User Role (read only, read and write or no access) depending on LDAP Session Info

Hello
I would like to be able to give Users read only, read and write or no access on Tables.
Based on this thread: Relativity Server with LDAP - #19 by Manfred

I updated my LDAP Server with a Field called description.
I can access this Field with this:

log('description = ' + session['Login.description'] + '');

Now I would like to do this:
There are Tables:

If  session['Login.description']  contains this:
MEMBER,MINUTES
then 
MEMBER,MINUTES
= read Only

.

If  session['Login.description']  contains this:
MEMBER-rw,MINUTES-rw
then 
MEMBER,MINUTES
= read write

.

If  session['Login.description']  does NOT contain this:
MEMBER,MINUTES
then 
Tables are not Accessible.

How could this be done?
Manfred

Hello

For example you could use the following JS script. It should be declared in Global scope, no need to copy it for each table:

// Called during validation of request (fetching) for a data table. Should return true if access to the table should be allowed
function onValidateDataTableAccess(name, parameterNames, parameterValues, currentAllowed)
{
//    session['AccessRights'] = 'Orders';
    
    return session['AccessRights'].split(',').indexOf(name) >= 0;
}


// Called for each delta on the server before it's applied
function beforeProcessDelta(delta)
{
 //   session['AccessRights'] = 'Orders,Orders-rw';
    
	if (session['AccessRights'].split(',').indexOf(delta.name + '-rw') < 0)
	  fail('You cannot update the table ' + delta.name);
}

A few notes:
If there are, say, a dozen tables in the Schema, but only 2 of them should have restricted access, then you’d need to add code like

if (name.toUpperCase() !== 'My_Filtered_Table'.toUpperCase())
    return true;

This is needed to prevent filtering code execution for tables that don’t need it.

onValidateDataTableAccess is called on each ‘GetData’ access to the table, beforeProcessDelta is called on each data update attempt.

Also, I’d suggest upper-casing the strings you compare to prevent false-positive (or, much worse, false-negative) check results.

Regards

Thank you for your Reply.
Struggling with adapting this to my case… Sorry…
I need restricted access to these Tables.

MEMBER,TESTIMONY,MINUTES

In LDAP I have a line with this: MEMBER,TESTIMONY,MINUTES
If I check the Log that is generated with this:

log('AccessRights = ' + session['Login.description'] + '');

I see that the “rights” are “received” MEMBER,TESTIMONY,MINUTES

// Called during validation of request (fetching) for a data table. Should return true if access to the table should be allowed
function onValidateDataTableAccess(name, parameterNames, parameterValues, currentAllowed)
{
	log('AccessRights = ' + session['Login.description'] + '');
	if (name.toUpperCase() !== 'MEMBER,TESTIMONY,MINUTES'.toUpperCase())
		return true;
	return session['Login.description'].split(',').indexOf(name) >= 0;
}


// Called for each delta on the server before it's applied
function beforeProcessDelta(delta)
{
	if (session['Login.description'].split(',').indexOf(delta.name + '-rw') < 0)
		fail('You cannot update the table ' + delta.name);
}

I still have Access to the Tables…
I am sure I am missing something… :pensive:

Hello

Code is adapted for your case:

function onValidateDataTableAccess(name, parameterNames, parameterValues, currentAllowed)
{
    name = name.toUpperCase();

	if ('MEMBER,TESTIMONY,MINUTES'.split(',').indexOf(name) < 0)
		return true;

	return session['Login.description'].split(',').indexOf(name) >= 0;
}

function beforeProcessDelta(delta)
{
	// Upper-case the table name and require the matching -RW entry
	var name = delta.name.toUpperCase() + '-RW';
	if (session['Login.description'].split(',').indexOf(name) < 0)
		fail('You cannot update the table ' + delta.name);
}

Btw, if you store the string ‘MEMBER,TESTIMONY,MINUTES’ in LDAP then you won’t have write access to the tables (as per your initial post). The full read-write rights line would be ‘MEMBER,TESTIMONY,MINUTES,MEMBER-RW,TESTIMONY-RW,MINUTES-RW’.

Hope that helps

:blush: As always great help.
Thank you very much.

Shalom
Manfred

I would like to show in the Client if he has write access to the table.

  if tbl_member.ReadOnly =true then
     frm_member.lbl_status_led.Caption:='read only';
  if tbl_member.ReadOnly =false then
     frm_member.lbl_status_led.Caption:='read write';   

With the Settings on the Server (in the previous Post) the Table still looks ReadOnly = false

Manfred

Hello

True, because these Scripting checks don’t affect the Schema itself, where you do check the ReadOnly flag. It remains false all the time.

What you need to do is to ask the server for the access rights description string (once after successful login), decipher it using similar rules as in the Script and then use that data in your app.

While Relativity Server exposes the SessionManagementService that allows reading or setting session values, this service doesn’t provide access to Login.[name here] session values because they can contain sensitive information.

But you can still expose the access rights description string as a table.
To do this:
1. Add a new table to the Schema (right-click the Tables one), set a proper name (like AccessRights) and set its ReadOnly flag to true
2. Go to Statements and add a Statement there
3. Set Statement type to SQL
4. Set Statement text to

SELECT
  "1" as description

5. Open ‘Mappings’ tab and press ‘Create/Reset’ button
6. Go back to SQL tab and change SQL to

SELECT
  {description} as description

7. When prompted to update fields say ‘No’
8. Go to global Scripts and update your onUnknownSqlMacroIdentifier function to handle the description macro:

function onUnknownSqlMacroIdentifier(name)
{
    // Existing code goes here

    if (name === 'description')
        return '"' + session['Login.description'] + '"';
}

Now you can access this table from client, read its single data line and use the retrieved data to setup the interface as needed.

Regards
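
The macro in the answer above places the LDAP attribute between quotes inside the statement text, so anyone who can edit that attribute can influence the SQL. The following is an added example, not part of the original post or of Relativity Server: it validates the value before it is returned, assuming the macro result is substituted verbatim (as the answer's own quoting implies) and that table names use only letters, digits and underscores.

```javascript
// Added example, not code from the thread. RIGHTS_PATTERN and
// descriptionMacroValue are hypothetical names.
// A rights string is a comma-separated list of table names (letters, digits,
// underscores), each with an optional -RW suffix. Nothing else is accepted.
var RIGHTS_PATTERN = /^[A-Z0-9_]+(-RW)?(,[A-Z0-9_]+(-RW)?)*$/;

function descriptionMacroValue(description) {
    var value = '';
    if (typeof description === 'string') {
        value = description.split(',')
            .map(function (entry) { return entry.trim().toUpperCase(); })
            .join(',');
    }
    // Quotes, semicolons, comment markers, or an empty/missing attribute all
    // collapse to an empty literal: the client then sees "no rights" and the
    // statement text is never altered by the directory value.
    if (!RIGHTS_PATTERN.test(value)) value = '';
    return '"' + value + '"';
}

// Constructed sample inputs (not taken from the thread) and their results.
function demo() {
    return [
        ' member , minutes-rw ',   // normalised and accepted
        'MEMBER" OR "1"="1',       // contains quotes: rejected
        undefined                  // attribute missing: rejected
    ].map(descriptionMacroValue);
}

// Wiring inside the existing hook:
//   if (name === 'description')
//       return descriptionMacroValue(session['Login.description']);
```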

Great. It just works.
It is great to work with your Component! :blush:
Shalom
Manfred

Hi
Just a followup question.

The User-Role Settings are working.
But I found out that, since there are quite some Tables to set (14), the String is getting too long.
Since I need every entry 2 times.

TABLE1,TABLE2,TABLE3,TABLE1-RW,TABLE2-RW,TABLE3-RW…

I did not find a way to say, if the User has -RW then of course he also has read Access.
Instead of TABLE1,TABLE1-RW it would be better only TABLE1-RW.

// Called during validation of request (fetching) for a data table. Should return true if access to the table should be allowed
function onValidateDataTableAccess(name, parameterNames, parameterValues, currentAllowed)
{
	log('AccessRights = ' + session['Login.description'] + '');
    name = name.toUpperCase();

	if ('TABLE1,TABLE2,TABLE3'.split(',').indexOf(name) < 0)
		return true;

	return session['Login.description'].split(',').indexOf(name) >= 0;
}

function beforeProcessDelta(delta)
{
    var name = delta.name.toUpperCase() + '-RW';
    
	if (session['Login.description'].split(',').indexOf(name) < 0)
		fail('You cannot update the table ' + delta.name);
}

Any tip on this topic?
Shalom
Manfred

Hello

For example, you could do the following:

Instead of

return session['Login.description'].split(',').indexOf(name) >= 0;

call

    var tables = session['Login.description'].split(',');
    return (tables.indexOf(name) >= 0) || (tables.indexOf(name + '-RW') >= 0);

Regards
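
The rules built up across the answers in this thread (restricted-table list, upper-casing, -RW implying read), collected into one place as an added example that is not part of the original posts. It goes slightly beyond them by trimming whitespace and denying access when the LDAP attribute is missing; RESTRICTED and the three function names are hypothetical, and the table names are the ones from the thread.

```javascript
// Added example, not code from the thread. RESTRICTED, parseAccessRights,
// canRead and canWrite are hypothetical names.
var RESTRICTED = ['MEMBER', 'TESTIMONY', 'MINUTES'];

// 'member, MINUTES-rw' -> { MEMBER: 'r', MINUTES: 'rw' }
// A missing or non-string value yields no rights at all (fail closed).
function parseAccessRights(description) {
    var rights = Object.create(null);   // no inherited keys to match by accident
    if (typeof description !== 'string') return rights;
    description.split(',').forEach(function (entry) {
        var token = entry.trim().toUpperCase();
        var writable = /-RW$/.test(token);
        var table = writable ? token.slice(0, -3) : token;
        if (table === '') return;                      // skip empty entries
        if (writable) rights[table] = 'rw';            // -RW implies read
        else if (rights[table] !== 'rw') rights[table] = 'r';
    });
    return rights;
}

// Read check: tables outside RESTRICTED stay open, as in the thread.
function canRead(name, description) {
    var table = String(name).toUpperCase();
    if (RESTRICTED.indexOf(table) < 0) return true;
    return table in parseAccessRights(description);
}

// Write check: like the thread's beforeProcessDelta, every table needs -RW.
function canWrite(name, description) {
    var table = String(name).toUpperCase();
    return parseAccessRights(description)[table] === 'rw';
}

// Wiring inside the Relativity global script (session and fail are the
// server-side globals used in the thread):
//   function onValidateDataTableAccess(name, parameterNames, parameterValues, currentAllowed) {
//       return canRead(name, session['Login.description']);
//   }
//   function beforeProcessDelta(delta) {
//       if (!canWrite(delta.name, session['Login.description']))
//           fail('You cannot update the table ' + delta.name);
//   }
```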

Thank you very much.
This works fine. :smiley:

Shalom
Manfred