StrataFrame Forum » StrataFrame Application Framework - V1 » Role Based Security » BusinessBindingSource and Field Level Secuirty.

BusinessBindingSource and Field Level Secuirty.

fparker — Wed, 11 Apr 2007 08:51:48 GMT

Hello,

I have bound a business object to a ComponentOne grid through an instance of the BusinessBindingSource object. When I attached security keys to some of the business object's fields, it didn't seem to have any affect on the grid - users who do not have access to a field will be able to see it on the grid. Does field level security not work with the BusinessBindingSource object or am I doing something wrong? Thanks for your help.

Fran Parker

MaxQ Technologies, Inc.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Wed, 11 Apr 2007 08:51:48 GMT

Trent,

No trouble - I just wanted to make sure that I wasn't doing something wrong. Thanks for the update!

Fran.

RE: BusinessBindingSource and Field Level Secuirty.

Trent L. Taylor — Tue, 10 Apr 2007 23:48:02 GMT

Fran,

The BBS at the moment is not respecting the security fields as it relates to binding to a grid and having the same native functionality as bound to any other type of control. This is due to the nature of the IBindindList interface and how it interacts with the grid. This is going to take some time to work through and as soon as we have a solution we will let you know. Sorry for any trouble.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Tue, 10 Apr 2007 11:36:08 GMT

For what it's worth, I added a standard DataGridView control to my test screen (to remove ComponentOne from the loop) and that didn't help. So, it seems as though field level security is not enforced when a BusinessBindingSource object is used. Can you guys confirm this? Thanks.

Fran.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Wed, 04 Apr 2007 16:13:06 GMT

Any thoughts on my grid problem? Thanks.

Fran.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Mon, 02 Apr 2007 13:04:48 GMT

Ben,

Thanks for the info. Now I understand why I wasn't getting the denied action I expected.

Unfortunately, however, I'm still having trouble with my grid screen. I changed the CheckSecurityOnFields property of my object to Always (it had been set to WhenPermissionKeySet) and still the CheckFieldSecurity event is not being fired. On my non-grid test screen, the event does get fired. So, it seems as though having the object bound to the grid is preventing the event from being raised. Any thoughts? Thanks for your help.

Fran.

RE: BusinessBindingSource and Field Level Secuirty.

StrataFrame Team — Mon, 02 Apr 2007 11:45:52 GMT

Ah, yes, when you don't explicitly set a permission on a user, the DefaultPermissionInfo is used for that permission.

I will add an enhancement request to retrieve the DeniedAction from the database when a user is denied by default rather than explicitly denied.

As for the CheckFieldSecurity event, you have to set the CheckFieldSecurity property on the business object so that the event will be raised. Otherwise, the event never gets raised for you to handle it. Sorry I left that out earlier.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Fri, 30 Mar 2007 10:20:49 GMT

Trent,

I did as you suggested and found that the deny action was Message in both circumstances. With a little further experimenting, I found that this value would always be whatever the default denied action was. So, I can get my test screen, the one without a grid, to behave the way I want if I setup the default permission info as follows:

SecurityBasics.DefaultPermissionInfo = new PermissionInfo(PermissionAction.Deny,"Access Denied.", DeniedActions.ReplaceEachCharacter);

A related thing I noticed by running SQL Profiler is that my screen doesn't make any attempt to find out what the denied action should be for a permission that I don't have. After logging in, the screen executes the following SQL statement which returns only the list of permissions that I have been assigned:

exec sp_executesql N'SELECT * FROM [dbo].[SFSUserPermissionInfo] WHERE us_pk = @us_pk ORDER BY pm_pk',N'@us_pk int',@us_pk=1

Anything permission that I haven't been assigned just uses the DefaultPermissionInfo. For what its worth, my test user is not a memeber of any roles.

Anyway, getting back to my grid screen, changing the default denied action didn't have any affect on the grid. Also, I noticed that the CheckFieldSecurity event never gets fired for the business object bound to the grid.

Thanks for your help.

Fran.

RE: BusinessBindingSource and Field Level Secuirty.

Ben Hayat — Thu, 29 Mar 2007 19:24:44 GMT

[quote][b]Trent L. Taylor (03/29/2007)[/b][hr]No worries :) We use Snagit from Tech Smith. We have met these guys before and they not only have a great product but are really good people as well. (www.snagit.com )[/quote]

Thanks Trent. You did a nice job on the screen shot. Nice & clean!

RE: BusinessBindingSource and Field Level Secuirty.

Trent L. Taylor — Thu, 29 Mar 2007 18:31:00 GMT

No worries :) We use Snagit from Tech Smith. We have met these guys before and they not only have a great product but are really good people as well. (www.snagit.com )

RE: BusinessBindingSource and Field Level Secuirty.

Ben Hayat — Thu, 29 Mar 2007 17:12:44 GMT

Sorry Trent, I meant to quote your screen shot, but I picked Fran's by mistake!

RE: BusinessBindingSource and Field Level Secuirty.

Ben Hayat — Thu, 29 Mar 2007 17:10:58 GMT

[quote][b]fparker (03/29/2007)[/b][hr]Trent,

Thanks for the quick reply. I must be doing something wrong. I used the Security Editor to create a permission with a denied action of "Replace Each Character". I then assigned that permission to a field of a grid bound business object and also to a field of a non-grid bound business object. My program includes the following two lines:

SecurityBasics.DefaultBlockedMsg = "Access Denied.";

SecurityBasics.BlockedReplacementCharacter = '*';

When a user without the permission in question loads a record into the screen, the text box bound to the non-grid object's field will be filled with "Access Denied.". However, the grid column bound to the field in question shows the field's data. Any idea what I might have missed? Thanks again.

Fran[/quote]

Trent, nice screen shot! Would you mind shareing what tool did you use to make the borders of the screen shot like that and also dim the color of the shot and then hightlight the area?

Or did you use the capabilities of the "InstantForum" to do so?
Thanks!

RE: BusinessBindingSource and Field Level Secuirty.

StrataFrame Team — Thu, 29 Mar 2007 17:06:41 GMT

After the user logs in, add a breakpoint somewhere in your app (doesn't matter where) and in the watch window, check the value of the MicroFour.StrataFrame.Security.SecurityBasics.CurrentUser.GetPermission("<permissionname>"); where you replace <permissionname> with the name of the permission you assigned to the user. The returned value will be a PermissionInfo object that will contain the access level and the blocked message. Check to see if the DeniedAction is Message or if it is ReplaceEachChar.

The second thing you can check is the CheckFieldSecurity event on the business object. When you handle the event on the form, you the event args will contain the values that are going to be used to block/replace the message. Check those 2 things and let me know.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Thu, 29 Mar 2007 16:32:42 GMT

Trent,

I was already using "Replace Each Character". I did as you suggested, however, and created a new project using the "StrataFrame Windows Application with Security" template. I then dropped text boxes bound to both of my business objects onto Form1. When a user without the required permission runs the test screen, the boxes bound to the fields in question both contain "Access Denied." rather than the replacement character. Any thoughts? Thanks.

Fran.

RE: BusinessBindingSource and Field Level Secuirty.

Trent L. Taylor — Thu, 29 Mar 2007 15:32:35 GMT

You have to set the permission of the action to "Replace Each Character" in order for the replacement text to work properly.

This logic is done within the BO and the property. I recommend binding the field to a regulary SF text box until you get the results you are looking for so you know that the BBS is not in the formula.

RE: BusinessBindingSource and Field Level Secuirty.

fparker — Thu, 29 Mar 2007 15:20:06 GMT

Trent,

Thanks for the quick reply. I must be doing something wrong. I used the Security Editor to create a permission with a denied action of "Replace Each Character". I then assigned that permission to a field of a grid bound business object and also to a field of a non-grid bound business object. My program includes the following two lines:

SecurityBasics.DefaultBlockedMsg = "Access Denied.";

SecurityBasics.BlockedReplacementCharacter = '*';

When a user without the permission in question loads a record into the screen, the text box bound to the non-grid object's field will be filled with "Access Denied.". However, the grid column bound to the field in question shows the field's data. Any idea what I might have missed? Thanks again.

Fran

RE: BusinessBindingSource and Field Level Secuirty.

Trent L. Taylor — Thu, 29 Mar 2007 15:05:50 GMT

[quote]Does field level security not work with the BusinessBindingSource object or am I doing something wrong?[/quote]

These security fields will not be respected by the grid as far as showing up. Now if you use the replace with character then you will see the replacement character rather than the actual value.