From Dwayne Wright PMP, PMI-ACP, CSM
Certified FileMaker Developer
I highly recommend testing every privilege set with test accounts that you set up in your FileMaker solution. I recommend testing even more (higher and higher, if you will) before putting your FileMaker solution LIVE on the network or internet. Test, test and test again: it's much easier to fix security issues in a file before you make it available to other users. Close the database and open it with each password in a defined group. You should try to add test data, navigate screens, click buttons and perform scripts. If your database allows web browser access, XML access or any other access technology, test it under different security environments.
If possible, recruit others to test your system. I would recommend creating something for the users to reference during the testing period. You may get much better results if you give the testers an idea of what you are looking for. Testing covers menu commands, layouts, scripts and more. As you might guess, a secured menu command looks different from a secured layout, so we are going to briefly discuss what to expect when you are testing password or access privilege settings.
Layouts ... when a user does not have access to a layout, the entire layout is covered with a gray film with the words “Access Denied” barely visible. When you are testing this, your goal is to make sure that a user will not encounter the gray screen of death on a particular layout.
Another security setting option is the Read Only Access setting. On the surface, you cannot tell a read-only layout from a full-access layout. You have to try to create or edit information on the read-only layout before you discover the difference: a dialog box comes up with the message “Your password does not enable you to do this or this file is not modifiable.”
Menu Commands ... when you have removed access to a menu command, that menu command option will be light gray. For example, you can take away a user's ability to change their password. The command will still be in the same place, but it will be gray instead of black.
Fields ... prepare for déjà vu, because this is going to sound a little familiar. When a user does not have access to a field, the entire field box is covered with a gray film. As a developer, you will want to limit this as much as possible. Sometimes you have no option. However, showing someone what you are not allowing them to see ... is distracting at the least.
Another security option is the Read Only Access setting. On the surface, you cannot tell a read-only field from a full-access field. You have to try to create or edit information in the read-only field before you discover the difference: a dialog box comes up with the message “This field is not modifiable.”
To help in your testing, you can create a test launcher file with a scripted log on for each privilege set. I’ll cover this in more detail in later discussions.
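The symptoms described above can be turned into a reference sheet that scores what testers report against what each privilege set is supposed to allow. The following is an added example, not code from the author or from FileMaker; the privilege set names, objects, tester notes and the "edit saved" wording are constructed assumptions.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0       # gray film / "Access Denied"
    READ_ONLY = 1  # looks normal, but an edit attempt raises a dialog
    FULL = 2       # edit goes through

# Symptoms from the article mapped to the access level they indicate.
# "edit saved" is an assumed tester phrase for a successful change.
SYMPTOMS = {
    "gray film": Access.NONE,
    "access denied": Access.NONE,
    "your password does not enable you to do this": Access.READ_ONLY,
    "this field is not modifiable": Access.READ_ONLY,
    "edit saved": Access.FULL,
}
# Constructed sample data: intended access per (privilege set, object).
EXPECTED = {
    ("Sales", "Invoices layout"): Access.READ_ONLY,
    ("Sales", "Salary field"): Access.NONE,
    ("Sales", "Contacts layout"): Access.FULL,
    ("Guest", "Invoices layout"): Access.NONE,
    ("Guest", "Change Password menu"): Access.NONE,
}
# Constructed tester notes, one per combination actually tried.
OBSERVED = {
    ("Sales", "Invoices layout"): "Edit saved without any dialog",
    ("Sales", "Salary field"): "Field covered with gray film",
    ("Sales", "Contacts layout"): 'Dialog: "This field is not modifiable."',
    ("Guest", "Invoices layout"): "Access Denied shown",
}

def classify(note):
    """Return the access level a tester note indicates, or None."""
    for symptom, level in SYMPTOMS.items():
        if symptom in note.lower():
            return level
    return None

def review(expected, observed):
    """List every combination that is untested or deviates from intent."""
    findings = []
    for key, want in expected.items():
        if key not in observed:
            findings.append((key, "UNTESTED"))
            continue
        got = classify(observed[key])
        if got is None:
            findings.append((key, "UNRECOGNISED NOTE"))
        elif got != want:
            label = "OVER-PRIVILEGED" if got > want else "UNDER-PRIVILEGED"
            findings.append((key, label))
    return sorted(findings)
```

An OVER-PRIVILEGED finding is the security issue to fix before going live; UNDER-PRIVILEGED is the case where a user hits a gray screen or dialog they should not see.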
For more info about the author and FileMaker in general, contact me at email@example.com.
© 2007 - Dwayne Wright - dwaynewright.com
The material in this document is offered AS IS. There is NO REPRESENTATION OR WARRANTY, expressed or implied, nor does any other contributor to this document. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. Consequential and incidental damages are expressly excluded. FileMaker Pro is the registered trademark of FileMaker Inc.