Welcome!

SAP Authors: Elizabeth White, Liz McMillan, Dana Gardner, Cynthia Dunlop, Carmen Gonzalez

Related Topics: PowerBuilder, .NET, SAP

PowerBuilder: Article

DataWindow Magic: Menu Security

Designing and implementing your own

Security is a must for most corporate applications. This article will give you a starting point to designing and implementing your own. We will do it with a table that is added to the example database and implement it in ancestor code. The idea is that you should only have to add rows to a table to implement your security.

The Table
The security table will provide a means to turn on and off controls and menu items as our inherited objects are constructed.

Security

Login_name varchar(20) PK

Application varchar(20) PK

Item_type varchar(10) PK

Item_name varchar(20) PK

Priviledge varchar(2)

 

Security

Column Name

Data Type

Description

Login_name

Varchar(20) PK

The login name of the user

Application

Varchar(20) PK

The name of the application

Item_type

Varchar(10) PK

Might be window or menu or a type of control in a window like a command button. We will only cover menu types in this article.

Item_name

Varchar(60) PK

Menu item name like "File" or "New"

Priviledge

Char(2)

NULL = no priviledges

R = read only

I = Invisible

W = read/write

The Item Datastore
Although I had several choices I decided to create a datastore that would return all of the specified item types for an application. If I was in a menu I could look for menus. If I was in a window I could look for windows.

Ds_security_list data source

SELECT "security"."application",  
"security"."item_name",  
"security"."priviledge",  
"security"."login_name" 
FROM "security" 
WHERE ( "security"."item_type" = :as_itemType ) AND 
( "security"."application" = :as_appName ) AND 
"security"."login_name" = :as_loginName

This will give you all the items and privileges for the supplied application name and itemtype.

Now that we have this we can start our menu.

The Root Menu
Menus don't have constructors. We are going to implement our security with a function. I created a new menu and added a function called mf_loadSecurity.

Here is the code for mf_loadSecurity

M_root.mf_loadSecurity(as_loginName, as_appName)

// First get a list of all menu security items
datastore lds
lds = create datastore
lds.dataobject = "ds_security_list"
lds.settransobject( sqlca)

// Now retrieve
long ll_row, ll_max
ll_max = lds.retrieve(as_loginName, as_appName, "menu")

Let's discuss this code a little before we continue. As you'll see, handling a menu programmatically, for any reason, is necessarily complex.

The menu object has an array of items in it. Each of those items is another menu item that also has its array of items.

If the array of items in any particular menu item has no elements, then that is a bottom level menu item. If there are elements in the array then those elements compose the sub-menu for that menu item.

You might want to read the last couple of paragraphs a few times. Here, let me give you an example.

For my article I created a menu object inherited from m_root and named m_main that looks something like the following:

I didn't want to confuse the issue too much so I put in only the File menu option along the top. Under File I put New and Exit. Under New I put Test 1, Test 2, and Test 3.

Here is how the menu looks in the menu painter.

Note that I have an item called Invisible in the menu. This comes from m_root. I put it there to implement system-wide shortcuts. The visible property for this is FALSE.

For our test we are only concerned with the Test 1, Test 2, and Test 3 menu items. I am going to make Test 1 read-only and Test 2 invisible.

Since we have this metaphor of arrays of menu items within menu items we are forced to use recursion. Don't worry, though, we'll walk through it.

Recursion
Recursion has been known to throw even the bravest programmer into fits of apprehension. Essentially we need two functions. One just fires off the recursive function for every element in its item array. The recursive function will check to see if the arguments to itself are a match. If so, it returns itself. If they are not then it loops through its own item array, calling itself for each element.

The function mf_loadSecurity calls the recursive function. The first part loads the datastore that holds the security list. We have already defined that. The mf_loadSecurity takes two arguments. Those are the arguments that are used to retrieve that array.

Once we retrieve that datastore we have a row for every row in the security table that matches the login name of the user and the application name has an item_type of ‘menu'. At this point we are not worried about the window security. The mf_loadSecurity will loop through all of those to work its magic.

Note that I could have gone the opposite route and looped through each and every menu item recursively then done a singleton select in each one. I chose the former because I think it will be rare that we will have a row for all of the menu items and thus this will be a faster response time. Here we do one call to the server for the result set rather than one call for every menu item.

I loop through every row. I extract the privilege and the item name for each row. I call the recursive function for each row, looking for the item. I pass myself and the item name.

The recursive function mf_findMenuItem will return the found menu item or a null. If it is a null then the menu item was not found.

If the item was indeed found then I set the appropriate property for that menu item (depending on the privilege that I just read).

If you look closely at the code for mf_loadSecurity while reading the explanation you should be able to understand rather easily.

mf_findMenuItem
mf_findMenuItem is the recursive function. It calls itself from within itself. Recursion is not terribly complicatee but you have to remember to give yourself some way to unwind from the function otherwise you waste a lot of processing.

M_root.mf_findMenuItem(menu amenu, string as_name)

//Are we there yet?
if amenu.text = as_name then
return amenu // Yes, we are... let's go home
end if
// This wasn't a match, we have to look in the item array

long ll_row, ll_max
menu lmenu_return // the return value
setNull(lmenu_return) // default to null

// Loop through the item array

ll_max = upperBound(amenu.item)
for ll_row = 1 to ll_max
// Call myself for every element in the array

lmenu_return = mf_findMenuItem(amenu.item[ll_row], as_name)
if isNull(lmenu_return) then
// It was not a match, look in the next element
else
return lmenu_return // We got a match, time to unwind
end if
next

// No match in the entire item array, sorry about that.
return lmenu_return

The comments should make this fairly obvious but I'll walk you through it anyway.

We have two arguments. One is the menu that we would like to search. Remember, it has its own item array. First we check to see if this menu item is a match. If it is then we're done. If it's not then we have to search every element in the item array for a match.

That's basically all there is to it.

Insert Security Rows in the Database
Next we need to insert the two rows in the database that will let us have the effect we want. One row has to set the ‘Test 1' menu item to read-only and the other sets ‘Test 2' to invisible.

Rows for our security table

INSERT INTO "security" 
( "login_name",  
"application",  
"item_type",  
"item_name",  
"priviledge" ) 
VALUES ( 'dba',  
'security_test',  
'menu',  
'Test 1',  
'R' )  ;

INSERT INTO "security" 
( "login_name",  
"application",  
"item_type",  
"item_name",  
"priviledge" ) 
VALUES ( 'dba',  
'security_test',  
'menu',  
'Test 2',  
'I' )  ;

Implementing the Menu Security
Now we inherit a window from w_root and we give it the m_main menu. Then we go to the open event of w_root and put in the following code:

W_main.open

m_root lmenu
lmenu = this.menuid
lmenu.mf_loadsecurity("dba" , "security_test" )

This should be pretty self-explanatory. You might not be aware of what the second line means. The menuid property of any window is the menu object that is assigned to that window.

You might wonder why I would add this code to the open event and not the ue_postOpen. The answer lies in the functionality of the open even and ue_postOpen.

The open event happens before the drawing of the window. The ue_postOpen is posted in the ancestor window (w_root) and therefore happens after the window is drawn. In our case we don't want the window to be displayed until after the security happens so this is one of the very rare instances where we want code in the open as opposed to the postOpen events.

The Final Touch
Lastly we have to add the code for the Application open event to fire everything off.

Application open event

// Profile EAS Demo DB V115
SQLCA.DBMS = "ODBC"
SQLCA.AutoCommit = False
SQLCA.DBParm = "ConnectString='DSN=EAS Demo DB V115;UID=dba;PWD=sql'"
connect using sqlca;

open(w_main)

Of Course There Is Always More
If you think about the menu security you will soon realize that we don't allow for duplicate menu texts. Only the first match to a text will be found. We could change this by comparing the menu name rather than text. That would be something like m_root.m_file.m_new.Test1. That won't be a hard change if you want to do it yourself.

You could also use this metaphor to implement window level security. Using the same table then looping through the control array for the window in the open event looking for window controls that are in the security table for the user name and application. That should be simple enough for you now that you know how to do it.

NOTE: The code in this article uses my proprietary tools.pbl. You can reproduce it or you can write me asking for both the source of this article and the tools pbl as well. My e-mail address is at the bottom of the article.

Also, all the data for the application comes from the sample database that comes with PowerBuilder. That is the database that almost all of my readers have. I have had to expand the table though to support the needs of this article.

More Stories By Richard (Rik) Brooks

Rik Brooks has been programming in PowerBuilder since the final beta release before version 1. He has authored or co-authored five books on PowerBuilder including “The Definitive DataWindow”. Currently he lives in Mississippi and works in Memphis, Tennessee.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
One of the biggest challenges when developing connected devices is identifying user value and delivering it through successful user experiences. In his session at Internet of @ThingsExpo, Mike Kuniavsky, Principal Scientist, Innovation Services at PARC, described an IoT-specific approach to user experience design that combines approaches from interaction design, industrial design and service design to create experiences that go beyond simple connected gadgets to create lasting, multi-device experiences grounded in people's real needs and desires.
Enthusiasm for the Internet of Things has reached an all-time high. In 2013 alone, venture capitalists spent more than $1 billion dollars investing in the IoT space. With "smart" appliances and devices, IoT covers wearable smart devices, cloud services to hardware companies. Nest, a Google company, detects temperatures inside homes and automatically adjusts it by tracking its user's habit. These technologies are quickly developing and with it come challenges such as bridging infrastructure gaps, abiding by privacy concerns and making the concept a reality. These challenges can't be addressed w...
The Domain Name Service (DNS) is one of the most important components in networking infrastructure, enabling users and services to access applications by translating URLs (names) into IP addresses (numbers). Because every icon and URL and all embedded content on a website requires a DNS lookup loading complex sites necessitates hundreds of DNS queries. In addition, as more internet-enabled ‘Things' get connected, people will rely on DNS to name and find their fridges, toasters and toilets. According to a recent IDG Research Services Survey this rate of traffic will only grow. What's driving t...
Connected devices and the Internet of Things are getting significant momentum in 2014. In his session at Internet of @ThingsExpo, Jim Hunter, Chief Scientist & Technology Evangelist at Greenwave Systems, examined three key elements that together will drive mass adoption of the IoT before the end of 2015. The first element is the recent advent of robust open source protocols (like AllJoyn and WebRTC) that facilitate M2M communication. The second is broad availability of flexible, cost-effective storage designed to handle the massive surge in back-end data in a world where timely analytics is e...
Scott Jenson leads a project called The Physical Web within the Chrome team at Google. Project members are working to take the scalability and openness of the web and use it to talk to the exponentially exploding range of smart devices. Nearly every company today working on the IoT comes up with the same basic solution: use my server and you'll be fine. But if we really believe there will be trillions of these devices, that just can't scale. We need a system that is open a scalable and by using the URL as a basic building block, we open this up and get the same resilience that the web enjoys.
We are reaching the end of the beginning with WebRTC, and real systems using this technology have begun to appear. One challenge that faces every WebRTC deployment (in some form or another) is identity management. For example, if you have an existing service – possibly built on a variety of different PaaS/SaaS offerings – and you want to add real-time communications you are faced with a challenge relating to user management, authentication, authorization, and validation. Service providers will want to use their existing identities, but these will have credentials already that are (hopefully) i...
"Matrix is an ambitious open standard and implementation that's set up to break down the fragmentation problems that exist in IP messaging and VoIP communication," explained John Woolf, Technical Evangelist at Matrix, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it's a mix of architectural styles ...
The Internet of Things will put IT to its ultimate test by creating infinite new opportunities to digitize products and services, generate and analyze new data to improve customer satisfaction, and discover new ways to gain a competitive advantage across nearly every industry. In order to help corporate business units to capitalize on the rapidly evolving IoT opportunities, IT must stand up to a new set of challenges. In his session at @ThingsExpo, Jeff Kaplan, Managing Director of THINKstrategies, will examine why IT must finally fulfill its role in support of its SBUs or face a new round of...
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water, are pursuing SmartGrid initiatives that represent one of the more mature examples of SAE. We have s...
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at @ThingsExpo, Robin Raymond, Chief Architect at Hookflash, will walk through the shifting landscape of traditional telephone and voice services ...
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series data. By focusing on enterprise applications and the data center, he will use OpenTSDB as an example t...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at Internet of @ThingsExpo, James Kirkland, Chief Architect for the Internet of Things and Intelligent Systems at Red Hat, described how to revolutioniz...
Bit6 today issued a challenge to the technology community implementing Web Real Time Communication (WebRTC). To leap beyond WebRTC’s significant limitations and fully leverage its underlying value to accelerate innovation, application developers need to consider the entire communications ecosystem.
The definition of IoT is not new, in fact it’s been around for over a decade. What has changed is the public's awareness that the technology we use on a daily basis has caught up on the vision of an always on, always connected world. If you look into the details of what comprises the IoT, you’ll see that it includes everything from cloud computing, Big Data analytics, “Things,” Web communication, applications, network, storage, etc. It is essentially including everything connected online from hardware to software, or as we like to say, it’s an Internet of many different things. The difference ...
Cloud Expo 2014 TV commercials will feature @ThingsExpo, which was launched in June, 2014 at New York City's Javits Center as the largest 'Internet of Things' event in the world.
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, phone and digital TV services to consumers primarily in rural areas.
"There is a natural synchronization between the business models, the IoT is there to support ,” explained Brendan O'Brien, Co-founder and Chief Architect of Aria Systems, in this SYS-CON.tv interview at the 15th International Cloud Expo®, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo (http://www.CloudComputingExpo.com), moderated by Ashar Baig, Research Director, Cloud, at Gigaom Research, Nate Gordon, Director of T...