Knowledgebase : Visual Guard > Manage Permissions > Managing permissions
Can we use the user's Windows login without having the Visual Guard .Net login screen appear at all? In case of Active Directory accounts and SSO: When the user starts his computer and opens a Windows session, each application opens without displaying the VG login window. In case of UN/PW account: A login window has to be opened to ask the user for his credentials. You can use either the Visual Guard .Net login window or a login window you have developed on your own. Visual Guard
We add an entirely new section to OUR application, which means new roles and permissions need to be added to an existing application. Is there a way to roll changes to Roles/Permissions into an existing installation? This is the initial purpose of VG deployment features: VG automates the process of updating the permissions and roles coming with each new version of an application. When deployed into production, this information does not interfere with the data defined by the administrator (User account...
Which prerequisites must a variable meet to appear in the permissions configuration chart? All DotNet controls can be managed by the Permission Editor. You can create properties, and those properties will be visible if you add the interface "VGISecurable" and call the method "SetSecurity" in the class. Visual Guard .NET
How could we define authorization depending on data stored in the db? You can define a VG Expression or a regular expression that would:
o Execute a VG action if a condition involving data is successful. For instance, the permission applies if the customer is American: SalesOrder.Customer.Country == 'USA'
o Apply a value to a property calculated with other data in the form. For instance, button cb_2 is visible when button cb_1 is: cb_2.visible=cb_1.visible
Other examples: * Permissions with paramet...
How can we give authorization based on business rules, e.g. Limited time access to a feature (subscription)? You can define a condition in a VG action to compare a subscription date with the current date. You can also update a property with an expression like: cb_save.visible = (limitDate > System.DateTime.Today). In this case, cb_save remains visible as long as the current date does not exceed limitDate. Visual Guard .NET
How to give access to only a subset of data coming from one table? Option 1: You can build a dynamic query, using a Web Service property to define its "where" clause. You can then dynamically change this where clause with a VG property action. For instance, you can add a "where" clause to a SelectCommand.SqlDataSource property like this: MySqlDataSource.SelectCommand = {CurrentValue}. If the query may already contain a "where" clause, you will take it into account with a regular expression like: ...
How can you handle advanced authorization like configuring the number of items that can be selected in a list? You can build a dynamic query, using for instance the SQL command "limit". This limit would rely on a Web Service Property, updated with a VG property action. Another option may consist in checking the number of rows with a count(*) and executing the query if this count does not exceed a given limit, defined by a property updated by VG property actions. Bottom line, such a permission would inc...
By default, should we develop our applications in minimum or maximum security? Visual Guard supports both options, but for security reasons we strongly recommend maximum security: you close all doors at development time and open them one by one with permissions. We recommend NOT developing in minimum security ("open all doors" at development time and close them one by one with restrictions). FYI, Microsoft's security patterns include a strict "nothing-allowed-by-default" policy. The reason is if you fo...
Can we check for permissions in code instead of relying on the console to connect to the application and determining whether certain controls are visible/enabled? You can check in code that the current user has a given permission with the GetPermissionMethod. You can also check the role of the current user, get its list of permissions, etc. GetPermissionMethod http://www.visual-guard.com/EN/dotnet-s ... sion_1.htm [1] Visual Guard .NET Links: ------ [1] http://novalys.net/EN/dotnet-security-user...
Question: How can I do the following with VG: The User can log in with their new ID and PW and make changes to some fields of the DB without gaining access to folders or files and other fields or records. Visual Guard does not act directly on the database. VG allows creating permissions on applications written in C# or VB.Net. You can indirectly control access to the database. Let's take an example: You have a C# app. This C# app displays some information from your DB in field A. You can create with VG...
Is it possible to call a "vg permission set" to set form properties directly from script? I want to enable or disable some menu options on the frame based upon some criteria other than the user's role but do not want to hard code this. There are several ways to do that. I believe the best way consists in defining a permission with a condition:
* This permission will include a property action enabling menu options.
* This property action will include a condition
* The regular expression in this conditi...
Hello, I have a lot of forms and I would like to know if there is a way to create several permissions at once, rather than creating one permission per form. You can create a permission for an ancestor window. It will be applied to all of its descendants. Visual Guard
When you set a permission (example button.enabled = false) and then as part of the normal application logic when using the program the code tries to set the button to true, does visual guard stop the application from changing this property? If not, is there a nice way to do this? There are several options to get this result: 1) Run the permission after the change done by the application: you can decide to apply a permission on an event of the application rather than on the initialization of the object...
Is the general practice to develop our applications as if the default access will be least privilege? That is, are we best to 'hide' everything by default in code that may be hidden - e.g. Admin buttons etc, then create a permission that 'shows' the object. It is a best practice to develop your application with the "least privilege by default" but this practice has a cost. It is more difficult for a developer to develop and test in this mode. I think it is a better practice to determine what is very s...
LAYOUT OF THE FORM AFTER HIDING FIELDS When information is hidden (example of the permission "hide personal information"), what can I do to remove the spaces left by the information? When we hide fields (like in your sample), how can we re-arrange the form so that our customers do not see the blanks in place of the hidden fields? You have different options to act on the form layout: You can modify the appropriate property of the remaining components to change their position in your form. You can u...
Is it possible to add a control? Visual Guard allows the modification of existing controls or the execution of a script. So you can dynamically create a control with a script, but more likely you will hide or show existing controls according to permissions. Visual Guard
Is it possible to parameterize permissions? It is possible to add parameters to a permission. In the .NET sample, there is a permission "display only information on a country" with a parameter "country" which specifies the country you want to display. When this permission is linked to a permission set, you have to indicate the country (for example for the permission set UK HR employee the parameter is UK). This value may also be indicated by the program at run time. Visual Guard
Can Visual Guard .Net prevent a mechanic from accessing any parts classed as 'Sales' modules? Yes! The idea is to identify in your applications every object (form, control, link...) which is related to your "sales" module. Then you create "hide" or "disable" permissions for all of them. Then, you gather all these permissions in a permission set (for example "Mechanic permissions"). You create a role "mechanic" and you link it to the permission set "Mechanic permissions". You create the user acc...
Can permissions be created that basically do nothing? For instance, create a permission that is not tied to a method, property or control. Basically just a name. The idea would be that I give this permission to a role and in code be able to query if the user has that permission. I believe you would support this but didn't specifically see this in your demo or forum. Definitely. You can create such a permission and query in the code if a user has been assigned this permission. It's possible too for a ...
Where does Visual Guard .Net find the list of components defined in my .NET application? In the source code or in the executable? - For Winform applications, Visual Guard .Net will analyze executable files (starting with the main assembly of the application, then all referenced assemblies). - For Webform projects, Visual Guard .Net compiles the site resources and analyzes the generated assemblies. Visual Guard
When declaring a new application in Visual Guard .Net we indicate an assembly. What if other assemblies are loaded while the application is running to optimize memory usage? No problem: Visual Guard .Net takes into account the main assembly and the referenced ones. Actually, Visual Guard .Net "sees" all objects involved in the compilation. Visual Guard
If we have different repositories, one for each of our environments: development, test, production, can we copy permissions and permission sets between environments/repositories? If so, when I'm working in a certain environment, could I know which new elements (roles, permissions, …) I have added to this environment so I can copy them to the other environments? VG provides a deployment tool to deploy security rules from one repository to another. You can read more at: http://www.visual-guard.com/EN...
We have different working environments: development, test, production, … The Visual Guard .Net Console allows you to create, see and manage several repositories at the same time in a tree view. You can create one repository per environment. Could we define different permission sets for different repositories? Definitely. Permission sets are created and managed in the Visual Guard Win console per application. A permission set is created for an application. You can manage several applications i...
Is it an inheritance mechanism that enables the integration of a set of permissions in another set of permissions? Yes, it is indeed a kind of multiple inheritance mechanism. Visual Guard .NET
Applying permissions: Visual Guard offers 2 different strategies to apply permissions to the application:
1 - Static Permissions:
* The application retrieves the user permissions from Visual Guard
* Then, the application takes some actions to secure itself accordingly
* These actions are coded by the developers, in the application.
2 - Dynamic Permissions:
* The Visual Guard run-time is embedded in the application.
* It retrieves the user permissions.
* It executes automatically some actions to sec...
Authorizations define what a user can do in an application: Basically, you define what the user is allowed to see, do and modify in the application. You need to choose between two ways of defining authorizations:
* The most secure way is to forbid everything by default, and then grant permissions to open possibilities. This way, if you forget to define a permission, the user won't be able to do something he should, rather than accidentally do something he shouldn't.
* The faster way is to al...
Help Desk by Novalys