Restricting Records by Password

[Chirriras]

Help! I'm stuck on something. I have a database for interviewers to log the status of on surveys they are conducting. Each interviewer has an ID number and a password. When I go into define password and click "Limited" for browse records, the calculation box opens.

What is it wanting? I want each interviewer to see only the interviews assigned to them, not any assigned to other interviewers. What calculation does it want from me?

Thanks.

[Vaughan]

Limiting access through passwords is much harder in FMP 6 and earlier than in FMP 7. Stronger and more flexible security features were introduced into FMP 7.

In either case, each record needs a field that contains some unique identifier for the user who created it. The calculation you require to limit record access needs to be something along the lines of "record create user ID = current user ID".

There is a bit more to it than this though: you'll need to allow for some kind of administrator access, otherwise you'll find that nobody will be able to access the records. So the calculation may need to look more like "(record create user ID = current user ID) or (current user = administrator)".

This is where FMP 6 gets tricky: you can only determine which Group a password belongs to, you cannot identify users by password or some other ID. (FMP 6 does not have userids, just passwords; whereas FMP 7 has real user-ids.) So for each user you'll need to define a password, then give them a unique group. It'll be the group name that you'll be entering in the record and using to limit access.

FMP 7 has real user IDs, so it's much more flexible, more secure and much less work to initially biuld and later maintain.

[Chirriras]

Let me try to clarify what you said. First, forget 7, I'm not using it yet. This database is also web based, and I don't know XML, I've barely struggled through CDML, so I have to use 6 for now. You've dealt with me before - so you know you have to spell everything out for me completely! Your explanation, going back and forth between 6 and 7 is confusing for my poor little brain.

I have set up a database for interviewers and another for assignments (interviews). In each database I have created a unique field for a password (same passwords used in both). I have also created a group based on each password, and now want to restrict the interviewers to seeing only their own assignments.

I create the new records and assign the interviews, and do so using an administrative password and group established only for me to use. It gives me control of everything.

For the sake of simplification, let's say I have an interviewer named John Doe. John's password is jd9999, and the group assigned to him is JD. I have given him rights to browse, edit, print and export records. Now I want to restrict the records he can access to only his interviews.

In "Define Passwords" I click on the box next to "Browse" and change "All" to "Limited". Now comes that challenging little calculation box. I tried typing in Password="jd9999", but no go. I can't use (record create user ID = current user ID) because I created the record, not John. If I use (current user= "") what do I use, the password (jd9999) or his name (John Doe), or is there something else I should do instead?

[Vaughan]

Urrrgh, wished you'd mentioned you were accessing the databases through the web in your first post: tyhat changes things dramatically.

It's NOT a good idea keeping passwords in fields under any circumstances. That's putting the door key under the mat: it's no security at all. It's much safer instead to embed the userid, just make sure that each userid is unique.

You need to use FMP's built-in security features, not try to build your own; otherwise you're just painting lines on the pavement and expecting people not to cross them.

Learn how to set up and use the Web Security databases if you are using CWP. From memory you might be able to use these to restrict record access with very little work.

I also think there is an article on this on the TechInfo database, in the FMI web site.

Just to recap: set up the Web Security dbs, give each user a unique username and a password. Restrict access to guests, force all users to log-in. (If they don't authenticate, how do you know who they are.) Don't try to make your own log-in system, use the Web Security dbs it's really secure.

Each record needs to have the userid of the person who created it. There is a CDML tag that'll pull this out for you, I forget what it is at the moment. [FMP-ClientUserId] or something similar.

The trick is that from the site's main page, you force users to perform a search for all the records that match their userid.