How to enforce Security in an App? 

Gang

Here's my problem. I have an app that you need to log in to. Your login will
be verified against an MS SQL 7.0 database. Let's then assume that there are
3 edit boxes in the main window.

EB-1
EB-2
EB-3

If your login was SCOTT, then you have r/w access to all the edit boxes.

If you login as BOB, then you have r/w access to EB-1 and ro access to EB-2
and 3.

If you login as MIKE, then you have ro access to all the edit boxes.

Have any of you guys written an app with functionality like this? I actually
have 50 or so screens and 800 or so fields that people can have ro or r/w
access to. We are using VC6.0 and MFC. I am looking for a maintainable
solution.

Any thoughts?

Bob



Mon, 24 Sep 2001 03:00:00 GMT  
This might be one approach.
Once a user is logged in you can have a token assigned to that user (a token can
be just an array of bits indicating the possible permissions).
Now when you are going to show a form you can examine the token and,
according to the rights, enable or disable the edit boxes.

I hope that is what you were asking.
Mahendra
Quitters never win and winners never quit.

Quote:

> Gang

> Here's my problem. I have an app that you need to log in to. Your login will
> be verified against an MS SQL 7.0 database. Let's then assume that there are
> 3 edit boxes in the main window.

> EB-1
> EB-2
> EB-3

> If your login was SCOTT, then you have r/w access to all the edit boxes.

> If you login as BOB, then you have r/w access to EB-1 and ro access to EB-2
> and 3.

> If you login as MIKE, then you have ro access to all the edit boxes.

> Have any of you guys written an app with functionality like this? I actually
> have 50 or so screens and 800 or so fields that people can have ro or r/w
> access to. We are using VC6.0 and MFC. I am looking for a maintainable
> solution.

> Any thoughts?

> Bob



Tue, 25 Sep 2001 03:00:00 GMT  

Quote:
> Gang

> Here's my problem. I have an app that you need to log in to. Your login will
> be verified against an MS SQL 7.0 database. Let's then assume that there are
> 3 edit boxes in the main window.

> EB-1
> EB-2
> EB-3

> If your login was SCOTT, then you have r/w access to all the edit boxes.

> If you login as BOB, then you have r/w access to EB-1 and ro access to EB-2
> and 3.

> If you login as MIKE, then you have ro access to all the edit boxes.

Hmmmm..... I suspect that you could approach it in this manner. Why not create
groups? Each group would represent a specific permission, e.g. Scott in GROUP
ALL would not have permissions limited, BOB in GROUP EB1 would represent a user
with EB1-only privileges, MIKE in GROUP EB2 would represent a user with EB2
privileges. The GROUP would be an NT GROUP, sp_addgroup etc.

On start up you would check the user's GROUP affiliation and then set their
permissions to the group's application action permissions, e.g. loop through
objects to enable/disable, hide/show, etc.

The downside is there could be many GROUPS. The upside is you could probably create
a CLASS to implement this functionality. Some work up front but maintainable and
extensible as time progresses, no?

HTH and regards,

-- Ty




Tue, 25 Sep 2001 03:00:00 GMT  
Bob -

Quote:

> Here's my problem. I have an app that you need to log in to. Your login will
> be verified against an MS SQL 7.0 database. Let's then assume that there are
> 3 edit boxes in the main window.

> EB-1
> EB-2
> EB-3

> If your login was SCOTT, then you have r/w access to all the edit boxes.

> If you login as BOB, then you have r/w access to EB-1 and ro access to EB-2
> and 3.

> If you login as MIKE, then you have ro access to all the edit boxes.

> Have any of you guys written an app with functionality like this? I actually
> have 50 or so screens and 800 or so fields that people can have ro or r/w
> access to. We are using VC6.0 and MFC. I am looking for a maintainable
> solution.

I've worked on an app with similar security requirements.  What we did
was something like the following (this was back in 1993 in 16-bit land,
so forgive me if I'm a little vague at times!  And it wasn't for UPS):

o  We defined a table in our database holding permissions.  It was a
many-to-many link table between our user table and our table of secured
controls.  In addition to the user ID and control ID, the table had a
field for permission : read-write, read-only, no access.  By default, we
assumed that any control would have read-write access if it wasn't
listed in this table, to prevent us from having to maintain all
controls!

o  Each dialog, when started, would query this table for the permissions
for its controls for the current user.

o  Knowing the permissions, we could set the Visible and Enabled states
of the controls appropriately.  In cases where controls were not to be
visible, we would move the remaining controls appropriately.

This worked reasonably well.  There might have been some extra time to
query for the permissions, but in our case any given installation would
have only a handful of users and most of our security was at the level
of "can they see this dialog/menu item/toolbar button", rather than at
the level of the individual control and the UPDATE_UI mechanism worked
for us.

Hope this helps!  Good luck!

   David
================================
The opinions expressed are personal and may not
reflect UPS opinions.  No animals were hurt in
testing these opinions.



Tue, 25 Sep 2001 03:00:00 GMT  
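The permissions link table David describes, combined with Mahendra's idea of building a per-login token once and consulting it from each dialog, written out as an added example (not code from any of the posters; `PermissionToken`, `stateFor` and the sample rows are constructed for the demo, and plain structs stand in for the MFC calls):

```cpp
#include <map>
#include <string>
#include <vector>

// Permission levels as stored in the (constructed) user/control link table.
enum class Perm { NoAccess, ReadOnly, ReadWrite };

// One row of the many-to-many table: user ID, secured control ID, permission.
struct PermRow { std::string user; std::string control; Perm perm; };

// Per-login token (hypothetical name): built once after login from the table,
// then consulted by each dialog instead of re-querying per control.
class PermissionToken {
public:
    PermissionToken(const std::string& user, const std::vector<PermRow>& table) {
        for (const PermRow& row : table)
            if (row.user == user) perms_[row.control] = row.perm;
    }
    // Controls not listed for this user default to read-write, so only the
    // exceptions have to be maintained in the table.
    Perm lookup(const std::string& control) const {
        auto it = perms_.find(control);
        return it == perms_.end() ? Perm::ReadWrite : it->second;
    }
private:
    std::map<std::string, Perm> perms_;
};

// What a dialog applies to one control (stand-in for ShowWindow/EnableWindow/
// CEdit::SetReadOnly): no access hides it, read-only keeps it visible but locked.
struct ControlState { bool visible; bool enabled; bool readOnly; };

ControlState stateFor(const PermissionToken& tok, const std::string& control) {
    switch (tok.lookup(control)) {
        case Perm::NoAccess: return {false, false, true};
        case Perm::ReadOnly: return {true, true, true};
        default:             return {true, true, false};
    }
}

// Constructed sample rows matching Bob's three logins; SCOTT has no rows and
// therefore gets read-write everywhere by the default rule.
const std::vector<PermRow> kSampleTable = {
    {"BOB",  "EB-2", Perm::ReadOnly}, {"BOB",  "EB-3", Perm::ReadOnly},
    {"MIKE", "EB-1", Perm::ReadOnly}, {"MIKE", "EB-2", Perm::ReadOnly},
    {"MIKE", "EB-3", Perm::ReadOnly},
};
```

The default-to-read-write rule keeps the table small, but it also means a control that is forgotten when a new screen is added is writable by everyone; a "default to no access" variant is the safer choice when that matters more than maintenance effort.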
MS SQL, I presume, assigns access permissions to tables and views
based on login. You should be able to check this fairly easily using
CRecordset derived classes.

If you succeed in opening, you have at least r/o access.

If CRecordset::CanUpdate() returns TRUE, then you have r/w access.

I'm not sure how you would map the table permissions SQL allows to the
CEdit::SetReadOnly() call (your question is too generic), but it
does have the advantage that permissions are set in only one place, so
it should be maintainable.



Quote:
>Gang

>Here's my problem. I have an app that you need to log in to. Your login will
>be verified against an MS SQL 7.0 database. Let's then assume that there are
>3 edit boxes in the main window.

>EB-1
>EB-2
>EB-3

>If your login was SCOTT, then you have r/w access to all the edit boxes.

>If you login as BOB, then you have r/w access to EB-1 and ro access to EB-2
>and 3.

>If you login as MIKE, then you have ro access to all the edit boxes.

>Have any of you guys written an app with functionality like this? I actually
>have 50 or so screens and 800 or so fields that people can have ro or r/w
>access to. We are using VC6.0 and MFC. I am looking for a maintainable
>solution.

>Any thoughts?

>Bob

Don Grasberger
(remove --- from address to e-mail)


Tue, 25 Sep 2001 03:00:00 GMT  
We have an environment where permissions to functions of an application are
assigned to users or groups of users. The tables that define Applications,
ApplicationFunctions, Users, Groups, GroupFunctions, UserFunctions are all
implemented in a separate application that allows an administrator to assign
functions to a user, etc, etc. (once they have a login).

In any custom application that we then develop, (unfortunately it requires
hardcoding), we code FUNC=<func-id> in the tag of either (or all) a Menu
Option, a Form, or a control on a form.

A permissions class first determines what functions the logged on user has
(determined at logon time); If none, the application closes.

If some functions are available, menu options are enabled / disabled
according to what functions the user has access to.

When a form loads, it too checks that the user has rights to use the form:
if the function number in the tag is allowed (by interrogating the
permission class) then the form loads. Otherwise it gives the user a
"{*filter*} {*filter*}" message, and unloads.

At the same time, the form's controls are processed by the permissions class,
and any control that has a tag will be disabled if the user has no rights to
the function.

Actually, it is more complex than this, (you can have multiple function ids
in the tag), etc.

Probably best illustrated with an example ...

Functions:
Add customer = 1
Delete customer = 2
Enquire customer = 3

Menu to open customer maintenance form: Tag=1,2,3

Customer maintenance form: Tag=1,2,3

Add button on form: Tag=1
Delete button on form: Tag=2
Close button on form: Tag=<empty>
This way, any user with enquire access can still open the form, but can't
Add or Delete customers.

This is a flexible (albeit simple) solution ... and if you're concerned
about speed ... it is not an issue.

My project has about 35 forms and 90 functions.

Hope that helps ...

Warren Roscoe


Quote:
> MS SQL, I presume, assigns access permissions to tables and views
> based on login. You should be able to check this fairly easily using
> CRecordset derived classes.

> If you succeed in opening, you have at least r/o access.

> If CRecordset::CanUpdate() returns TRUE, then you have r/w access.

> I'm not sure how you would map the table permissions SQL allows to the
> CEdit::SetReadOnly() call (your question is too generic), but it
> does have the advantage that permissions are set in only one place, so
> it should be maintainable.



> >Gang

> >Here's my problem. I have an app that you need to log in to. Your login will
> >be verified against an MS SQL 7.0 database. Let's then assume that there are
> >3 edit boxes in the main window.

> >EB-1
> >EB-2
> >EB-3

> >If your login was SCOTT, then you have r/w access to all the edit boxes.

> >If you login as BOB, then you have r/w access to EB-1 and ro access to EB-2
> >and 3.

> >If you login as MIKE, then you have ro access to all the edit boxes.

> >Have any of you guys written an app with functionality like this? I actually
> >have 50 or so screens and 800 or so fields that people can have ro or r/w
> >access to. We are using VC6.0 and MFC. I am looking for a "maintainable"
> >solution.

> >Any thoughts?

> >Bob

> Don Grasberger
> (remove --- from address to e-mail)



Sun, 30 Sep 2001 03:00:00 GMT  
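Warren's tag scheme (FUNC ids in a control's tag, checked by a permissions class at menu, form and control level) as an added example that is not Warren's own code: `parseTag`, `Permissions` and `loadCustomerForm` are names constructed here, and the function ids and tags are the ones from his customer maintenance example.

```cpp
#include <set>
#include <sstream>
#include <string>
#include <utility>

// Function IDs from Warren's example (constructed constants for the demo).
enum : int { ADD_CUSTOMER = 1, DELETE_CUSTOMER = 2, ENQUIRE_CUSTOMER = 3 };

// Parse a control's tag such as "1,2,3" (spaces tolerated) into the set of
// function IDs it requires. An empty tag yields an empty set.
std::set<int> parseTag(const std::string& tag) {
    std::set<int> ids;
    std::stringstream ss(tag);
    std::string item;
    while (std::getline(ss, item, ',')) {
        if (item.find_first_of("0123456789") != std::string::npos)
            ids.insert(std::stoi(item));
    }
    return ids;
}

// Permissions class (hypothetical name): holds the function IDs granted to the
// logged-on user, determined once at logon.
class Permissions {
public:
    explicit Permissions(std::set<int> granted) : granted_(std::move(granted)) {}
    // No functions at all means the application should close.
    bool hasAny() const { return !granted_.empty(); }
    // A menu option, form or control is usable if its tag lists at least one
    // granted function; an empty tag (e.g. the Close button) is always allowed.
    bool allows(const std::string& tag) const {
        std::set<int> needed = parseTag(tag);
        if (needed.empty()) return true;
        for (int id : needed)
            if (granted_.count(id)) return true;
        return false;
    }
private:
    std::set<int> granted_;
};

// What the customer maintenance form decides on load, using the tags from the
// post: form 1,2,3 / Add 1 / Delete 2 / Close <empty>.
struct FormDecision { bool openForm; bool addEnabled; bool deleteEnabled; bool closeEnabled; };

FormDecision loadCustomerForm(const Permissions& p) {
    return {p.allows("1,2,3"), p.allows("1"), p.allows("2"), p.allows("")};
}
```

Disabling a button is a UI convenience only; the server-side procedure behind Add or Delete should check the same function id, since the tag can be bypassed by anything that talks to the database directly.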