Focal Point
Focexec/Master Security Question

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/7897010476

December 22, 2014, 03:01 PM
MMcDonald
Hello,
We are locking our masters at the folder level based on subject area. For example, we may have master folders that are named Sales, Billing, Shipments and Invoicing. What we would like to do is, when a user runs a Focexec, determine that the user has access to all the masters in the Focexec. In other words, is there a way to check user folder access for all masters at the time a Focexec is executed?
I know I can add code at the beginning of the Focexec, something like:
TABLE FILE BILLING
PRINT *
IF RECORDLIMIT EQ 1;
END
-IF &LINES EQ 0 GOTO NO_ACCESS_MESSAGE;
-RUN
TABLE FILE SHIPMENTS
PRINT *
IF RECORDLIMIT EQ 1;
END
-IF &LINES EQ 0 GOTO NO_ACCESS_MESSAGE;

This approach will take a very long time to complete since we have 4000 Focexecs. Does anyone know how to achieve this dynamically at runtime... possibly using the same -INCLUDE for all Focexecs?
Thanks for your help


8.0.9, Windows
excel / pdf
December 23, 2014, 09:20 AM
Rob Bowen
You could probably query SYSTABLE to do this quickly in one step.

TABLE FILE SYSTABLE
PRINT NAME
WHERE NAME EQ 'billing' OR 'shipments'
END
-RUN
-IF &LINES NE 2 THEN GOTO NO_ACCESS_MESSAGE;


WebFOCUS 8.1.04; SQL Server 2012; Windows 7; Windows Server 2012 R2;
December 31, 2014, 03:59 PM
MMcDonald
Hi Rob
Thanks for your response.
When I run your code, that just displays the focexec name... I am looking for the folder names on the app server. I need to see if the user's role has access to the folders that contain the masters that the focexec is executing against. Do you know if there is a system table for that? Thanks


8.0.9, Windows
excel / pdf
January 04, 2015, 07:18 AM
Danny-SRL
I don't quite get what you mean by "We are locking our masters at the folder level".
What are "folders"? Are they apps? Are they folders with an app?


Daniel
In Focus since 1982
wf 8.202M/Win10/IIS/SSA - WrapApp Front End for WF

January 05, 2015, 09:25 AM
MMcDonald
Hi Daniel,
On the app server we currently have folders that are named by the source system, for example SQL, SAP, B, etc. What we plan to do is change the folder names to subject area names such as "Sales, Credit, Finance", etc., and put the appropriate master in each new folder. I want to be able to include code at the beginning of every focexec that checks to see if the user has access to the masters in the focexec that reside in one of the subject area app folders. For example, if a user runs a focexec that has masters in both sales and billing subject area folders, at the top of the focexec I add code that runs a table file request for the billing and sales masters with a print * for one record. If the result returns zero records for one of the masters, then I know the user does not have access to that subject area folder on the app server and the focexec sends a message to the user saying contact the webfocus team for access. Some of our focexecs have masters in multiple subject areas ("cross functional"), and if the focexec has 15 masters and runs for 4 hours we want to make sure the user has access at the start of the focexec prior to running for hours and then failing on the one master they do not have access for. We are using active directory to validate the user's access. I am trying to find the best way to authenticate the user with minimal maintenance. Does this make sense now? Thanks for your help.


8.0.9, Windows
excel / pdf
January 06, 2015, 04:41 AM
Alan B
I think this is an 'It depends' question.

As a starting point I would use _site_profile and XRETRIEVAL=OFF to run the called focexec. This would error if an MFD was not found, without retrieving any records. However if the code relies on &LINES being > 0 at any point, then this compromises this approach.


Alan.
WF 7.705/8.007
January 06, 2015, 09:14 AM
MMcDonald
Hi Alan,
So adding "SET XRETRIEVAL=OFF" at the top of each focexec will check the entire focexec prior to running to see if the master exists before running the focexec? So if the user does not have access to the subject area folder on the app server that contains a master within the focexec they are executing, it should fail immediately? If this is the case, this would work for us. Thanks


8.0.9, Windows
excel / pdf
January 06, 2015, 10:25 AM
Alan B
XRETRIEVAL=OFF will run the focexec, and submit TABLE requests, but retrieve no records. Basically it allows a syntax check.


Alan.
WF 7.705/8.007
January 06, 2015, 12:10 PM
MMcDonald
Thanks Alan,
I also added this at the bottom of the focexec...seems to be exactly what we are looking for.

-IF &FOCERRNUM NE 0 THEN :ERR;
-RUN
-:ERR
-HTMLFORM BEGIN
<script>
var alertval = 'ERROR: You do not have access to a Subject Area. Please enter a HelpDesk ticket for the WebFocus Team.';
alert(alertval);
</script>
-HTMLFORM END
-RUN
-EXIT


8.0.9, Windows
excel / pdf
January 06, 2015, 02:32 PM
j.gross
quote:
Originally posted by MMcDonald:
...
This approach will take a very long time to complete since we have 4000 Focexecs. Does anyone know how to achieve this dynamically at runtime... possibly using the same -INCLUDE for all Focexecs?



I think your best solution lies in creating a data source that lists all the synonyms required by each of your ~4000 focexecs.

Then a common routine to verify accessibility of the synonyms (given the focexec name) can be constructed, and a reference inserted at the top of each focexec.

If you need more help with the details, give a shout.


- Jack Gross
WF through 8.1.05
January 07, 2015, 08:20 AM
MMcDonald
Hi Jack
If you would be so kind to give me a small example I would appreciate it. Thanks


8.0.9, Windows
excel / pdf
January 07, 2015, 01:44 PM
j.gross
The called routine might look like this:
-* common/checkmfds.fex
-DEFAULTH &Fex='[unspecified]';
  TABLEF FILE common/fex_mfd_list
  PRINT
    FEX AS _FEX
    MFD AS _SYNONYM
  WHERE FEX EQ '&Fex';
  ON TABLE HOLD AS HOLDMFDLIST
  END
-RUN
-SET &n=0+&LINES;
-* check whether the fex is registered...
-IF &n EQ 0 THEN GOTO chk.ERR1;

-* check accessibility of each synonym the fex may require...
-REPEAT chk.LOOP &n TIMES ;
-READFILE HOLDMFDLIST
-? &_
CHECK FILE &_SYNONYM
-RUN
-IF &RECORDS EQ 0 THEN GOTO chk.ERR2 ;
-chk.LOOP
-* all is well
-GOTO chk.DONE

-chk.ERR1
-HTMLFORM BEGIN
<script>
alert( '[unknown program "&Fex"]' );
</script>
-HTMLFORM END
-EXIT

-chk.ERR2
-HTMLFORM BEGIN
<script>
alert( '[ data source "&_SYNONYM", required by program "&_FEX", is inaccessible]' );
</script>
-HTMLFORM END
-EXIT

-chk.DONE


NOTE: This is untested code.

The references to amper variables in the -HTMLFORM blocks may need to be recoded using !IBI notation.

After execution of CHECK FILE, &LINES and &RECORDS reflect the number of columns and segments declared in the MFD, and are set to zero if the MFD file cannot be opened and successfully parsed.

Note that, per your requirement, this only verifies that the MFD file is in an accessible APP folder -- not that the user can successfully access the underlying data.


The preface code to be inserted at top of the report fex files would be:
-SET &Fex='whatever';
-MRNOEDIT -INCLUDE common/checkmfds.fex

(omit "-MRNOEDIT" if the focexec file into which these lines are inserted is stored on the server)

Of course you need to define your fex_mfd_list table, and create and load it appropriately. In doing so, the MFD list for a "main" routine should cover its direct and indirect needs (i.e., synonyms it references, and any others referenced in any files it -INCLUDEs).



- Jack Gross
WF through 8.1.05
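
One way to generate the rows for the fex_mfd_list table described in the post above, covering each focexec's direct needs and those of the files it -INCLUDEs. This is an added example, not code from the thread: the function names, the regular expressions (which only recognise TABLE/TABLEF/GRAPH/MATCH FILE requests) and the sample focexecs are assumptions constructed for illustration.

```python
import re

FILE_REF = re.compile(r"^\s*(?:TABLEF?|GRAPH|MATCH)\s+FILE\s+(\S+)", re.I)
INCLUDE = re.compile(r"^\s*(?:-MRNOEDIT\s+)?-INCLUDE\s+(\S+)", re.I)
HOLD_AS = re.compile(r"\bHOLD\s+AS\s+(\w+)", re.I)

def fex_key(name):  # 'common/GetDates.fex' -> 'GETDATES', so -INCLUDE names match
    return re.sub(r"\.fex$", "", name.rsplit("/", 1)[-1], flags=re.I).upper()

def scan(text):
    """Return (synonyms, includes, dynamic refs) that one focexec uses directly."""
    syn, inc, dyn, holds = set(), set(), set(), set()
    for line in text.splitlines():
        if line.lstrip().startswith("-*"):      # Dialogue Manager comment line
            continue
        holds.update(h.upper() for h in HOLD_AS.findall(line))
        m = FILE_REF.match(line)
        if m:                                   # &variables cannot be resolved statically
            (dyn if "&" in m.group(1) else syn).add(m.group(1).upper())
        m = INCLUDE.match(line)
        if m:
            inc.add(fex_key(m.group(1)))
    return syn - holds, inc, dyn                # HOLD files are not synonyms to verify

def build_rows(sources):
    """Return ((FEX, MFD) rows, warnings) covering direct and indirect needs."""
    direct = {fex_key(k): scan(v) for k, v in sources.items()}
    rows, warnings = [], []
    for fex in sorted(direct):
        seen, stack, needed = {fex}, [fex], set()
        while stack:                            # follow -INCLUDE chains; 'seen' stops cycles
            cur = stack.pop()
            if cur not in direct:
                warnings.append((fex, "include not found", cur))
                continue
            syn, inc, dyn = direct[cur]
            needed |= syn
            warnings += [(fex, "dynamic synonym", d) for d in sorted(dyn)]
            stack.extend(inc - seen)
            seen |= inc
        rows += [(fex, s) for s in sorted(needed)]
    return rows, warnings

SOURCES = {  # constructed sample focexecs, not taken from the thread
    "sales_billing.fex": "-INCLUDE common/getdates\nTABLE FILE sales/SALES\nON TABLE HOLD AS H1\n"
                         "END\nTABLE FILE H1\nEND\nTABLE FILE billing/BILLING\nEND\n",
    "common/getdates.fex": "-* shared dates\nTABLE FILE finance/CALENDAR\nEND\n"
                           "TABLE FILE &SRC\nEND\n-INCLUDE sales_billing\n-INCLUDE gone\n",
}
ROWS, WARNINGS = build_rows(SOURCES)
```

The warnings list is the part to review by hand: a synonym named through an amper variable, or an include the scan could not find, means the generated list may understate what the focexec needs.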
January 08, 2015, 02:28 PM
MMcDonald
Thanks Jack for taking the time to share your thoughts/code. I think our team will review this as a viable option.
Thanks again
Matt


8.0.9, Windows
excel / pdf