Welcome To The Home Of The Visual FoxPro Experts  
home. signup. forum. archives. search. google. articles. downloads. faq. members. weblogs. file info. rss.
 From: Ken Murphy
  Where is Ken Murphy?
 Ken Murphy
 To: Boudewijn Lutgerink
  Where is Boudewijn Lutgerink?
 Hoonaardstraat, Driel
 Boudewijn Lutgerink
Subject: RE: user rights and AD
Thread ID: 112224 Message ID: 112243 # Views: 1 # Ratings: 0
Version: Not Applicable Category: Projects and Design
Date: Monday, November 06, 2006 3:42:02 PM         

> > ... To do this, you need to break your app down into a series of smaller .EXE's. For example, if you were working on an accounting app, you would make the AP module into an EXE, the AR module into an EXE, the Payroll module into an EXE, etc...
> The login is a nobrainer now, however this approach is not really my cuppa tea. I use one project where I have a table with encrypted usernames and user rights.
> based on that, through GenMenuX, my menu is created, ommiting the things the user is not allowed to use and opening the things s/he may use.
> That way I have one project to maintain instead of a whole lot of apps.
> Boudewijn LutgeĀ®ink
> The attitude of "An eye for an eye and a tooth for a tooth" will make this world toothless and blind (Ghandi)


I understand where you are coming from. I used to do it that way myself, but I didn't use GenMenuX - I just disabled certain menu items based on permissions. The downside of this approach is that you need to modify the menu each time you add a module. Beyond that, you need to maintain an encrypted table of user rights. With the AD approach, the only thing you need is Active Directory. The SysAdmin is responsible for maintaining permissions, using the tool that s/he is normally uses - AD. With your approach, you have to provide the SysAdmin with a user rights maintenance procedure outside of AD.

If you still wish to do this using GenMenuX, you could query AD to see if the user belongs to a specific user group, but that gets a lot more complex. What happens when the SysAdmin changes the name of a usergroup? You also need to run the query from a profile that has admin rights or your AD query will not work. This will mean using a stored procedure running on another profile.

Maintaining a series of projects is not all that difficult. In fact, each project becomes considerably smaller and it is much simpler to find things in those smaller projects. For example, in some of my projects I only have one or two forms. The only problem you run into is when you modify a class that is used in several projects - you need to test and recompile each project. This isn't really that much of a problem though. You have to do the testing anyway - one project or six. If you change something in a class used by several forms, you have to look at each of those forms. Recompiling isn't that difficult either. I have a .PRG that contains a series of BUILD EXE commands to do this for me (that way, I do not forget to compile something.)

You shall know the truth - and the truth shall set you free. (John 8:33)


user rights and AD Posted by Boudewijn Lutgerink @ 11/6/2006 1:01:01 PM
RE: user rights and AD Posted by Ken Murphy @ 11/6/2006 1:54:20 PM
RE: user rights and AD Posted by Boudewijn Lutgerink @ 11/6/2006 3:25:37 PM
RE: user rights and AD Posted by Ken Murphy @ 11/6/2006 3:42:02 PM