Knowledgebase
Can we use the user's windows login without having the Visual Guard
.Net login screen appear at all?
In case of Active Directory accounts and SSO: When the user starts
his computer and opens a windows session, each application opens
without displaying VG login window.
In case of UN/PW account: A login window has to be opened to ask the
user his credentials. You can use either Visual Guard .Net login
window or a login window you have developed on your own.
Visual Guard
We add an entirely new section to OUR application, which means new
roles and permissions need to be added to an existing application. Is
there a way to roll changes to Roles/Permissions into an existing
installation?
This is the initial purpose of VG deployment features:
VG automates the process of updating the permissions and roles coming
with each new version of an application.
When deployed into production, this information does not interfere
with the data defined by the administrator (User account...
Which prerequisites must have a variable to appear in the permissions
configuration chart?
All DotNet controls can be manage by the Permission Editor. You can
create properties, and those properties will be visible if you add the
interface "VGISecurable" and call the method "SetSecurity" in the
class.
Visual Guard .NET
How could we define authorization depending on data stored in the db?
You can define a VG Expression or a regular expression that would:
o Execute a VG action if a condition involving a data is successful
For instance: the permission applies if the customer is American
SalesOrder.Customer.Country == 'USA'
o Apply a value to a property calculated with other data in the form
For instance : button cb_2 is visible when button cb_1 is
cb_2.visible=cb_1.visible
Other examples:
* Permissions with paramet...
How can we give authorization based on business rules, e.g. Limited
time access to a feature (subscription)?
You can define a condition in a VG action to compare a subscription
date with the current date.
You can also update a property with an expression like:
cb_save.visible = (limitDate > System.Datetime.Today).
In this case, cb_save remains visible as long as the current date does
not exceed limitDate.
Visual Guard .NET
How to give access to only a subset of data coming from one table?
Option 1:
You can build a dynamic query, using a Web Service property to define
its "where" clause. You can then dynamically change this where clause
with a VG property action.
For instance, you can add a "where" clause to a
SelectCommand.SqlDataSource
property like this:
MySqlDataSource.SelectCommand = {CurrentValue} .
If the query may already contain a "where" clause, you will take it
into account
with a regular expression like:
...
How you can handle advanced authorization like configuring the number
of items that can be selected in list?
You can build a dynamic Query, using for instance the SQL command
"limit". This limit would rely on a Web Service Property, updated with
a VG property action.
Another option may consist in checking the number of rows with a
count(*) and executing the query if this count does not exceed a given
limit, defined by a
property updated by VG property actions.
Bottom line, such a permission would inc...
By default, should we develop our applications in minimum or maximum
security?
Visual Guard supports both options but :
For security reasons, we strongly recommend maximum security
=> You close all doors at development time and open them one by one
with permissions
and NOT to develop in minimum security.
( "open all door" at development time and close them one by one with
restrictions)
FYI, Microsoft's security patterns include a strict
"nothing-allowed-by-default" policy.
The reason is if you fo...
Can we check for permissions in code instead of relying on the
console to connect to the application and determining whether certain
controls are visible/enabled?
You can check in code that the current user has a given permission
with the GetPermissionMethod
You can also check the role of the current user, get its list of
permissions, etc...
GetPermissionMethod
http://www.visual-guard.com/EN/dotnet-s ... sion_1.htm [1]
Visual Guard .NET
Links:
------
[1]
http://novalys.net/EN/dotnet-security-user...
Question: How can i do the following with VG:
The User can log in with their new ID and PW and make changes to some
fields of the DB without gaining access to folders or files and other
fields or records.
Visual Guard does not act directly on the database.
VG allows creating permissions on applications written in C# or
VB.Net.
You can indirectly control access to the database.
Lets take an example:
You have a C# app. This C# app displays some information from your DB
in field A.
You can create with VG...
Is it possible to call a "vg permission set" to set form properties
directly from script?
I want to enable or disable some menu options on the frame based upon
some criteria other than the user's role but do not want to hard code
this.
There are several ways to do that.
I believe the best way consist in defining a permission with a
condition:
* This permission will include a property action enabling menu
options.
* This property action will include a condition
* The regular expression in this conditi...
Hello,
I have a lot of forms and I would like to know if there is a way to
create several permissions in one time, rather than creating one
permission per form.
You can create a permission for an ancestor window. It will be
applyed to all of its descendants.
Visual Guard
When you set a permission (example button.enabled = false) and then
as part of the normal application logic when using the program the
code tries to set the button to true, does visual guard stop the
application from changing this property? If not, is there a nice way
to do this?
There are several option to get this result:
1) Run the permission after the change done by the application: you
can decide to apply a permission on an event of the application rather
than on the initialization of the object...
Is the general practice to develop our applications as if the default
access will be least privilege? That is, are we best to 'hide'
everything by default in code that may be hidden - eg Admin buttons
etc, then create a permission that 'shows' the object.
It is a best practise to develop your application with the "least
privilege by default" but this practise has a cost.
It is more difficult for a developer to develop and test in this mode.
I think it is a better practise to determine what is very s...
LAYOUT OF THE FORM AFTER HIDING FIELDS
When information is hidden (example of the permission "hide personal
information"), what can I do to remove the spaces left by the
information?
When we hide fields (like in your sample), how can we re-arrange the
form so that our customers do not see the blanks in place of the
hidden fields?
You have different options to act on the form layout:
You can modify the appropriate property of the remaining components to
change their position in your form.
You can u...
Is it possible to add a control?
Visual Guard allows the modification of existing controls or the
execution of a script. So you can dynamically create a control with a
script, but more likely will you hide or show existing controls
according to permissions.
Visual Guard
Is it possible to parameter permissions?
It is possible to add parameters to a permission. In the .NET sample,
there is a permission "display only information on a country" with a
parameter "country" which specifies the country you want to display.
When this permission is linked to a permission set, you have to
indicate the country (for example for the permission set UK HR
employee the parameter is UK). This value may also be indicated by the
program in run time.
Visual Guard
Can Visual Guard .Net prevent a mechanic to be able to access any
parts classed as 'Sales' modules?
Yes!
The idea is to identify in your applications every object (form,
control, link...) which is related to your "sales" module.
Then you create "hide" or "disable" permissions for all of them.
then, you gather all these permissions in a pemission set (for example
"Mechanic permissions")
You create a role "mechanic" and you link it to the permission set
"Mechanic permissions"
You create the user acc...
Can permissions be created that basically do nothing? For instance,
create a permission that is not tied to a method, property or control.
Basically just a name.
The idea would be that I give this permission to a role and in code be
able to query if the user has that permission. I believe you would
support this but didn't specifically see this in your demo or forum.
Definitely. You can create such a permission and query in the code if
a user has been assigned this permission.
It's possible too for a ...
Where does Visual Guard.Net find the list of components defined in my
.NET application? In the source code or in the executable?
- For Winform applications, Visual Guard .Net will analyze executable
files (starting with the main assembly of the application, then all
referenced assemblies).
- For Webform projects, Visual Guard .Net compiles the site resources
and analyzes the generated assemblies.
Visual Guard
When declaring a new application in Visual Guard .Net we indicate an
assembly. What if other assemblies are loaded while the application is
running to optimize memory usage?
No problem: Visual Guard .Net takes into account the main assembly
and the referenced ones. Actually, Visual Guard .Net "sees" all
objects involved in the compilation.
Visual Guard
If we have different repositories, one for each of our environments:
development, test, production,
Can we copy permissions and permissions sets between
environments/repositories?
If so, when I'm working in a certain environment, could I know which
new elements (roles, permissions, …) have I added to this
environment so I can copy them to the other environments?
VG provides a deployment tool to deploy security rules from one
repository to another.
You can read more at:
http://www.visual-guard.com/EN...
We have different working environments: development, test,
production, …
The Visual Guard .Net Console allows you to create, see and manage
several repositories at the same time in a tree view.
You can create one repository per environment.
Could we define different permissions set for different repositories?
Definitely. Permissions sets are created and managed in the Visual
Guard Win console per applications. A permission set is created for an
application. You can manage several applications i...
Is it a heritage mechanism that enables the integration of a set of
permissions in another set of permissions?
Yes, it is indeed a kind of multiple heritage mechanism.
Visual Guard .NET
Applying permissions:
Visual Guard offers 2 different strategies to apply permissions to
the application:
1 - Static Permissions: *The application retrieves the user
permissions from Visual Guard *Then, the application takes some
actions to secure itself accordingly *These actions are coded by the
developers, in the application.
2 - Dynamic Permissions: *The Visual Guard run-time is embedded in
the application. *It retrieves the user permissions. *It executes
automatically some actions to sec...
Authorizations define what a user can do in an application:
Basically, you define what the user is allowed to see, do and modify
in the application.
You need to choose between two ways of defining authorizations:
* The most secure way is to forbid everything by default, and then
grant permissions to open possibilities. This way, if you forget to
define a permission, the user won't be able to do something he should,
rather than accidentally do something he shouldn't.
* The faster way is to al...
Help Desk by Novalys