Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Section access in hidden script.
SECTION Access;
LOAD * INLINE [
ACCESS,NTNAME,NTDOMAINSID,ROLE
ADMIN,JERSON,xxxxxxxxxxxxxxx,MANAGER
USER,PETER,xxxxxxxxxxxxxxx,SALES
];
SECTION Application;
STAR is *;
LOAD * INLINE [ROLE, AREA
MANAGER, *
SALES, SOURTH
];
User level in document setting have right to edit script.
So they can load data from source in main script like:
LOAD * INLINE [
AREA, PROFIT
NORTH, 1234566
SOURTH, 3453223
EAST, 9876543
];
It will let PETER only can see data from SOURTH AREA.
Recently we found that user can insert another "SECTION Application" to change original setup for section access.
For example, user changes the code to:
SECTION Application;
STAR is *;
LOAD * INLINE [ROLE, AREA
SALES, *
];
LOAD * INLINE [
AREA, PROFIT
NORTH, 1234566
SOURTH, 3453223
EAST, 9876543
];
These code will let PETER to get access to all AREA data
Is there any way to stop multiple Section Application in the script ?
Jerson,
I'm not sure that you've identified the problem correctly. I don't expect that adding aonther "section application" will make any difference at all.
But - keep in mind that section access security is applied on open. If a user can reload - all the data is loaded, regardless section access. And, I assume, if you allow users to edit script, you allow to reload as well. Otherwise script canges don't have any effect.
The bottom line - you cannot allow user reload if you use section access for the data reduction.
Regards,
Michael
Michael
Sorry for my bad English.
Let me explain this question in another way.
Our customers define two kinds of user when developing a qvw application.
In my original post, Admin User defined that Peter can only see data in SOURTH.
But if Design User add another section application code I marked as pink in my post, they will let Peter to see all data .
My question is when Design User write another section application in main script.
They can overwrite the original section application in hidden script.
Is there any method to stop this situation?
Or should tell our customer to change their flow process on developing qvw applications?
Jerson,
From your additional explanation, looks like i did not misunderstand you. The major points are:
1. First statement "Section Application" declares the end of the "section Access". The second statement "Section Application" doesn't change anything. It certainly does not replace any data between the first and the second statements "Section Application". If your remove statement "Section Application" from the pink part, nothing is going to change - both users still have access to all data.
2. In your example, the "correct" part gives access to all data for user JERSON, and the pink part gives access to all data to user PETER, so both users have full access.
3. If you give user access to the script, you cannot prevent changes like this. Even more - if you allow users to relaod application, they will see the full data without getting into the script.
4. Yes, you have change the process. Typically, users do not have access to the script, and if you use security, do not allow users to reload. The best practice is to keep QV document on server, relaod it automatically, and allow users only to view it. Changing front end objects is OK, in most cases it doesn't change security.
Regards,
Michael
PS: For most participants here, including myself, English is not the first languauge.