3 Replies. Latest reply: Aug 27, 2012 8:41 PM by Michael Solomovich

    Section Access and multiple Section Application

      Section access in hidden script.

       

      SECTION Access;
      LOAD * INLINE [
                ACCESS,NTNAME,NTDOMAINSID,ROLE
                ADMIN,JERSON,xxxxxxxxxxxxxxx,MANAGER
                USER,PETER,xxxxxxxxxxxxxxx,SALES
      ];

      SECTION Application;
      STAR is *;
      LOAD * INLINE [ROLE, AREA
          MANAGER, *
          SALES, SOURTH
      ];

       

      The User level in the document settings has the right to edit the script.

      So they can load data from the source in the main script, like:

       

      LOAD * INLINE [
                AREA, PROFIT
                NORTH, 1234566
                SOURTH, 3453223
                EAST,  9876543
      ];

       

      This lets PETER see only data from the SOURTH AREA.

       

      Recently we found that a user can insert another "SECTION Application" to change the original setup for section access.

      For example, the user changes the code to:

       

      SECTION Application;
      STAR is *;
      LOAD * INLINE [ROLE, AREA
          SALES, *
      ];

      LOAD * INLINE [
        AREA, PROFIT
        NORTH, 1234566
        SOURTH, 3453223
        EAST,  9876543
      ];

       

      This code will let PETER get access to all AREA data.

      Is there any way to stop multiple Section Application statements in the script?

        • Re: Section Access and multiple Section Application
          Michael Solomovich

          Jerson,

           

          I'm not sure that you've identified the problem correctly. I don't expect that adding another "section application" will make any difference at all.

          But - keep in mind that section access security is applied on open.  If a user can reload - all the data is loaded, regardless of section access.  And, I assume, if you allow users to edit the script, you allow them to reload as well.  Otherwise script changes don't have any effect.

           

          The bottom line - you cannot allow users to reload if you use section access for the data reduction.

           

          Regards,

          Michael

            • Re: Section Access and multiple Section Application

              Michael

               

              Sorry for my bad English.

              Let me explain this question in another way.

               

              Our customers define two kinds of users when developing a qvw application.

              • Admin User:  has all rights. Normally the admin only defines section access and who can see what data.
              • Design User: can edit the main script only. Design users will load data and design the layout of the qvw application.

               

              In my original post, the Admin User defined that Peter can only see data in SOURTH.

              But if a Design User adds another section application, the code I marked in pink in my post, they will let Peter see all data.

               

              My question is about when a Design User writes another section application in the main script.

              They can overwrite the original section application in the hidden script.

              Is there any method to stop this situation?

              Or should we tell our customer to change their flow process for developing qvw applications?

                • Re: Section Access and multiple Section Application
                  Michael Solomovich

                  Jerson,

                   

                  From your additional explanation, it looks like I did not misunderstand you.  The major points are:

                   

                  1. The first statement "Section Application" declares the end of the "Section Access".  The second statement "Section Application" doesn't change anything.  It certainly does not replace any data between the first and the second statements "Section Application".  If you remove the statement "Section Application" from the pink part, nothing is going to change - both users still have access to all data.

                   

                  2. In your example, the "correct" part gives access to all data for user JERSON, and the pink part gives access to all data to user PETER, so both users have full access.

                   

                  3. If you give users access to the script, you cannot prevent changes like this.  Even more - if you allow users to reload the application, they will see the full data without getting into the script.

                   

                  4. Yes, you have to change the process.  Typically, users do not have access to the script, and if you use security, do not allow users to reload.  The best practice is to keep the QV document on the server, reload it automatically, and allow users only to view it.  Changing front end objects is OK, in most cases it doesn't change security.

                   

                  Regards,

                  Michael

                  PS: For most participants here, including myself, English is not the first language.
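
Added example, not part of any post in this thread: a review check that an admin could run on a design user's main script before it is published, flagging the kind of change discussed above (an extra SECTION statement, or an inline table that loads a reduction field such as ROLE). The function names are hypothetical, only LOAD * INLINE tables are parsed, and the sample scripts are constructed from the ones quoted in the thread.

```python
import re

# Reserved Section Access columns; every other column is a reduction field.
SYSTEM_FIELDS = {"ACCESS", "USERID", "PASSWORD", "SERIAL",
                 "NTNAME", "NTDOMAINSID", "NTSID", "OMIT"}
INLINE_RE = re.compile(r"LOAD\s+\*\s+INLINE\s*\[\s*([^\n\]]+)", re.I)
SECTION_RE = re.compile(r"^[ \t]*SECTION\s+(ACCESS|APPLICATION)\s*;", re.I | re.M)
ACCESS_BLOCK_RE = re.compile(r"SECTION\s+ACCESS\s*;(.*?)SECTION\s+APPLICATION\s*;",
                             re.I | re.S)

def header(match):
    """Upper-cased field names from the first row of an inline table."""
    return {f.strip().upper() for f in match.group(1).split(",")}

def reduction_fields(hidden_script):
    """Non-system columns of the Section Access table in the hidden script."""
    block = ACCESS_BLOCK_RE.search(hidden_script)
    if not block:
        return set()
    fields = set()
    for m in INLINE_RE.finditer(block.group(1)):
        fields |= header(m)
    return fields - SYSTEM_FIELDS

def audit_main_script(hidden_script, main_script):
    """Return findings for main-script statements that can alter the reduction."""
    def line_of(m):
        return main_script.count("\n", 0, m.start()) + 1
    findings = [f"line {line_of(m)}: SECTION {m.group(1).upper()} in main script"
                for m in SECTION_RE.finditer(main_script)]
    protected = reduction_fields(hidden_script)
    for m in INLINE_RE.finditer(main_script):
        hit = sorted(header(m) & protected)
        if hit:
            findings.append(
                f"line {line_of(m)}: inline table loads reduction field {', '.join(hit)}")
    return findings

# Constructed sample input, taken from the scripts quoted in the thread.
HIDDEN = """SECTION Access;
LOAD * INLINE [
    ACCESS,NTNAME,NTDOMAINSID,ROLE
    ADMIN,JERSON,xxxxxxxxxxxxxxx,MANAGER
    USER,PETER,xxxxxxxxxxxxxxx,SALES
];
SECTION Application;
"""
TAMPERED_MAIN = "SECTION Application;\nSTAR is *;\nLOAD * INLINE [ROLE, AREA\n    SALES, *\n];\n"

if __name__ == "__main__":
    print("\n".join(audit_main_script(HIDDEN, TAMPERED_MAIN)))
```

This only detects the change during review; as the replies state, a user who can reload the document still gets the full data.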