nexgen

Layout privilege restriction and accessing it via script

10 posts in this topic

I don't want certain layouts to be seen by certain users. However, some of the fields need to be modified in those layouts by certain scripts.

I tried but those users who don't have access to certain layouts (restricted from manage > security) can't trigger the scripts which access the fields from those layouts.

Hence, I have given access to those layouts but have hidden them from the layout menu. This still doesn't solve my problem since I am always worried that due to some mistake the user will have access to those layouts which they shouldn't see.

Isn't there any way to run the scripts and access the fields from those restricted layouts while at the same time they are restricted using the security?

 


Hi nexgen

By restricting access to layouts in Manage -> Security, it shouldn't affect your scripts' ability to modify the records in the associated table, unless of course you have also restricted access to the records.

You say they can't 'trigger' the scripts. How are they triggering them? If it is from a button on the restricted layout then of course they can't trigger them, but I assume that is not the case?

Also, you cannot copy/paste onto a layout to which they have no access, just in case you are doing that. 'Set Field' should work, so long as you are on a layout based on the correct table to which they do have access.

Your script should go to a layout to which they do have access based on the correct table, make the changes to the fields, and then switch back to the original layout (to which they do have access). That should work. Make sure you have set 'Allow User Abort' to 'Off' so they cannot interrupt the script and get access to data you don't want them to see.

Maybe post an example FileMaker file and we can see what the issue is if you can't resolve it?


The answer you got on community.filemaker.com was to use 'grant full access' to the script.  I don't think that is always a good idea (it's a sledgehammer approach to security).

Your scripts can use their own layouts where you can set fine-grained rights; they don't have to re-use the user layouts.

3 hours ago, rwoods said:

Hi nexgen

By restricting access to layouts in Manage -> Security, it shouldn't affect your scripts' ability to modify the records in the associated table, unless of course you have also restricted access to the records.

You say they can't 'trigger' the scripts. How are they triggering them? If it is from a button on the restricted layout then of course they can't trigger them, but I assume that is not the case?

Also, you cannot copy/paste onto a layout to which they have no access, just in case you are doing that. 'Set Field' should work, so long as you are on a layout based on the correct table to which they do have access.

Your script should go to a layout to which they do have access based on the correct table, make the changes to the fields, and then switch back to the original layout (to which they do have access). That should work. Make sure you have set 'Allow User Abort' to 'Off' so they cannot interrupt the script and get access to data you don't want them to see.

Maybe post an example FileMaker file and we can see what the issue is if you can't resolve it?

I have given access to all records in all tables. 

The script triggers are on the layout they have access to, but for performing some of its actions it needs to go to the restricted layout.

For example:

Go to layout: "Restricted Layout"

Request new record

etc...

Quote

Your script should go to a layout to which they do have access based on the correct table, make the changes to the fields, and then switch back to the original layout (to which they do have access).

That's exactly what I am trying to do. They have access to all records/tables but going to restricted layout won't work via script.

2 hours ago, Wim Decorte said:

The answer you got on community.filemaker.com was to use 'grant full access' to the script.  I don't think that is always a good idea (it's a sledgehammer approach to security).

Your scripts can use their own layouts where you can set fine-grained rights to, they don't have to re-use the user layouts.

Good suggestion. However, I think it will cause lots of clutter with lots of multiple layouts. I'll have to think about it.

14 minutes ago, nexgen said:

They have access to all records/tables

1 hour ago, nexgen said:

but for performing some of its actions it needs to go to the restricted layout.

If they have access to the field you want to modify, then it doesn't matter which layouts they have access to. You can perform any action from another layout of the same table (or even a layout of a related table), a layout which they can access. That layout could be empty. This is also what rwoods suggested earlier - I am not sure you understood his point.

The other question is why do you need to restrict their access to some layouts, while giving them unlimited access to the data. That seems strange and could indicate your overall strategy here is wrong.

 

 

 

20 hours ago, nexgen said:

Good suggestion. However, I think it will cause lots of clutter with lots of multiple layouts. I'll have to think about it.

 

Nothing wrong with multiple layouts so don't artificially limit yourself here.  You need the layouts you need.  Nothing more but also nothing less.  And the layouts you use for scripting can just be blank layouts so there is virtually no maintenance on them.

 

18 hours ago, comment said:

The other question is why do you need to restrict their access to some layouts, while giving them unlimited access to the data. That seems strange and could indicate your overall strategy here is wrong.

 

Absolutely agree.  Security should be implemented at the data level first.

1 person likes this
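The pattern suggested in the replies above (a blank, script-only layout on the right table, with the user's own privileges still deciding what the script may change), written out as FileMaker script steps. This is an added example, not part of any post in the thread; the layout name "Script_Orders", the table Orders and the field Orders::Status are assumed names.

```filemaker
# Added example. Assumed names: blank layout "Script_Orders" based on the
# Orders table and viewable by the user's privilege set; field Orders::Status.
# "Run script with full access privileges" is left OFF, so record and field
# access in the privilege set still decides whether the steps below succeed.
Allow User Abort [ Off ]
Set Error Capture [ On ]
Freeze Window
Go to Layout [ "Script_Orders" (Orders) ]
If [ Get ( LastError ) ≠ 0 ]
    # Layout not reachable for this privilege set: stop before touching data
    Exit Script [ Text Result: "layout error " & Get ( LastError ) ]
End If
New Record/Request
Set Variable [ $err ; Value: Get ( LastError ) ]
If [ $err = 0 ]
    Set Field [ Orders::Status ; "Pending" ]
    Set Variable [ $err ; Value: Get ( LastError ) ]
End If
Commit Records/Requests [ With dialog: Off ]
# Always return the user to the layout they started from
Go to Layout [ original layout ]
Exit Script [ Text Result: $err ]
```

Because the script layout is blank, a user who reaches it sees no fields; what they can read or edit is still governed by the privilege set's record and field settings, not by the layout.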


Please carefully note the advice you have been given about the distinction between the User Interface (layouts) and the data themselves. The script can access the data if starting from the right context as defined on the Graph. I agree with Wim's comment about Run script with full access privileges. Use that step with caution.

Steven


Even if I give full access to records, if I don't show them in layouts then is there any way the user will have access to those data?

I have full access to records for design simplicity. I know it's bad practice but it comes with the easiness in design.

6 minutes ago, nexgen said:

Even if I give full access to records, if I don't show them in layouts then is there any way the user will have access to those data?

 You want to give full access to the records but not give full access at the same time?  There seems to be a contradiction in your question?

Don't rely on the UI to enforce your security, it really is as simple as that.

1 hour ago, nexgen said:

Even if I give full access to records, if I don't show them in layouts then is there any way the user will have access to those data?

The answer is yes.
