Jump to content
View in the app

A better way to browse. Learn more.
FMForums.com

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Layout privilege restriction and accessing it via script

nexgen
in Security Concepts

Featured Replies

I don't want certain layouts to be seen by certain users. However, some of the fields needs to be modified in those layouts by certain scripts.

I tried but those users who don't have access to certain layouts (restricted from manage > security) can't trigger the scripts which access the fields from those layouts.

Hence, I have given access to those layouts but have hidden them from layout menu. This still don't solve my problem since I am always worried that due to some mistake the user will have access to those layouts which they shouldn't see.

Isn't there anyway to run the scripts and access the fields from those restricted layout while at the same time they are restricted using the security?

 

Hi nexgen

By restricting access to layouts in Manage -> Security, it shouldn't affect your scripts' ability to modify the records in the associated table, unless of course you have also restricted access to the records.

You say they can't 'trigger' the scripts. How are they triggering them? If it is from a button on the restricted layout then of course they can't trigger them, but I assume that is not the case?

Also, you cannot copy/paste onto a layout to which they have no access, just in case you are doing that. 'Set Field' should work, so long as you are on a layout based on the correct table to which they do have access.

Your script should go to a layout to which they do have access based on the correct table, makes the changes to the fields, and then switch back to the original layout (to which they do have access). That should work. Make sure you have set 'Allow User Abort' to 'Off' so they cannot interrupt the script and get access to data you don't want them to see.

Maybe post an example FileMaker file and we can see what the issue is if you can't resolve it?

The answer you got on community.filemaker.com was to use 'grant full access' to the script.  I don't think that is always a good idea (it's a sledgehammer approach to security).

Your scripts can use their own layouts where you can set fine-grained rights to, they don't have to re-use the user layouts.

  • Author
3 hours ago, rwoods said:

Hi nexgen

By restricting access to layouts in Manage -> Security, it shouldn't affect your scripts' ability to modify the records in the associated table, unless of course you have also restricted access to the records.

You say they can't 'trigger' the scripts. How are they triggering them? If it is from a button on the restricted layout then of course they can't trigger them, but I assume that is not the case?

Also, you cannot copy/paste onto a layout to which they have no access, just in case you are doing that. 'Set Field' should work, so long as you are on a layout based on the correct table to which they do have access.

Your script should go to a layout to which they do have access based on the correct table, makes the changes to the fields, and then switch back to the original layout (to which they do have access). That should work. Make sure you have set 'Allow User Abort' to 'Off' so they cannot interrupt the script and get access to data you don't want them to see.

Maybe post an example FileMaker file and we can see what the issue is if you can't resolve it?

I have given access to all records in all tables. 

The script trigger are on the layout they have access to but for performing some of it's action it needs to goto restricted layout.

For example:

Go to layout: "Restricted Layout"

Request new record

etc...

Quote

Your script should go to a layout to which they do have access based on the correct table, makes the changes to the fields, and then switch back to the original layout (to which they do have access). 

That's exactly what I am trying to do. They have access to all records/tables but going to restricted layout won't work via script.

2 hours ago, Wim Decorte said:

The answer you got on community.filemaker.com was to use 'grant full access' to the script.  I don't think that is always a good idea (it's a sledgehammer approach to security).

Your scripts can use their own layouts where you can set fine-grained rights to, they don't have to re-use the user layouts.

Good suggestion. However, I think it will cause lots of clutter with lots of multiple layouts. I'll have to think about it.

14 minutes ago, nexgen said:

They have access to all records/tables

1 hour ago, nexgen said:

but for performing some of it's action it needs to goto restricted layout.

If they have access to the field you want to modify, then it doesn't matter which layouts they have access to. You can perform any action from another layout of the same table (or even a layout of a related table), a layout which they can access. That layout could be empty. This is also what rwoods suggested earlier - I am not sure you understood his point.

The other question is why do you need to restrict their access to some layouts, while giving them unlimited access to the data. That seems strange and could indicate your overall strategy here is wrong.

 

 

 

20 hours ago, nexgen said:

Good suggestion. However, I think it will cause lots of clutter with lots of multiple layouts. I'll have to think about it.

 

Nothing wrong with multiple layouts so don't artificially limit yourself here.  You need the layouts you need.  Nothing more but also nothing less.  And the layouts you use for scripting can just be blank layouts so there is virtually no maintenance on them.

 

18 hours ago, comment said:

The other question is why do you need to restrict their access to some layouts, while giving them unlimited access to the data. That seems strange and could indicate your overall strategy here is wrong.

 

Absolutely agree.  Security should be implemented at the data level first.

    • Like 1

    Please carefully note the advise you have been given about the distinction between the User Interface (layouts) and the data themselves.  The script can access the data if starting from the right context as defined on the Graph.  I agree with Wim's comment about Run script with full access privileges.  Use that step with caution.

    Steven

    • Author

    Even if I give full access to records, if I don't show them in layouts then is there anyway the user will have access to those data?

    I have full access to records for design simplicity. I know its bad practice but it comes with the easiness in design.

    6 minutes ago, nexgen said:

    Even if I give full access to records, if I don't show them in layouts then is there anyway the user will have access to those data?

     You want to give full access to the records but not give full access at the same time?  There seems to be a contradiction in your question?

    Don't rely on the UI to enforce your security, it really is as simple as that.

    1 hour ago, nexgen said:

    Even if I give full access to records, if I don't show them in layouts then is there anyway the user will have access to those data?

    The answer is yes.

    Create an account or sign in to comment

    https://fmforums.com/topic/101089-layout-privilege-restriction-and-accessing-it-via-script/
    Go to topic listing

    Important Information

    By using this site, you agree to our Terms of Use.

    I accept

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.