By Kevin Lingofelter - 4/25/2006
Greetings!

I am going to be posting some of my wishlist for Strata. Some of my ideas are pretty long winded, so I thought I should create a post for each one.

Better security support

I would like to see role based security implemented in the layers:

Framework

1. A global object which identifies the current user. This identity would include username, roles collection and whether or not the user has been authenticated. It would also include methods which allow the username, password and roles collection to be modified. Another handy utility would be a function which is passed a role as an argument and it returns true if the user is in that role.
2. A User/Role editor which can be used by the programmer in their applications. These are pretty standard and would fit nicely with some of the existing SF forms already in use. Of course, the programmer can use their own form to manage users and roles.

UI

A RequiredRole collection for Strata UI components which is bound to a specified property which can be bound to a certain property, for example the read-only state, visibility, enabled, etc. Before a control is rendered, it checks to see if the user is in the declared role(s). If not, the control's property is toggled accordingly. Forms can also respond to the RequiredRoles collection by either throwing an exception or displaying the login form, etc.

Imagine this scenario:

txtSellingPrice
RequiredRoles = {"Manager", "Owner"}
BoundProperty = ReadOnly

If the user logged in is only a member of SalesClerk, the selling price would be readonly. If Manager and Owner, then the textbox would be editable. In the change event, I could then allow the changes to be limited by role. For example, if Manager is logged in, allow price to be changed up to 3%, the Owner can change it to whatever he/she likes. This would allow for a more declarative security model. If the existing security model is extended to utilize roles, the programmer can also have "low level" security hooks to do whatever they wanted.

Thoughts?
|
By Trent L. Taylor - 4/25/2006
Kevin,
You'll be glad to know that this one is already in the works! We have already started the process and plan on even allowing it to be data-driven as well. I will elaborate on it more later, but this feature will be added to the framework.
|
By Kevin Lingofelter - 4/25/2006
Sounds great! Let me know if you need testing. Can you indicate any timelines?
|
By StrataFrame Team - 4/25/2006
If you only knew, Kevin...
Like Trent said, we're developing the security right now based on the Users/Roles approach... each permission will be assigned a key, much like the localization key, and when you assign a permission key to a control/form/object, that permission is required for the user to view/interact with that control/form/object... as for a timeline, we're not sure, but it will definitely be in version 1.5. There will be a global User object that indicates the currently logged-in user (it will be a business object containing the record for that user).
|
By Larry Caylor - 4/25/2006
Ben,
In designing your new security are you considering providing the ability to use Windows authentication and Active Directory groups (roles)?
-Larry
|
By Trent L. Taylor - 4/25/2006
Larry,
The overall design is relatively encapsulated. However, if you have a desire to use Windows Security and AD, you could easily write a program to import settings and assign permissions.
|
By Larry Caylor - 6/3/2006
In the security scheme that you are designing it would be nice if you included an option to use Windows authentication (the Windows/Active Directory user ID and password) or custom authentication where the user ID and password are stored in the application DB. The actual roles would be defined in the framework and not Active Directory. Also, do you plan to support multiple roles assigned to both users and objects?
-Larry
|
By StrataFrame Team - 6/4/2006
Yes, we support the ability to assign multiple roles to users. However, you don't assign roles to objects, but rather a "permission key." When you assign a permission to a role or to a user, you assign an action along with that permission. So, when the user logs into the system, the system builds a list of the permissions that have been assigned to that user and the action(s) for each permission. The permissions are then linked to the permission keys that are assigned to objects within the application.
As for Windows security, we will definitely keep all permissions within the application's db and out of Active Directory. We're also probably going to allow the ability to link a particular user to the SID of an AD user to allow for Windows authentication.
|
By StrataFrame Team - 6/4/2006
You'll be happy to know that the security will be in the next release. Probably when 1.4.1 switches from pre-release to full release.
|
By Kevin Lingofelter - 6/4/2006
oooh...=)
Will we have the standard strata type forms, etc. to implement the management or will we have to build something? Yeah, I know, it's lazy, but it's Sunday...=) Looking forward to this.
|
By StrataFrame Team - 6/5/2006
The security keys will be right on StandardForm... no templating required. Just set the permission key on the form to define the permission that is required to view/edit the form and then define the permission within the database (same functionality on the field-level, too).
|
By Kevin Lingofelter - 6/5/2006
Hmm..how about the ability to allow users to change roles, permissions, etc.?
|
By Trent L. Taylor - 6/5/2006
Absolutely. There is a dialog form that you can display to the end-user to manage all of the roles, users, and permissions associated with the roles and users. It is very flexible and gives you complete control without actually having to write the end-user interface yourself.
In the same approach we have taken throughout the framework, we have implemented features that give you as much or as little control over the security that you would need.
|
By Kevin Lingofelter - 6/5/2006
Perfect!
|
By Trent L. Taylor - 6/5/2006
I really think the security will "float your boat". It is going to be a spectacular addition to the framework!
|
By Wayne Van Rooyen - 6/6/2006
Hi, I can remember if I saw this in the documentation somewhere. StrataFrame currently does support field level access, is this correct, and if it is how would this be affected or implemented with the additions you are doing to the security of forms right now.
Wayne
|
By Trent L. Taylor - 6/6/2006
StrataFrame does currently support field level security but it is not data driven. Without the security module you would have to manually capture the CheckFieldSecurity event and program your logic. With the security module it is data driven allowing a permission to be associated with the field level access. For example, one type of role (or a specific user) may be able to read the address information but not write to it. So the role or user account will either be assigned a field level permission with an action assigned. An action determines the type of access. For example: write, readonly, blank, blank with message, replacement characters, and regex replacement. So the field level security can be data driven and will respect the user's permissions.
|
By StrataFrame Team - 6/6/2006
In fact, we used the CheckFieldSecurity hook that was already in place to check the field level security, we just made it data-driven, like Trent said.
|
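The model described in this thread (permissions gathered from a user's roles and direct assignments at login, each carrying a field-level action) is sketched below as an added C# example; it is not StrataFrame code and does not use its API. Every type and member name, the precedence rules, the default-deny behaviour and the sample data are assumptions.

```csharp
// Added illustration; all names are hypothetical, not StrataFrame's API.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
// Constructed sample data: two roles held by one user, no direct user grants.
var clerk = new[] { new Grant("CustomerAddress", FieldAction.ReadOnly),
                    new Grant("CardNumber", FieldAction.RegexReplacement) };
var manager = new[] { new Grant("CustomerAddress", FieldAction.Write) };
var perms = FieldSecurity.BuildEffective(new[] { clerk, manager }, Array.Empty<Grant>());
foreach (var (fieldKey, raw) in new[] { ("CustomerAddress", "12 Main St"),
    ("CardNumber", "4111111111111111"), ("SellingPrice", "19.99") })
{
    var resolved = FieldSecurity.Resolve(perms, fieldKey);
    Console.WriteLine($"{fieldKey}: {resolved} -> '{FieldSecurity.Render(resolved, raw)}'");
}

// Action names come from the thread; their order (least to most access) is an assumption.
enum FieldAction { Blank, BlankWithMessage, ReplacementCharacters, RegexReplacement, ReadOnly, Write }
record Grant(string PermissionKey, FieldAction Action);
static class FieldSecurity
{
    // Built once at login: role grants are merged, then direct user grants override them.
    public static Dictionary<string, FieldAction> BuildEffective(
        IEnumerable<IEnumerable<Grant>> roleGrants, IEnumerable<Grant> userGrants)
    {
        var effective = new Dictionary<string, FieldAction>();
        foreach (var g in roleGrants.SelectMany(r => r))
            // Assumption: when several roles cover one key, the most permissive action wins.
            if (!effective.TryGetValue(g.PermissionKey, out var cur) || g.Action > cur)
                effective[g.PermissionKey] = g.Action;
        foreach (var g in userGrants)
            effective[g.PermissionKey] = g.Action; // assumption: a user grant beats role grants
        return effective;
    }

    // Assumption: default deny, so a key with no grant resolves to Blank.
    public static FieldAction Resolve(IReadOnlyDictionary<string, FieldAction> eff, string key) =>
        eff.TryGetValue(key, out var a) ? a : FieldAction.Blank;
    // What a bound control would display for the resolved action.
    public static string Render(FieldAction action, string value) => action switch
    {
        FieldAction.Write or FieldAction.ReadOnly => value,
        FieldAction.BlankWithMessage => "(access denied)",
        FieldAction.ReplacementCharacters => new string('*', value.Length),
        FieldAction.RegexReplacement => Regex.Replace(value, @"\d(?=\d{4})", "#"),
        _ => string.Empty,
    };
}
```

Render only decides what a control shows; the same resolved action has to be checked again on the save path, so that a ReadOnly or masked field cannot be written by bypassing the form.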
By Kari Paukku - 6/23/2006
Hi,
"You'll be happy to know that the security will be in the next release. Probably when 1.4.1 switches from pre-release to full release."
How close are we to the 1.4.1 full release and would it be possible to get a video sample of how these new security features can be used.
Kari
|
By Trent L. Taylor - 6/23/2006
Kari,
It will be July before the 1.4.1 release is official and the security module becomes available for use. When we release the security module, there will be samples to help you along the way. And yes, we will more than likely create a video to post on the forum showing how to use the security features.
|
By Kari Paukku - 7/12/2006
Hi,
any new info (dates, features etc) on the next release...?
Kari
|
By Trent L. Taylor - 7/12/2006
We will more than likely make the 1.4.1 version official and release it by the end of July. There have been a number of updates made and we will post a full list in the help and on the website soon.
|
By Larry Caylor - 7/13/2006
Will the doc be updated in the next release to cover the new features?
-Larry
|
By Trent L. Taylor - 7/13/2006
Yes. This is the goal.
|
By Randy Jean - 9/8/2006
Looking forward to these enhancements as well.
One more request to add: Menus (ToolstripmenuItems) to be security aware. For instance, if a user doesn't have access to a specific "permission key" that key can be assigned to a menu item to disable or hide it at runtime. This way, the user has a clue they can't run something (or they just plain don't see it) rather than having to display an "access denied" message after they click the menu.
|
By StrataFrame Team - 9/11/2006
Tying the security into the menu system is certainly a large enhancement request, however, if you subclass a ToolStripMenuItem (button, separator, label, etc.), you must also re-create the control designer(s) for the menu itself. The problem is that the control designer for the menu has the ability to add the menu items to the control, and there is no way to extend the control designer to tell it to add a new instance of our subclassed menu item over the base menu item. For now, you have to manually test the permissions in code and disable/enable or show/hide the menu items accordingly.
|
By Randy Jean - 9/11/2006
OK, doesn't sound like it should be a big deal to do in code, especially if I can just add the security key to an unused property and iterate through the menu options after it's loaded.
Any new info on expected date of the next release?
|
By Trent L. Taylor - 9/11/2006
The new release will be made available on September 22, 2006. The Security Add-on can be purchased that same day.
|
By Randy Jean - 9/12/2006
How much will this addon cost? Also, not to sound cheap or anything, but shouldn't security be part of an application framework vs. an add-on? Other frameworks we use come with security out of the box. Of course, you're free to use or not use their security, modify it, use your own, etc., but at least it's there if you want it.
|
By Trent L. Taylor - 9/12/2006
The Role-Based security add-on is $295 per developer. As for being included in the framework by default, the answer is no. First, we provide all of the events and hooks in the framework to allow you to implement your own security if you choose not to purchase the role-based security. But the Role-Based security that we are about to release far exceeds anything that any other framework provides. This is the most robust security engine that I have seen and it will also include auditing, which is another piece that is not provided by any framework (to my knowledge). The security even comes, out-of-the-box, with multi-lingual support. All labels, messages, etc. are already provided in several languages and it will continue to grow. Additionally, you do not have to do anything other than specify the locale ID that you choose to use (which can be changed at run-time since it uses the standard StrataFrame localization engine). We also provide all of the end-user dialogs, session locking, end-user documentation, and a number of other things. This is more than a "band-aid" solution to security and comes with all of the bells and whistles and this is why this is an add-on, not just an inclusion.
Through this process, new products have been introduced in the Messaging and Localization that we give you with no additional fee which includes translation tools, client translation packaging and tracking, and more. I hope this answers your questions.
|
By Kari Paukku - 9/13/2006
Hi,
"The new release will be made available on September 22, 2006."
Do you know, will the StrataTrain E-Reference (http://www.stratatrain.com/buyIt1.html) be ready when the next release of SF is made available and will it contain material for the new features, such as the security add-on?
Kari
ps. Any info on the E-Reference pricing...?
|
By StrataFrame Team - 9/13/2006
Looks like the Volume 1 of the StrataTrain E-Reference will be available on or around the release date of 1.5. However, the E-Reference is lagging slightly behind the product in certain areas. For instance, it does not currently contain any information pertaining to the security module, but it does contain information on most of the advanced business object features that have been added since the initial product release.
|
By Randy Jean - 9/13/2006
Trent,
Yes, this answers my questions. Thanks. Again, meant no offense as to your decision not to include it but mainly needed to know the price.
The "other" framework I refer to specifically is for Visual FoxPro and the initial subscription cost is about the same as StrataFrame current pricing w/Security add-on. And although this VFP framework has a very good security implementation, the one you describe definitely sounds more robust. For instance, the ability to assign more than 1 role to a user, auditing, etc.
Thanks again,
Randy
|
By Trent L. Taylor - 9/13/2006
No offense was taken, I just wanted to make sure you understood why we have the security module as an add-on versus an included feature. Thanks for your comments.
|