Hello Everyone,

I was curious what other people have done to enforce report level security at report run time when not using MREs in browser based applications.
Our current thought is to create database tables that will associate a fex name with a set of users and query this table when a fex is run to enforce security.
We are planning to emmbed the IBI app into our owns so I know in the running fex we will have access to the user as well as the name of the fex that is being executed and I have seen examples of returning HTML forms which should allow us to handle the various scenarios.
But I am curious if there are ways I have overlooked\not thought of.

Thanks,
Manish

This message has been edited. Last edited by: Kerry,

if your entire set up is backend only (from apps, not mre), then let your entire system be accessed via a single main menu page
each item on the page is a link to an overall launch page (submenu) for a given app directory
you choose to reveal an item in the main menu based on a user's access...via a one-time lookup to that table you mentioned setting up.
that works.
Use comments, one for each app, turn them all off initially, then read the security file for the user, and set the comments open for whatever access that user has.
-SET &cmt_app1 = '-*';
-SET &cmt_app2 = '-*';
...etc
...then read your security table, discover that user has access only to app number 9, say,
-SET &cmt_app9 = ' ';
... now your entire menu page is commented.
&cmt_app1.EVAL ...whatever code reveals that app
&cmt_app2.EVAL
&cmt_.... you get the idea

i apparently have nothing to do at work today

This is great for showing what links are active to a user!

What about in the case when a user no longer has access to that fex but may have it bookmarked?

Or if somehow someone started to access a fex via HTTP that they should not (ie. that may not necessarily be a report but part of a report).

Also, I was wondering if MREs has the ability to “introspect” a HTML composer page and create the appropriate security constraints? What we want to know is if we have to manage a HTML page and its fex(es) as separate entities or are they treated as a unit. This would avoid situations were a user can access a html page but not the fex that is being called.

If you want to do this without the security mechanisms provided by MRE you have to build it yourself. I have worked with 2 clients, one a utility the other a university, who did this by creating a table to record what reports a user had access to. Based on the user id only the reports that a user had access to would display on a report listing. All reports also were secured internally by including a a call to determine if the user had approved access.