mrc Documentation
michaels, ross & cole, ltd.
http://www.mrc-productivity.com/

 

Advanced Record Level Security for Web 2.0 Applications

 

Advanced Record Level Security is a highly flexible technique for controlling the records returned based on the application user.  The concept is similar to mrc standard record level security, but it allows multiple key values per user and eliminates the need for sequencing the application by the security key value.  The following few steps demonstrate the technique.

 

1. Create a security table and populate it with data. It may contain several records per user.  You must enter the username in ALL UPPERCASE. Doing this will allow for the end user to be non-case specific at runtime.

 This example has fields Profile (10A), Relationship (2A), and Values (99A).  Valid values for the Relationship field include:

 

EQ      Equal to               

GE      Greater than or equal to

GT      Greater than           

LE       Less than or equal to  

LS      Is in the list         

LT       Less than              

NE      Not equal to           

NG      Not greater than       

NL      Not less than 

RG      Is in the range

SW     Starts with

 

 

2. Create a retrieval (inquiry) application over the security table.

 

 

 

Here is the listing of all the fields used in the retrieval application.  Sequence your application by the field containing user profile (USRNAME in this case). Please do not name the user field USER. That is a reserved Java field.

 

 

Select the Web 2.0 Multi Record Inquiry template in the 'Application Defaults' link from the 'Application Options' screen. Click the Accept button to save your changes and compile your application. This specific template allows you to create a java object that can be defined as an external object and then used in other applications.

 

3. Define the logic generated in Step 2 as an external object with the following attributes:

Object Type is M

Class is DD.IXXXXXs

(where DD = Data Dictionary, XXXXX = application number of the inquiry created in Step 2.)

Method is getCondition

Classpath is /mrcjava/WEB_INF/lib/.

 

 

Define one parameter which has attributes matching the key database field.  This example uses the 'Customer Number' field (6.0).

 

4. Create a servlet application (retrieval, graph, report, summary or maintainer application) that employs the advanced security logic.  Use the external object defined in Step 3.  Select template location *ADVRECSEC and map the field from the application to the object parameter.

 

 

After clicking the Accept button, the 'External Object Review' is displayed where you can validate the selected external object name, template location and the parameter mapping.

 

5. Compile and execute the application with debug turned on to see the SQL statement affected in the WHERE clause. Ensure that you are authenticating the end user so that a user name can be retrieved by the Java program. Please see this document for mrc built-in security.

 

Please note: There are no case restrictions at runtime. Meaning, the end user can type their username in any case he or she wishes and their security application will work as designed.