to specify the screen you are pointing in the procedure instead of the use of the dataflow step with @screen before performing the "If then Else".

     

    But yes, if you want to drive your navigation from the home page (and therefore don't need to store your procedures in a mask), your approach is definitely superior!

    Thanks for sharing!

    Cheers,
    Jonathan

  • Graeme Whorrall
    Graeme Whorrall Active Partner
    Fourth Anniversary 10 Comments Board Developer Level 200: Building A Planning Solution in Board

    Thanks Jonathan,

     

    don't tend to use mask for navigation much so always add the labels to the screen, but good to know not to use this on the mask in the future will be very useful.

     

    Regards

     

    Graeme