Adding Security to your Development

How do you secure the larger stand-alone developments that run within Smart Office?  This is a question that I have had to ask on some developments.  Because your development isn’t native M3 code you can’t secure it through the traditional SES400 or SES003 methods.

So how do you allow some users access to some functions but not others, or just read access, rather than read/write?

We can build our own security model, but then we have to store this information somewhere. Creating a whole database UI and associated webservices is horribly expensive. We can store it in a configuration file on the M3 UI Adapter server – but this makes maintaining it pretty difficult.

Or we can use the MNS405 roles. This had been something that I had traditionally ignored as IFL didn’t use MNS405 (or SES400 security) – we were stuck using SES003 and menu security. But when I was engaged on another customer project I decided to take a little time to investigate.

UserContext.Roles holds the list of roles that a user has been assigned in MNS410. So what I tend to do these days is create roles for my applications in MNS405, and then assign the operator to those roles in MNS410. Your application can query UserContext.Roles to see if the desired role(s) exist and provide or restrict access as appropriate.

A user can belong to multiple roles.

Figure 1 – the roles that a user can be assigned to

Figure 2 – a user assigned to a role in MNS410

You can add roles and associations without using role-based security. This means your customer can manage your application's security within familiar M3 panels and programs, and it gives you an extremely quick and easy way to add and check security.

And to test

I’m only assigned to one role, but if I was assigned to multiple roles I would see them listed.

And of course, a post wouldn’t be complete without some code…

import System;
import System.Windows;
import System.Windows.Controls;
import MForms;

package MForms.JScript
{
   class viewRoles
   {
      // Writes the current user's roles (assigned in MNS410) to the script debug output.
      public function Init(element: Object, args: Object, controller : Object, debug : Object)
      {
         // Number of roles the user belongs to
         debug.WriteLine(UserContext.Roles.Count);
         for(var i = 0; i < UserContext.Roles.Count; i++)
         {
            // Each entry exposes the role id, its name and its description
            debug.WriteLine("Role: " + UserContext.Roles[i].Role + " Name: " + UserContext.Roles[i].Name + " Description: " + UserContext.Roles[i].Description);
         }
      }
   }
}

As Thibaud notes below in the comments, this isn’t designed as a method to replace M3 security as it can be circumvented.
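Building on the listing above, this added example (not code from the original post) turns the role list into an access level of none, read or read/write, denying by default. The role ids ZTOOL_READ and ZTOOL_EDIT and all function names are hypothetical, and the code is written as plain JavaScript functions that take the role list as a parameter, with a constructed stand-in for UserContext.Roles so it runs outside Smart Office.

```javascript
// Hypothetical role ids; create your own in MNS405 and assign them in MNS410.
var ROLE_LEVELS = { "ZTOOL_READ": 1, "ZTOOL_EDIT": 2 };   // 1 = read, 2 = read/write
var LEVEL_NAMES = ["none", "read", "read/write"];

// roles: in Smart Office, pass UserContext.Roles (a list with .Count and an
// indexer whose items expose .Role, as used in the script above).
function accessLevel(roles) {
   var level = 0;                        // fail closed: no matching role, no access
   if (roles == null) { return level; }
   for (var i = 0; i < roles.Count; i++) {
      var id = String(roles[i].Role);    // exact match on the role id
      if (ROLE_LEVELS.hasOwnProperty(id) && ROLE_LEVELS[id] > level) {
         level = ROLE_LEVELS[id];        // a user in several roles gets the highest level
      }
   }
   return level;
}

function canRead(roles)  { return accessLevel(roles) >= 1; }
function canWrite(roles) { return accessLevel(roles) >= 2; }
function describeAccess(roles) { return LEVEL_NAMES[accessLevel(roles)]; }

// Constructed sample data standing in for UserContext.Roles.
function sampleRoles(ids) {
   var list = { Count: ids.length };
   for (var i = 0; i < ids.length; i++) {
      list[i] = { Role: ids[i], Name: ids[i], Description: "constructed sample" };
   }
   return list;
}

// Constructed users: one with an unrelated role, one reader, one with both roles.
var outsider = sampleRoles(["SALES_CLERK"]);
var reader   = sampleRoles(["SALES_CLERK", "ZTOOL_READ"]);
var editor   = sampleRoles(["ZTOOL_READ", "ZTOOL_EDIT"]);
```

Inside a Smart Office script the same check would be called with UserContext.Roles, and the result used to enable or disable the relevant controls. It gates the user interface only; as noted above, it does not replace M3 security.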


5 Responses to Adding Security to your Development

  1. Indeed, that is a quick and easy way to check “security”; more specifically it’s authorization (who has access to what).

    For the disadvantages of this way (you probably already know this but readers may not), by design users have the ability to disable personalizations which includes scripts, unless the administrator disables that ability but that would defeat the purpose of personalizations. You could use MForms extensions instead, but they don’t apply to H5 Client nor M3 APIs, http://smartofficeblog.com/2013/07/10/introduction-to-mforms-extensions/. The best and only solution is still M3 security with SES400 (or whatever the new name is these days). It’s an endeavor to set up. Infor Smart Data Tool has spreadsheets that make it less of a burden to set up.

    • potatoit says:

      Quite right. I was pitching the technique to secure your own developments, typically stand-alone, which you cannot secure through SES003 or SES400.

      I’ve updated the article to be a little clearer. 🙂

      Thanks Thibaud.

  2. chamath says:

    What is a good way to get a report from MNS405/410/SES400 all together, like what user role is connected to which user and how many functions he has access to, other than creating an SQL query from the DB?

    • potatoit says:

      I’m not aware of any predefined reports to get this information.

      You might be able to pull something out of the adhoc reporting (AHS100) but I haven’t taken a good look.
