Applicable Versions: 2.01.0152 and above
Security settings that determine whether or not users can change systems, links and subjects are critical if the security of the business application is to be maintained. To ensure these settings are maintained as designed, regardless of the client machine used to access the system, DataPA allows these settings to be controlled on the server through a business logic procedure.
If DataPA has a DataLocation set to an AppServer (see KB "How do I store my setup centrally on the server rather than on each client?"), it will try to retrieve the security settings from the server when it is first executed. To do this it will attempt to run a server-side procedure called PAGetSecData.p. If the procedure does not exist on the server, DataPA will load the security settings from the registry on the client.
To control client security from the server, follow these steps:
Step 1 - Create a Server Security Procedure
The server security procedure must be called PAGetSecData.p and reside in the PROPATH of the AppServer. The procedure receives the username as an input parameter, and passes back a temp-table with a single record that contains the security settings as an output. You can download example server-side procedures from the downloads section.
The definitions for this procedure should be as follows:
DEFINE TEMP-TABLE ttSecData
    FIELD AllowLinks AS INTEGER INITIAL 2
    FIELD AllowSecurity AS INTEGER INITIAL 2
    FIELD AllowSetup AS INTEGER INITIAL 2
    FIELD AllowSubject AS INTEGER INITIAL 2
    FIELD AllowSystem AS INTEGER INITIAL 2
    FIELD RequireSetupPassword AS INTEGER INITIAL 2
    FIELD SetupPassword AS CHARACTER INITIAL ""
    FIELD UserLevel AS CHARACTER INITIAL ""
    FIELD RegUser AS CHARACTER INITIAL ""
    FIELD RegOrganisation AS CHARACTER INITIAL ""
    FIELD RegSerialNum AS CHARACTER INITIAL ""
    FIELD RegCode AS CHARACTER INITIAL ""
    FIELD RegCrystalCode AS CHARACTER INITIAL ""
    FIELD AllowSetupLockOverride AS LOGICAL INITIAL FALSE.

DEFINE INPUT PARAMETER ip-cUserName AS CHARACTER NO-UNDO.
DEFINE INPUT-OUTPUT PARAMETER TABLE FOR ttSecData.
NB: For versions of DataPA before 3.00.0064, remove the AllowSetupLockOverride field as it was introduced with this version.
The username received by PAGetSecData.p is the username entered by the user when DataPA connects to the AppServer, if available, otherwise the user's Windows username. This username can be used to determine the security settings that should be returned. The table below describes the function of each of the fields in the ttSecData temp-table:
| Field | Function |
|---|---|
| AllowLinks | Indicates whether or not the user will be able to create, delete and modify links. 0=False, 1=True, 2=Default |
| AllowSecurity | Indicates whether or not the user will be able to modify security settings for that session. 0=False, 1=True, 2=Default |
| AllowSetup | Indicates whether or not the user will have access to the setup screen. 0=False, 1=True, 2=Default |
| AllowSubject | Indicates whether or not the user will be able to create, delete and modify subjects and lookups. 0=False, 1=True, 2=Default |
| AllowSystem | Indicates whether or not the user will be able to create, delete and modify Systems. 0=False, 1=True, 2=Default |
| RequireSetupPassword | Indicates whether or not the user requires a password to access the security screen. 0=False, 1=True, 2=Default |
| SetupPassword | The password required to access the security screen if required. |
| UserLevel | If set to RunOnly, will prevent the user from creating or modifying queries and reports. |
| RegUser | If the client is not licensed, the user name for the client license to apply. |
| RegOrganisation | If the client is not licensed, the organization for the client license to apply. |
| RegSerialNum | If the client is not licensed, the serial number for the client license to apply. |
| RegCode | If the client is not licensed, the registration code for the client license to apply. |
| RegCrystalCode | If the client is not licensed, the Crystal Advanced Developer license code to apply to the client. |
| AllowSetupLockOverride | Set to True to allow the user to override the lock from themselves or another user on the setup screen. This will result in the first user being unable to save any changes to the setup files. (Version 3.00.0064 and above only) |
So, for example, if you want to provide all users with access to the setup screen and wizards, you would need to add the following code after the temp-table definition:
ASSIGN AllowSetup = 1
       AllowSystem = 1
       AllowLinks = 1
       AllowSubject = 1.
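One way to return different settings per user from PAGetSecData.p, as an added example rather than DataPA's own shipped procedure. The temp-table and parameters are copied from the definitions above; the allow-list `cSetupUsers`, its sample usernames and the FIND/CREATE record handling are assumptions.

```abl
/* PAGetSecData.p: added example, not DataPA's shipped procedure. */
DEFINE TEMP-TABLE ttSecData
    FIELD AllowLinks AS INTEGER INITIAL 2
    FIELD AllowSecurity AS INTEGER INITIAL 2
    FIELD AllowSetup AS INTEGER INITIAL 2
    FIELD AllowSubject AS INTEGER INITIAL 2
    FIELD AllowSystem AS INTEGER INITIAL 2
    FIELD RequireSetupPassword AS INTEGER INITIAL 2
    FIELD SetupPassword AS CHARACTER INITIAL ""
    FIELD UserLevel AS CHARACTER INITIAL ""
    FIELD RegUser AS CHARACTER INITIAL ""
    FIELD RegOrganisation AS CHARACTER INITIAL ""
    FIELD RegSerialNum AS CHARACTER INITIAL ""
    FIELD RegCode AS CHARACTER INITIAL ""
    FIELD RegCrystalCode AS CHARACTER INITIAL ""
    FIELD AllowSetupLockOverride AS LOGICAL INITIAL FALSE.

DEFINE INPUT PARAMETER ip-cUserName AS CHARACTER NO-UNDO.
DEFINE INPUT-OUTPUT PARAMETER TABLE FOR ttSecData.

/* Hypothetical allow-list; replace with a lookup in your own user/role tables. */
DEFINE VARIABLE cSetupUsers AS CHARACTER NO-UNDO INITIAL "dpa.admin,report.owner".
DEFINE VARIABLE lMaySetup   AS LOGICAL   NO-UNDO.

/* Assumption: reuse the record passed in by the client, or create the
   single record if the table arrives empty. */
FIND FIRST ttSecData NO-ERROR.
IF NOT AVAILABLE ttSecData THEN CREATE ttSecData.

/* Unknown (?) or blank usernames never match the allow-list. */
lMaySetup = ip-cUserName <> ? AND ip-cUserName <> ""
            AND LOOKUP(ip-cUserName, cSetupUsers) > 0.

IF lMaySetup THEN
    ASSIGN ttSecData.AllowSetup   = 1
           ttSecData.AllowSystem  = 1
           ttSecData.AllowLinks   = 1
           ttSecData.AllowSubject = 1.
ELSE
    /* Default deny: explicit 0 rather than 2 (Default). */
    ASSIGN ttSecData.AllowSetup    = 0
           ttSecData.AllowSystem   = 0
           ttSecData.AllowLinks    = 0
           ttSecData.AllowSubject  = 0
           ttSecData.AllowSecurity = 0
           ttSecData.UserLevel     = "RunOnly".
```

Because the username may be the client's Windows username rather than one entered at the AppServer connection, any user who does not match the allow-list falls into the restrictive branch.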
Step 2 - Configuring the AppServer to use Server-Side security
To configure the AppServer to use Server-Side security settings simply ensure PAGetSecData.p is in the PROPATH for the AppServer. To modify the PROPATH of the AppServer, follow these steps:
- Copy the connect procedure detailed above into the PROPATH of the AppServer
- Start Progress Explorer
- Choose the AppServer
- Choose Action-->Properties
- Expand the Agent tree from the Properties dialog box and select General
- Modify the PROPATH to include the directory containing PAGetSecData.p
- Press OK
- Restart the AppServer
Step 3 - Configure DataPA to use Server-Side Security
If an AppServer is configured correctly to distribute server-side security, simply set the DataLocation to that AppServer (see KB "How do I store my setup centrally on the server rather than on each client?") to configure the DataPA client to use server-side security.