Using Formspider Security Repository

Formspider Security enables developers to restrict a user’s access to data and UI elements based on his privileges.

Security Data Model

Formspider Security uses the following data model:

Creating and Maintaining Security Repositories

Under “Security > Security Repositories”, Formspider IDE has a new dialog to create and maintain your security models. Click the “Configure Repository” icon to create and edit users, roles and keys in a repository.

Assigning a Security Repository to an Application

Open the “Edit Application” dialog and select a Security Repository from the combobox.

Securing Data

Keys enable access to a data or UI element (resource). A key can represent one or more resources in the application.

Data can be secured at the Datasource Definition and column level declaratively.

Assign keys to control the read or write privilege of a Datasource Definition as shown below:

Once the read or write access is secured with a key, only users who have the key can read or write to Datasources based on the secured Datasource Definition.

Assign a key to control the read or write privilege of a column as seen below:

Once the read or write access is secured with a key, only users who have the key can read or write to the column. If a read/write key is also defined at the Datasource Definition level, the user must have that key as well to be able to read/write the column.

Data secured this way never leaves the database, i.e. the data is not transferred to the client if the logged-in user does not have the privilege to read it.

Developers can access the secured data through the api_datasource package without being constrained by these security restrictions.

Securing the UI

UI components that are bound to secured datasources automatically reflect the restrictions set at the Datasource Definition. For example, a textField bound to a Datasource Column is rendered uneditable if the user does not have the privilege to write to that column. Similarly, the component displays ***** in place of the data if the user does not have the right to read the Datasource Column.

Developers can also assign keys to the enable, editable and visible attributes of every UI component, in the following manner:

<panel>
  <tableLayout>
    <row>
      <cell>
        <textField editable="#{sec.key5}" visible="#{sec.key6}" enable="#{sec.key7}">
        </textField>
      </cell>
    </row>
  </tableLayout>
</panel>

At run time, any API call in the PL/SQL code that sets the value of one of these attributes (editable, enable and visible) is ignored by the framework if the attribute is secured with a key and the user does not have that key.

For example, consider the textLabel in the following Panel:

<panel>
  <tableLayout>
    <row>
      <cell>
        <textLabel name="textLabel1" visible="#{sec.key6}" label="Some Secure Text">
        </textLabel>
      </cell>
    </row>
  </tableLayout>
</panel>

At run time, if the logged-in user does not have the key key6, the visible attribute is set to false and any attempt to set it to true is ignored by the framework. For example, the call

api_component.setVisible('panel1.textLabel1','Y')

will not make the textLabel visible on the screen if the current user does not have key6 assigned.

Populating the Security Repository with Keys

After an application is associated with a repository, the Formspider IDE starts tracking the new keys used in the application and creates the ones that do not exist in the repository.

Security APIs

Formspider Security introduces a new API package named api_security. The package includes the following methods:

login: This procedure is used to log in a user.

logout: This procedure is used to log out a user.

hasKey: This function returns Y if the current user has the provided key and N if he does not. You may use the hasKey API in SQL statements to implement row-level security.
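As an added example (not from the Formspider documentation) of the row-level security use of hasKey mentioned above, the query below filters rows inside the database according to the keys the current user holds. The ORDERS table, its columns and the key names are constructed for this example, and it assumes that api_security.hasKey takes the key name as its single VARCHAR2 argument, since the page does not name the parameter.

```sql
-- Added example: row-level security with api_security.hasKey.
-- Assumed: hasKey(key_name) returns 'Y' or 'N' for the logged-in user.
-- Constructed: ORDERS(order_id, region, amount, required_key) and the key names.

-- Variant 1: the key to check depends on a fixed column value per row.
-- A user with the constructed key 'orders_read_all' sees every row;
-- otherwise only the regions whose key the user holds are returned.
SELECT o.order_id,
       o.region,
       o.amount
FROM   orders o
WHERE  api_security.hasKey('orders_read_all') = 'Y'
   OR  (o.region = 'EMEA' AND api_security.hasKey('orders_read_emea') = 'Y')
   OR  (o.region = 'APAC' AND api_security.hasKey('orders_read_apac') = 'Y');

-- Variant 2: the required key is stored beside each row, so the rule
-- lives in the data rather than in the query and is checked once per row.
SELECT o.order_id,
       o.region,
       o.amount
FROM   orders o
WHERE  api_security.hasKey(o.required_key) = 'Y';
```

Because the predicate is evaluated by the database, rows the user may not read are never sent to the client, which matches the behaviour described for column and Datasource Definition keys. Either SELECT can serve as the query of a Datasource Definition; hasKey is then called for every candidate row, so the underlying table should be filtered by its usual indexed predicates before the key check.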

  • Marko P.

    Hi!
    I’ve implemented a security repository in my FS application. I created users, roles and keys and it works on TextField perfectly. When I change the user, that TextField is enabled or disabled depending on which user is logged in. But I have a problem with the MenuBar component. It doesn’t matter if I put the key on the Menu or the MenuItem enabled property, it is always disabled whichever user is logged in.

    • http://www.gerger.co Yalim K. Gerger

      Hi Marko,

      Thank you for trying Formspider and getting in touch. :-) . This is actually an excellent question.

      There is a little trick with the menu bar. Did you attach the menu bar to your application’s mainframe at design time?

      If the menu bar is attached to the mainframe at design time, it will always be created along with your mainframe when you open your application. At that point in time, no user is logged in. So the menu bar will be created before a user can sign in. And once a Formspider UI Object is created, its properties which were set by security keys cannot be altered anymore. So even if you log in afterwards, the menu item stays disabled.

      The solution is to attach the menu bar to the mainframe, after the user successfully signs in to the application. You can use the api_frame.setMenuBar API for this purpose.
      Hope this helps.

      Kind Regards,
      Yalim K. Gerger
      Founder

      • Marko P.

        Thank you for your quick response. It works as you said. I’ve changed it and now the menubar works just fine when I change the user.

  • Jochen

    What about a “How to influence the look & feel of an application”?

    • http://www.gerger.co Yalim K. Gerger

      Hi Jochen,

      In Formspider, the application look&feel is changed using CSS. If you know CSS well, in Formspider it is fairly easy to implement the changes in look&feel you have in mind. If you don’t know CSS though, you’ll have difficulties. So if you don’t know CSS, I suggest you learn CSS first and then changes in Formspider will come fairly easy.

      If you do know CSS, then you can open up Firefox’s or Chrome’s developer tools and figure out which Formspider component is affected by which CSS class and go from there.

      Hope this helps.

      Kind Regards,
      Yalim