From Dwayne Wright PMP
Certified FileMaker Developer
I have to admit, the first time I heard the term Substantive Privileges, I was a bit bewildered as to its meaning. Looking at the dictionary meaning for substantive, one of the things we get is "not imaginary; actual; real". So when is the privilege set a FileMaker user has been assigned not the real one?
When a FileMaker user is running a script that has the “Run Script with Full Access Privileges” turned on, their substantive (or real) privilege set access restrictions are suspended during the execution of the script.
Now there is a wicked back swing in the use of this setting that can really confuse you. One popular Get function is Get(PrivilegeSetName), which returns the name of the privilege set in use by the current database user.
If you run a script with the "full access" check box selected, Get(PrivilegeSetName) will always return the full access privilege set (and its associated extended privileges) during the script's execution. So any script that branches in a different direction based upon the result returned by Get(PrivilegeSetName) is useless in this situation.
It would be so cool if you could turn "run with full access" on / off during the script, like you can with Set Error Capture. Well, that isn’t an option for us thus far.
So if you want to know what the user's privilege set actually is within a script that is running with full access, you have to set a global field or global variable beforehand, within a script that is NOT running under full access. This is akin to a stamping routine: the privilege set information is written once to a global marker instead of being calculated dynamically. Personally, I tend to put a Set Variable script step in my opening scripts that sets a global variable to the user's sign-in account name and their privilege set. It is just something I do by default, whether I know I’m going to use it or not.
Then you can query that global field / variable, instead of Get(PrivilegeSetName), and it should return the correct result. Of course, you would have to re-stamp your globals if you have a re-login routine somewhere.
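The stamping routine described above, written out as script steps. This is an added example, not code from the original post; the script names, the $$USER_ACCOUNT and $$USER_PRIVSET variable names, and the "Manager" privilege set are hypothetical.

```filemaker
# Script: "Startup" (hypothetical name), set as the file's opening script
# Run Script with Full Access Privileges: OFF
# Get ( PrivilegeSetName ) still reflects the user's real privilege set here.
Set Variable [ $$USER_ACCOUNT ; Value: Get ( AccountName ) ]
Set Variable [ $$USER_PRIVSET ; Value: Get ( PrivilegeSetName ) ]

# Script: "Re-Login and Restamp" (hypothetical name)
# Run Script with Full Access Privileges: OFF
# The account may have changed, so the stamp is refreshed right after the re-login.
Re-Login [ With dialog: On ]
Set Variable [ $$USER_ACCOUNT ; Value: Get ( AccountName ) ]
Set Variable [ $$USER_PRIVSET ; Value: Get ( PrivilegeSetName ) ]

# Script: "Delete Invoice" (hypothetical name)
# Run Script with Full Access Privileges: ON
# Inside this script Get ( PrivilegeSetName ) reports the full access set,
# so the branch tests the stamped value instead.
# An empty stamp means the opening script never ran, so the script refuses to continue.
If [ IsEmpty ( $$USER_PRIVSET ) or $$USER_PRIVSET ≠ "Manager" ]
    Show Custom Dialog [ "Not allowed" ; "Your account cannot delete invoices." ]
    Exit Script [ ]
End If
Delete Record/Request [ With dialog: Off ]
```

The exact wording of step options varies between FileMaker versions; the structure of the three scripts is what matters.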
Another, more obscure example of a Substantive Privilege is when the Re-Login script step is in play. In cases like this, you may temporarily assign a different user account and associated privilege set to a user. However, the use of this is normally relegated to database testing, when a user wants to quickly test the security behaviors of an account without having to close the database and reopen it again.
For more info about the author and FileMaker in general, contact me at firstname.lastname@example.org.
© 2009 - Dwayne Wright - dwaynewright.com
The material on this document is offered AS IS. There is NO REPRESENTATION OR WARRANTY, expressed or implied, nor does any other contributor to this document. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Consequential and incidental damages are expressly excluded. FileMaker Pro is the registered trademark of FileMaker Inc.