News & Views
The online information source for iSeries and mrc-Productivity Series users
January 2004
Volume 4, Issue 1

Hotline Question of the Month

by Margaret Jeronim
 

Question:

“I would like to prevent customers from viewing records that are not theirs.

How can I do this in a servlet report?”


Answer:

By using record level security in servlet reports, you can prevent users from accessing the data that does not "belong" to them. Assigning a user profile to a specific record will ensure that only records that are assigned to that user will be displayed.

To implement record level security in servlet reports, follow these steps.

Step 1: Create a security file that assigns a user to a certain value. Create a simple file containing 2 values: 'USER PROFILE' and the value ('CUSTOMER#' in this example). You can easily use mrc to create this file. Key the application by 'USER PROFILE'. Load data into the file by assigning several users to specific values.

As an example, I've assigned to my user profile JERONIM Customer# 100200. If your system already accomplishes security at the record level, a file might already exist and contain data, which you can use for security.

Step 2: Create a retrieval application (as an external object) that uses the security file created in step 1. It should retrieve the current user, test that user against the file, and return the value assigned to that user.

A. If using the Black & Green screen (B&G) developer version of the mrc-Productivity Series, select the R8 (Web/Servlet) External Object Inquiry template in Client/Server option.

[Screenshot: Client/Server Option for B&G]

B. If using BED (Browser Enhanced Developer), select the R8 (Web/Servlet) External Object Inquiry in Web Option.

[Screenshot: Web Option for BED]


Step 3: Define that program as an external object to mrc.

A. If using B&G Developer, use option 44 from the B&G main menu to define the external object.

[Screenshot: Definition B&G]

[Screenshot: Parameters B&G]

B. If using BED (Browser Enhanced Developer), select the 'Data Dictionary' tab, follow the 'Manage External Objects' link, and click 'Create' to add the external object definition.

[Screenshot: Definition BED]

[Screenshot: Parameters BED]


Step 4: Create a report that uses the Security external object. Sequence it by the value you assigned to the profile field you created in Step 1 (Customer# in my example). Then select the external object you've defined in the previous step, pass the appropriate field(s) to the object parameters, and specify *STRRCDSEC for template location.

Note: Make sure that you specify runtime selection criteria in option 4 for this report (in this case Customer# EQ ?). That way the application is populated only with the value (Customer#) assigned to the user profile that signed in.

[Screenshot: External Object BED]

[Screenshot: External Object B&G]


Step 5: Modify the httpd.conf file for the Apache instance that runs mrc applications by adding a <Location> statement (see below):

<Location /mrcjava/servlet/MRCEDUCATE.R01775s*>
Require valid-user
AuthType Basic
AuthName User_Customer_Security
PasswdFile %%SYSTEM%%
UserID %%SERVER%%
</Location>

NOTE: This specific <Location> statement will prompt users for their iSeries (AS/400) user profile and password when they try to access the R01775 report.

Step 6: Restart the Apache server for the changes that you've added in step 5 to take effect.

Step 7: Access the report application created in step 4. You should be prompted to sign on. After you sign on, you will only see records that are "yours", based on the values in the file created in step 1.

[Screenshot: Results]


Note: This example shows how to validate a user against an iSeries (AS/400) user profile. If you want to restrict access to records for users that do not have an iSeries (AS/400) profile, you can validate against a validation list.
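
The lookup that steps 1, 2 and 4 set up, shown as an added Java example (not mrc-generated code and not from the original article): the signed-on user is resolved through the security file, and the report is filtered by that value alone. The class, method and field names and the sample rows are hypothetical, and the example assumes profile names are stored in upper case in the security file.

```java
import java.util.*;

// Added illustration, not mrc-generated code. All names are hypothetical.
public class RecordLevelSecurityDemo {

    record Order(int customerNo, String item) {}

    // Step 1: the security file, keyed by user profile (constructed sample data).
    static final Map<String, Integer> SECURITY_FILE = Map.of(
            "JERONIM", 100200,
            "SMITH", 100300);

    // Constructed sample rows standing in for the report's data file.
    static final List<Order> ORDERS = List.of(
            new Order(100200, "Widget"),
            new Order(100300, "Gasket"),
            new Order(100200, "Bracket"));

    // Step 2: resolve the signed-on user to the value assigned in the security file.
    static Optional<Integer> customerFor(String remoteUser) {
        if (remoteUser == null || remoteUser.isBlank()) {
            return Optional.empty();              // nobody authenticated
        }
        // Assumption: profiles are stored in upper case in the security file.
        String profile = remoteUser.trim().toUpperCase(Locale.ROOT);
        return Optional.ofNullable(SECURITY_FILE.get(profile));
    }

    // Step 4: "Customer# EQ ?" is filled from the lookup only. requestedCustomerNo
    // stands for a value arriving with the request; it is deliberately ignored.
    static List<Order> report(String remoteUser, Integer requestedCustomerNo) {
        Optional<Integer> assigned = customerFor(remoteUser);
        if (assigned.isEmpty()) {
            return List.of();                     // fail closed: no entry, no rows
        }
        int customerNo = assigned.get();
        return ORDERS.stream().filter(o -> o.customerNo() == customerNo).toList();
    }

    public static void main(String[] args) {
        System.out.println(report("jeronim", null));    // mixed-case sign-on
        System.out.println(report("JERONIM", 100300));  // request names another customer
        System.out.println(report("GUEST", 100200));    // profile with no security-file entry
        System.out.println(report(null, 100200));       // no authenticated user
    }
}
```

Requires Java 16 or later (records and Stream.toList()).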



Have a hotline question of your own? Send an e-mail to support@mrc-productivity.com and let our product specialists help you!



 mrc publishes this newsletter on a monthly basis. Subscription is free of charge. Please send any questions or comments about this newsletter to news@mrc-productivity.com. This newsletter is edited by Heather Gately.
