Kbase P70897: Security based on fields is not working at run-time
| Autor |
Progress Software Corporation - Progress |
| Acesso |
Público |
| Publicação |
3/22/2004 |
|
Status: Unverified
FACT(s) (Environment):
Progress 9.1Cx
FACT(s) (Environment):
Progress 9.1Dx
SYMPTOM(s):
Security based on fields is not working at run-time
Compile-time Security
Run-time Security
CAUSE:
When defining Security based on fields thru the Data Administration.
If on one field you only allow to write and to update to an user. The security based on field will only work if you run the procedure not compiled.
Security work when procedure is not compiled showing error messages:
Insufficient access privileges to Field FieldName (233).
Could not understand line 2 (196).
If you compile the procedure where the field which has the security is involved then no security message will appear and the user with no permission will be allowed to access like if no security exist.
FIX:
This is the expected behaviour.
Compile-time Security
Compile-time security checking is built into Progress. You define compile-time security for an application database at the table and field levels to prevent the user from writing their own procedures to access data in the database.
Progress lets you define the type of access rights or permissions different users can have to the tables and fields in your database applications. Progress checks these permissions when the user runs and compiles a procedure for the first time during a Progress session. However, permissions are not checked when the user runs procedures that are precompiled. For information about how to enable security for precompiled procedures, see the "Run-time Security".
If you use CRC-based r-code (the default), the user can compile a procedure against a database that has the same schema as the database (a counterfeit database) and then run the procedure against the database. Since Progress does not check the permissions of the database at compile time, you have no compile-time security. However, you can use the PROUTIL utility's DBAUTHKEY qualifier to set an authorization key for the database. The authorization key prevents unwanted r-code from being run against the database.
Run-time Security
The application developer can provide run-time security to prevent unauthorized users from running precompiled procedures. To establish run-time security, the developer must set up a permissions table within the database.
The permissions table contains records that specify users who are authorized to run specific procedures. Each record in the permissions table must contain at least two fields: an Activity field and a Can-Run field. The Activity field contains the name of the procedure and the Can-Run field contains the user IDs of those who have permission to run the procedure. Within the application, the developer uses the CAN-DO and USERID functions to test whether the current user can run a specific procedure.
As security administrator, you must maintain the permissions table. It is the developer's responsibility to provide the tools to maintain this table.
For more information about run-time security and maintaining the permissions table, see the Progress Programming Handbook.