DAS_Security - Tinman Development Corporation

Posted September 1 1997

Printer-friendly version

DAS Security is a full-featured security template for Clarion for Windows. It comes in a few configurations, but the Developer's Edition is the one tested in this review.

Security should be a four-letter word - "Work". It has always meant a lot of hand coding and endless testing. When everything was completed, a new form or report was added that required a totally different set of access rights. Many programming hours are dedicated to protecting a company's vital information from unauthorized access. LAN Administrators also spend countless hours trying to keep up with the many levels of security needed in today's computer systems. The DAS Security Templates from Tinman Development Corp. provide a solution to both parts of the problem by supplying a central security database along with an easy-to-use Security administration application.

Installation

After I unzipped the files the DAS Security Template installed without a hitch by registering the .tpl files dassecure.tpl and tintools.tpl. I then set about reading the help files for both the Security Administration program and the Security Templates, the only documentation provided. The help files for the templates are laid out in a logical order needed to guide the developer through adding security to multiple applications. Although the documentation is rather sparse it provided me with enough information to get started. I would recommend that the developer read through this document before adding security to an application. Security control is complicated and the DAS Templates take a standard group/user approach (i.e. Novell, NT) in dealing with its complexity.

The Security Administration help file is not laid out as well and seems to be geared toward being included in the developer's application help files. Source code and screen shots are provided for inclusion.

Implementation

Before an application will work correctly with the DAS Security Template, five steps must be taken.

1. The Security.exe, Security.sec, Security.hlp, and *.ico should be copied to your application directory. Run Security /Screate to create a new security database in the application directory.
2. Load your application into Clarion and then run the DAS-SecWizard to add the DAS-GlobalSecurity and extension templates to all procedure types selected. Alternately, if security is needed on only a few procedures, add the DAS-GlobalSecurity template manually and the extension templates as needed
3. Run the DAS-SecExport template utility to produce the security resource list that will be imported into the Security database created in step 1.
4. Run Security.exe and Import your applications.sec file created in the previous step.
5. Create Users & Groups and use the Security application to administer their access rights.

I manually added the SEC-GlobalSecurity because I only needed security on a few procedures in the Personel.app.

Global Security options

The DAS-GlobalSecurity template allows you to select the following global options for your application:

• Default and Override options for Screen, Audits, Messages and Fonts. These options let you globally customize the screens, messages and fonts generated by the extension templates that you apply to your procedures.
• Backdoor access & Hotkey control. Backdoor access creates a User ID and password that is hard coded into your program and doesn't show up in the security database. Hotkeys include Developer, Screen Lock, and Password Change.
• File options. File options control the security file type (I couldn't change it from TopSpeed) and the file location.
• Setup Code before and after login.

The next step in our little project was to set up the application so that access could be limited in certain areas. This was as easy as adding an extension template for each type of procedure. The DAS-SecurityProcedure screen is displayed below:

Procedure Security Options

Since this procedure required restrictions at the control level, I chose the Auto Build Control Properties option. This creates the resource list of controls that gets exported to the Security application. (I could have manually inserted individual controls using the Enhanced Control/Property option.) The Reports just needed to be controlled at the procedure level and only the Procedure Security level of access was needed. By using the DAS-SecurityReport template, even reports can be restricted at the control level. The rest of the magic occurs in the well-designed security database. I must mention that your control name descriptions are exported into this database and the Clarion defaults aren't very descriptive (i.e. ?Button1 with no description). If your users are going to control access to your application, care should be taken in the naming conventions on these controls.

Access Control

The DAS security database may contain multiple applications and application resources along with group and user access rights. The combination of all these elements plus time limits provides finite control of an application down to the individual component level. The security database is designed to be used by your end users and the application may be customized in the Developer's Version reviewed here. Additionally, Audits may be performed on different activities as well as a live view of who's logged into your registered applications. Password Protection is also well controlled with many different options available.

The Security application confused me at first in the way it granted access to different application, groups and users. I'm used to a hierarchical view of such relationships; e.g., Novell's NwAdmin. This interface would benefit greatly from using a Tree type browse box. The Security.app and the dictionary file are included so this is indeed possible. Once I got used to the way things worked, I must admit it took little time to change the access rights for the Manager and Clerks groups. I even limited certain individuals to specific times and adjusted my Windows clock to test the results. In order to use some of these more advanced features you must activate them from the File|Global Security Options menu.

Below is a listing of users assigned to the Clerks group as you can see it's a little confusing in that users show up that aren't in the group. When you first start they don't have any check marks next to them and I expected to see a filtered list.

Clerks Group Administration

The Applications Resource for Mangers Screen below demonstrates how the imported resources are displayed within the Security application. Lock icons indicate that that groups or users don't have rights to that particular procedure or resource. In the program this resource may be hidden, disabled, read only, skipped or destroyed.

Application Resources

Another point to mention is that every time you change your application's control names or procedures that are involved in security, it is a good idea to export and import a new .sec file. The program allows you to merge the old with the new and continue on your merry way.

Flexibility

The options within the DAS Security Templates are phenomenal and are sometimes overwhelming. The documentation warns not to be too scared by it, but novices may run screaming away anyway. My best advice would be to implement only the basics and see how your users react to it. Too much security can drive them all crazy and produce an onslaught of irate phone calls and e-mail.

Security

I could browse the security database with the owner key that was created when the security database was built. It is doubtful that a developer would distribute this information to end users. A nice feature included is the Developer Hotkey which, when you log in to an application, hides your Backdoor ID to prying eyes. I could also get into the Security Application using its Backdoor ID. This could be a potential problem and I suggest recompiling the application with a new ID.

Administration

Administration was easy once I got used to the Security Application's interface. Various reports are available to keep track of group and users' access rights along with system- audited events. Due to the depth of options these reports would prove invaluable in a large system. I think I just scratched the surface in what was possible with the Security Application. The group/user approach to Network Management is mirrored within the DAS Security Templates and this makes it easy for a LAN Admin to manage the DAS security database.

Documentation

If there is a dark side to this product, this is definitely it. The help files are rather basic and a manual would be a nice addition. The help files are also full of grammatical and spelling errors that, in today's world of spelling and grammar checkers, shows a lack of attention to detail. Luckily, the product is well designed and follows its basic design through all the templates.

Reviewer Overall Impression

I wish I had had a copy of this product five years ago; it would have saved me many sleepless nights. I like the design methodology and they way it fits in with today's network computer system. The product didn't cause any errors or stop the application from compiling even once. It's also great that the security isn't hard coded into the program, and that most of the options are contained within the DAS security database. The DAS Security Templates may be used in small, simple systems, but it is indeed scalable to large, complex systems. What was really, really nice was not a single line of code was written. The reason I use Clarion is to cut down on those unmanageable snippets of code that infest other development products.

Category	Product Score
Ability to do the task	Excellent
Ease of use	Very Good
Ease of Installation	Very Good
Documentation	Poor
Technical Support	Not Tested
Modifies Shipping Templates	No
Black-Box DLLs/LIBs	Yes

Pros: No Coding, No Errors, Standard Group/User Security model, Scalable and very flexible.

Cons: Higher price than most Security packages but well worth the investment. Documentation could use some help.

DAS_Security is available for $199, from Tinman Development Corp:

Tinman Development Corp
P.O. Box 48823
Wichita, KS 67201-8823

Email tinman@southwind.net
Phone: 1-316-942-6866

Article comments

Post a comment

You must be logged on to post comments.