This question is related to my post on how to dynamically set a user's role based on some data (http://forum.strataframe.net/Topic3970-21-1.aspx).



As the plot thickens...



Not all users have their access controlled at the project (application defined 'project', not a VS project) level. Some are 'enterprise' users, who automatically get access to all projects. I have a permission setup, 'AllProjectAccess', which will used to determine which users need access based on project and which have access to all projects.



If the user was logged on when I needed this, this would be easy:



SecurityBasics.CurrentUser.GetPermission("AllProjectAccess").Action



Unfortunately, the user isn't logged in yet. I have a custom login form that handles the OK click and within this procedure, I need to determine:



1. Is the user an enterprise user or a project level user

2. Get default project for user (applies to all users)

3. If user is a project level user, setup appropriate role(s) for the project



When this is done, I continue on with the process, calling me.OnLoginAttempt(), letting the framework do its magic.



So the question is, how do I do step 1? I want to user the framework to handle all the complexities that can occur to finally determine what the action is for that permission.

Well, a user is going to have to be logged in to retrieve any permissions to test on.  Once they are logged in, you can start swapping things around...I had posted a reply to you at some point about creating a custom login form...you can look at that to get an idea possibly.  But you will have to login in order to retrieve permissions (at least through the normal framework functionality).  You can use the SF security business objects and manually load the BO to get the data you want to look at before the login occurs.  That is really the only way I know how to answer you on this one .

Well, what you originally suggested (as I understood it) was to use a custom login form, then use the AuthenticateUser to see if the user was OK, then do my custom work to figure out what role(s) the user has for their 'default' project, load those roles into the SFSUserXRolesBO (clear any previous roles), then log them by calling the OnAttemptLogin(), which would handle logging them in, deal with invalid logins, etc.



I suppose that would have worked, except I actually have two classes of users, those with access to all projects and those with access on a project by project basis. If I have to go through the SFS BOs, I suppose I have to look at SFSRoleXUsers, SFSRolesXPermissions, SFSUserXPermissons all to figure out a permission right?

Is the "Enterprise" user static or change with the project?

In poking around in the Object Browser, I'm wondering if this might work:



' Authenticate user

dim userInfo as SFSUsersBO

dim loginResult as MircoFour.StrataFrame.Security.LoginResult

loginResult = MircoFour.StrataFrame.Security.Login.AuthenticateUser(me.txtUser,me.txtPwd,"",userInfo)



' Create temporary logged in user so we can check to see if they have all project access

dim tempUser as New LoggedInUser

tempUser = MircoFour.StrataFrame.Security.LoggedInUser.CreateNew(userInfo)

If tempUser.CheckPermission("AllProjectAccess").Action = PermissionAction.Deny Then

' Do role setting stuff

End If



Me.OnAttemptLogin()

Greg,

I think this whole think has become much more complicated than it needs to be.  If it were me, I would adjust application to work within the confines of the security so I would not have to make a lot of changes.

For example, when a user comes into the application, they are going to have to choose which project to work on, right?  Why not do something with security at that point.  Or what if your projects allows certain users to associated with it, rather than trying to go the other way around. 

I don't know your application, but I do know that we can come up with a more simple solution that what you have been doing lately.  When it starts getting complicated like this...we always sit down as a team and figure out another avenue to travel.

Yes, it may work fine...but I woudl still consider revising the approach you are taking.

There is a class of users that have enterprise level access. I.e. they can access all projects because they are 'enterprise' level users. They might be executives, users in a departments who help all projects or provide QC on projects.

So going back to my previous post, does the user have to select a project or does it just know somehow which project to open?

But as I understand your security, you don't have the native (i.e. easy) ability to define a set of roles based on some application data element (in my case, some user's roles are defined by the project they are working on).







The application tracks a default project, which is the project that is used when they login.







Er, I thought I was As soon I know who they are (they have been authenticated), I have to figure out if they are 'enterprise' users or 'project' users, which will determine if their roles need to be changed. In all cases I need to figure out their default project, so I can setup the 'context' for the application.







Huh? I'm associating projects to users (remember, 'project' is an in application term, describing data within that application, not a VS project), or if you prefer users to projects. It is a linking table (userID, projectID).







I'm all ears, But here is what I'm dealing with:



1. Two basic classes of users: those who have access to all projects and those whose access is determined by project.

2. For users who have access determined by the project, I will need to dynamically set the access based on project.

3. In SF (as I understand it), I must set the roles for a user before they are logged on.