As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

[CLOSED] Report level security without MRE
Member
posted
Hello Everyone,

I was curious what other people have done to enforce report level security at report run time when not using MREs in browser based applications.
Our current thought is to create database tables that will associate a fex name with a set of users and query this table when a fex is run to enforce security.
We are planning to embed the IBI app into our own, so I know that in the running fex we will have access to the user as well as the name of the fex that is being executed, and I have seen examples of returning HTML forms, which should allow us to handle the various scenarios.
But I am curious if there are ways I have overlooked/not thought of.

Thanks,
Manish

This message has been edited. Last edited by: Kerry,


WebFOCUS 7.6
Windows, All Outputs
 
Posts: 16 | Registered: September 12, 2012
Expert
posted
if your entire set up is backend only (from apps, not mre), then let your entire system be accessed via a single main menu page
each item on the page is a link to an overall launch page (submenu) for a given app directory
you choose to reveal an item in the main menu based on a user's access...via a one-time lookup to that table you mentioned setting up.
that works.
Use comments, one for each app, turn them all off initially, then read the security file for the user, and set the comments open for whatever access that user has.
-SET &cmt_app1 = '-*';
-SET &cmt_app2 = '-*';
...etc
...then read your security table, discover that user has access only to app number 9, say,
-SET &cmt_app9 = ' ';
... now your entire menu page is commented.
&cmt_app1.EVAL ...whatever code reveals that app
&cmt_app2.EVAL
&cmt_.... you get the idea

i apparently have nothing to do at work today




In Focus since 1979///7706m/5 ;wintel 2008/64;OAM security; Oracle db, ///MRE/BID
 
Posts: 3811 | Location: Manhattan | Registered: October 28, 2003
Member
posted
This is great for showing what links are active to a user!

What about in the case when a user no longer has access to that fex but may have it bookmarked?

Or if somehow someone started to access a fex via HTTP that they should not (i.e. one that may not necessarily be a report but part of a report).

Also, I was wondering if MRE has the ability to “introspect” an HTML composer page and create the appropriate security constraints? What we want to know is if we have to manage an HTML page and its fex(es) as separate entities or are they treated as a unit. This would avoid situations where a user can access an HTML page but not the fex that is being called.


WebFOCUS 7.6
Windows, All Outputs
 
Posts: 16 | Registered: September 12, 2012
Platinum Member
posted
If you want to do this without the security mechanisms provided by MRE, you have to build it yourself. I have worked with 2 clients, one a utility, the other a university, who did this by creating a table to record what reports a user had access to. Based on the user id, only the reports that a user had access to would display on a report listing. All reports were also secured internally by including a call to determine if the user had approved access.


WF 7.7.04, WF 8.0.7, Win7, Win8, Linux, UNIX, Excel, PDF
 
Posts: 175 | Location: Pomona, NY | Registered: August 06, 2003
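
The approach described in this thread (one access table used both to build the report listing and by a check inside every report), as an added example that is not from any poster or from WebFOCUS. It is written in Python with SQLite rather than Dialogue Manager, and the table name report_acl, the function names and the sample users and fex names are assumptions.

```python
import sqlite3

# Constructed sample grants (user_id, fex_name). "sales_detail" is a sub-procedure
# called by sales_summary; no user is granted it directly.
SAMPLE_GRANTS = [("manish", "sales_summary"), ("kerry", "sales_summary"),
                 ("kerry", "hr_headcount")]

def build_acl(rows):
    """Create the access table: one row per (user, fex) grant."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE report_acl (user_id TEXT NOT NULL, "
               "fex_name TEXT NOT NULL, PRIMARY KEY (user_id, fex_name))")
    db.executemany("INSERT INTO report_acl VALUES (?, ?)",
                   [(u.lower(), f.lower()) for u, f in rows])
    return db

def normalize_fex(name):
    """Reduce a requested name to a bare lower-case fex name; None if malformed."""
    name = name.strip().lower()
    if name.endswith(".fex"):
        name = name[:-4]
    ok = name and all(c.isalnum() or c == "_" for c in name)
    return name if ok else None

def menu_for(db, user_id):
    """Listing filter: decides which links are shown, nothing more."""
    cur = db.execute("SELECT fex_name FROM report_acl WHERE user_id = ? "
                     "ORDER BY fex_name", (user_id.lower(),))
    return [row[0] for row in cur]

def may_run(db, user_id, requested_fex):
    """Run-time check made by every report: deny unless a grant row exists."""
    fex = normalize_fex(requested_fex)
    if fex is None or not user_id:
        return False
    row = db.execute("SELECT 1 FROM report_acl WHERE user_id = ? AND fex_name = ?",
                     (user_id.lower(), fex)).fetchone()
    return row is not None

def revoke(db, user_id, fex_name):
    """Remove a grant; later requests fail even if the link was bookmarked."""
    db.execute("DELETE FROM report_acl WHERE user_id = ? AND fex_name = ?",
               (user_id.lower(), fex_name.lower()))

if __name__ == "__main__":
    db = build_acl(SAMPLE_GRANTS)
    print(menu_for(db, "manish"), may_run(db, "manish", "sales_summary"))
    revoke(db, "manish", "sales_summary")
    print(may_run(db, "manish", "sales_summary"))   # bookmarked link, grant removed
    print(may_run(db, "kerry", "sales_detail"))     # direct call to a sub-procedure
```

The listing and the run-time check read the same table, so a revoked grant removes the link and blocks a bookmarked request in one step.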
Copyright © 1996-2020 Information Builders