
How to Create Separate Serial IDs for Records in Multi-User DB?


This topic is 3192 days old. Please don't post here. Open a new topic instead.


Hello FileMaker Community!

I hope this is the right forum to ask this...

I have an old FileMaker DB that allowed doctors to create new charges. Each charge had a unique ChargeID which was simply an auto-entered serial number. Now I need to adapt this DB so that multiple users can log in. I have set up security within the privilege set so that the charge record owner can only view their own charges; however, I'm not sure how to approach the Charge IDs. Ideally, the charge IDs would be consecutive and easily "grouped" for summary purposes. For example: Dr. A might have Charge ID numbers DrA1, DrA2..., DrA100, etc. Dr. B might have charges with IDs: DrB1, DrB2..., DrB100, etc. I then need to be able to provide summaries for Dr. A's charges and Dr. B's charges separately. Finally, I would need to export each set of charges without affecting the other set of charges.

My first thought was to create a field for the Charge IDs in the "Users" table in order to have a place to keep track of each user's ChargeID serial count.  Am I on the right track here?  I don't know why, but it feels "awkward" to me to be keeping track of serialized IDs this way.  How would I then use summary fields to get information like Max or Min ChargeID numbers, and charge counts per user?

Thanks in advance for your help!


The best solution, IMHO, would be to keep Charge ID as auto-entered serial number. Maintaining separate series of consecutive IDs is difficult to implement reliably. OTOH, there is nothing that would prevent you from reporting on each user's set of records individually, as long as there is a field that identifies the owner of the record (typically, by auto-entering the creation account name).

Edited by comment

Thanks for the insight!  I see what you mean about keeping the auto-entered serial ID and using the record owner field for some of the summary info.  I must have been making it harder than it needed to be.  


Thanks for the input Steven! I watched your Security videos on VTC and they were very helpful! That said, can you explain what you mean by "your Record Level Access process will be compromised"? Moreover, how do I protect the ID from external manipulation? Is it not enough to limit the view of the records to the Record Owner? Thanks!


It's the test to view that record that must also be protected.

For example, if the user's name is Sarah and Sarah's records are tagged with her name, then you must protect that element. An attacker might be able to change that tag to something else and then be able to see the record and deny Sarah the right to see it. Or to edit it, or to delete it. Or whatever the designated action is.

Steven


Ah, got it.  Thanks!  So far so good I think: the field/element that dictates the "ownership" comes in as <no access> if a different user/attacker hits that record, so if I understand you correctly I should be good because the "attacker" is not able to manipulate the data in that field and thus can't get access to the record!

Thanks again for your help and sharing your knowledge with the FileMaker community!


For example, if the user's name is Sarah and Sarah's records are tagged with her name, then you must protect that element. 

I am not sure I understand fully what you're saying here. What exactly does "protect that element" entail in this case? If the record viewing privileges in the table are limited to when:

Get ( AccountName ) = CreatedBy

is there a need to further restrict access to the CreatedBy field? The only one that can modify this field (same as any other field in the record) is the user that created the record. You might argue they should not be able to modify it either - but that's not given from the situation. For example, Sarah (or her boss) may wish to transfer the ownership of a certain record to another colleague.

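The ownership test discussed in this thread, as an added Python model that is not part of the original posts and is not FileMaker's own access engine. It shows why the write rule for the ownership tag must be checked against the tag as stored, and how a locked tag with a designated transfer path compares with an owner-editable tag. `Record`, `Policy`, `set_owner` and the account names are constructed for illustration.

```python
# Toy model of owner-based record-level access (an assumption-labelled sketch,
# not FileMaker's engine). All names and accounts here are constructed samples.
from dataclasses import dataclass

@dataclass
class Record:
    charge_id: int    # single auto-entered serial shared by all users
    created_by: str   # ownership tag that the access test reads

@dataclass(frozen=True)
class Policy:
    owner_may_retag: bool                       # may the owner edit created_by?
    transfer_accounts: frozenset = frozenset()  # accounts allowed to reassign ownership

def can_view(account: str, rec: Record) -> bool:
    # Mirrors the thread's test: Get ( AccountName ) = CreatedBy
    return account == rec.created_by

def set_owner(account: str, rec: Record, new_owner: str, policy: Policy) -> bool:
    """Attempt to change the ownership tag; return True if the write is allowed."""
    if account in policy.transfer_accounts:
        allowed = True  # designated transfer path, e.g. a supervisor
    else:
        # The check uses the tag as stored BEFORE the change, so a non-owner
        # cannot retag a record into their own view.
        allowed = can_view(account, rec) and policy.owner_may_retag
    if allowed:
        rec.created_by = new_owner
    return allowed

def demo() -> dict:
    open_policy = Policy(owner_may_retag=True)
    locked_policy = Policy(owner_may_retag=False,
                           transfer_accounts=frozenset({"boss"}))
    results = {}
    rec = Record(101, "sarah")
    results["non_owner_retag"] = set_owner("mallory", rec, "mallory", open_policy)
    results["owner_transfer"] = set_owner("sarah", rec, "tom", open_policy)
    results["sarah_still_sees"] = can_view("sarah", rec)  # access moved with the tag
    rec2 = Record(102, "sarah")
    results["owner_retag_locked"] = set_owner("sarah", rec2, "tom", locked_policy)
    results["boss_transfer"] = set_owner("boss", rec2, "tom", locked_policy)
    results["final_owner"] = rec2.created_by
    return results
```

Any code path that writes the tag without going through an equivalent check falls outside this model and needs its own review.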
