Puzzled on user rights to access parts of the program.

[1FilemakerMan]

  I have been been trying to get this menu program to work properly for several days now.  Simply put, when you click on this area of the menu it is supposed to only let people go to see it that either have "Full Access", or belong to the "cienew_subpoena_rw" group on our network server.  I am confused on how to simply allow this to happen.  The "Full Access" area was already on here and we are just trying to add a new group, to a new part of the program, called the Subpoena area.

On our network server there is a group called "cienew_subpoena_rw".  we want them to be able to continue on into the database area.

What am I/we doing wrong??? 

And I just edited the custom dialog so I can see which area is popping up.

 

So here is the data.  Below this picture is what the button data looks like.  When a user who SHOULD NOT have access to the database gets right in there. It basically doesn't keep anyone from getting into the database.   

Please help!

 

[comment]

16 hours ago, 1FilemakerMan said:

It basically doesn't keep anyone from getting into the database.   

That's not completely accurate. 

Your first condition is true for anyone who does NOT have Full Access privileges. This group will be shown the "error1" custom dialog. After that, the script will continue unhindered to:

Show All Records
Go to Layout [ ... ]

part.

Users who DO have Full Access privileges, but do NOT belong to the "cienew_subpoena_rw" group will be shown the "error2" custom dialog. After that, the script will exit - so this is the only group that will be "denied access".

 

IMPORTANT:
I put  "denied access" in quotes, because trying to deny access by script is not truly denying anything. You need to make sure that access is denied in the users' privilege set. A script can be used for "cosmetic" purposes, but it's not truly a security measure.

 

Edited April 11, 2019 by comment

[1FilemakerMan]

^^ Thanks for your input.  We are running this on a macintosh network, and we added users on our mac server to a group called, CIENEW_Subpoena_RW, and we want those people to have obviously read and write access to the Subpoena form area. 

Basically this data goes on a button where you go to enter data, and we only want people that belong to the group CIENEW_Subpoena_RW, and administrators to have access to it.  Maybe there is a completely different better way?

Edited April 11, 2019 by 1FilemakerMan

[comment]

1 hour ago, 1FilemakerMan said:

this data goes on a button where you go to enter data

I am not sure what you mean by that. As I said, if you want to prevent some users from doing something, the right way is to deny them access in their privilege set:
https://fmhelp.filemaker.com/help/17/fmp/en/index.html#page/FMP_Help%2Fcreating-editing-privilege-sets.html%23

 

 

 

 

Edited April 11, 2019 by comment

[Fitch]

As Michael said, your script logic isn't doing what you think it should do. I'll add that it doesn't make sense to have two separate error messages -- anyone who's not either "full" or "subpoena" fails BOTH tests, so which error message should they get? You might change it to something like:
 

If[ Get ( CurrentPrivilegeSetName ) = "[Full Access]" or Get ( AccountGroupName ) = "CIENEW_Subpoena_RW"
	// authorized
Else
	Show dialog
	Exit
End If

// proceed
Etc.

 

Note that it's often easier to understand when you frame your logic as a positive (equal) rather than a negative (not equal).

I'll second what Michael pointed out about security -- if it really needs to be secure, it should be set up in the Security dialog.

Lastly: instead of, or in addition to, your script -- you might consider simply hiding your button when the user is not authorized.

[1FilemakerMan]

I ended up creating a new button all together and then just had the user rights put on that.  It is working fine now.  

 

Now I have to figure out how to copy everything from my test database, to the real database.  I need to copy, or re-write this stuff onto the actual live database.   Can I just export databases, value scripts, and tables on to the new database?  I might create a new question on this one.  Thanks again for all of you help guys!