SecWin - Capesoft

Posted September 1 1997

Printer-friendly version

SecWin is a feature-filled security package for Clarion for Windows. It comes in two flavors, a freeware 16 Bit version and a 32 Bit registered version - $99.00 US. The 16 Bit version is on your CW2003 CD, while the 32 Bit version can be ordered from any local TopSpeed dealer worldwide. It can also be purchased directly from Custom Business Software, contact Bruce@capesoft.com for more information.

Installation

Installation of SecWin was painless. I ran Setup and identified my current Clarion directory, then registered the SecWin templates.

Implementing

I initially tried to use SecWiz to implement SecWin. SecWiz (only included in 32 Bit registered version) is a Utility Template Wizard that is supposed to vastly reduce the time required to add basic SecWin security to an existing application. It automatically (optionally) performs the following functions:

• Adds a User Login Here extension template to the Main procedure.
• Adds a User Screen Security template to all your Browses, Forms and Windows. Insert, Change, Delete, OK and Print buttons are all added to the list of controls that can be limited individually.
• Adds calls to OperatorBrowse, ChangePassword, LockScreen and ChangeLogin to the main menu. These menu options can be moved (or removed) later if you wish.
• The only other step required to add basic SecWin security to your App, is to add the Global Extension Template "Activate Security".

When I tried to use SecWiz I received numerous compile errors. Because of the compilation errors I chose not to use SecWiz. Once I decided not to use SecWiz, implementing SecWin into my application was easy. SecWiz does warn you that you should backup your application before proceeding. I was able to add security without any problems by following the 16 Bit version's instructions.

I used the extension template: User Login Here to add the Login capabilities. This also required that I add a Global Extension Template - Activate SecWin features.

Activate SecWin features

The User Login Here template allows you to select the following options for Login:

• Case insensitive
• Make Login optional to end user
• Allow only 3 tries
• Enable international features
• Allow automatic Login from other EXEs
• Allow default Login values
• Don't show screen if default fails
• Force password change every 30 days
• Force long passwords (6 alpha + 3 number)

User Login template options

I only used the Case Insensitive and Allow Only 3 Tries options. Both of these worked quite well. While I know Case Sensitive is more secure, I find that end users HATE it, so I avoid it. While 6 alpha + 3 numbers makes for better security I would also like to see a minimum number of characters as an option. I like to use 4 or 5 characters minimum.

Other features controlled from the User Login Here Template are Licensing and Super User. I must admit that I didn't try the Licensing features, but they looked very interesting. Licensing allows the application developer to control access to screens, depending upon the licensing level of a user. Licensing has 5 levels; Demo, Lite, Standard, Professional and Enterprise. (The names can be changed which is a nice feature.) Another type of licensing included in SecWin is Network Licensing, which can be used to limit the number of copies being accessed at any one time. The Super User allows the developer to setup a permanent Supervisor (this is a new feature to Version 2.7 and I could not get it to work). While I know the Super User (backdoor) does have security ramifications, it makes supporting your application much simpler. Besides Super User is optional. These are great features that a lot of developers need.

Access Control

SecWin uses an Extension Template called User Screen Security to control Access to procedures and controls. The application developer uses this template to select which procedures and controls the Supervisor can grant or restrict to each user's access. This is achieved by placing the template at strategic places in the application and selecting the appropriate controls, allowing the Supervisor to grant and restrict access to users appropriately. Once I understood how to use the User Screen Security template, implementing security with SecWin was extremely easy. I especially liked how the Supervisor could use Usergroups to change access for the entire Usergroup. Also, I liked how the developer could attach multiple controls as one user-access control. This makes it easy for the Supervisor to select one user-access control and grant or restrict access in one step.

User update form

User Levels are:

Supervisor - 3 - This user has access to the security areas and to all the screens, allowing him to change security for others.

Operator - 2 - This user has access to the security area, but does not have access to the screen that allows the Supervisor to change security.

No Access - 0 - The user does not have access to the security area.

Workgroups - a method of restricting data visible to your users in a browse, on a group basis.

Two methods of using Workgroups are possible, depending on the application requirements:

1. You can use a number 0-32000. For example, if users belong to a single department, each department can have a unique number.
2. If users can belong to more than one group, each bit of the Workgroup can signify a number, restricting you to a maximum of 15 Workgroups.

Currently the Update User Screen is structured for a number (method 1) so multiple selections are difficult.

User Groups - allows you to easily change the User Levels of a Group, from Operator to No Access. Putting a user into a group is very simple. You go to the OperatorBrowse screen, click on a User, Click on Change and then select the group from the drop-down list. This feature greatly simplifies the Supervisor's administrative work. By using this feature it would be easy to administer large groups of users.

Flexibility

The SecWin interface has the flexibility to allow for different languages and titles for fields. This is using the Pro Domus CWIntl package. It uses an INI-type file to change the titles on Controls. The default is English. You could also use the numerous functions included in SecWin to write your own screen and make it match your interface.

Security

Security seemed good. I tried importing the DSSW2.TPS into a CW dictionary and could not. This is the file that contains the passwords. If a user deletes the DSSW2.TPS file, then none of the programs needing the security will run. The file would need to be restored from a backup or recreated by an authorized person. Additionally, security is provided with a PIN (Personal Identification Number); the developer can add a PIN to the application and then place the PIN into the DSSW2.TPS file. This way someone must have a DSSW2.TPS file with the correct PIN to process your application, giving the developer another level of Security.

If the supervisor leaves or forgets his/her password and you have not implemented the Super User feature, it could be difficult for someone to access a program using SecWin. This is exactly what you want in a security system, but it could cause some problems. Unless you need extreme security, I recommend using the Super User.

Administration

Administration was simple. It's easy for the Supervisor to grant both screen access and control access wherever the developer has set up the User Screen Security. I felt that the Workgroup feature could be better implemented. I would like to see an option to select multiple Workgroup Levels as part of the Operator/Browse. I would also like to see Usergroup have Workgroups as an option; the Usergroups seem very easy to implement, but would be more powerful if the Workgroup could be selected at the same time.

Reviewer Overall Impression

SecWin has a lot of features. In some ways it has more features than I expected in a security system. I was surprised to see the Run Counter, Network Licensing, Internationalism, the Btrieve version (for WANs), Application PIN numbers and other more advanced features. These are great features. I had problems with the SecWiz Wizard and I feel that it needs to be fixed (although you can Implement SecWin without SecWiz). I would also like to see the Usergroup and Workgroup features enhanced. I feel you should have the ability to select the Workgroup from the Usergroup. Also, I would like to see the Workgroup multiple selection feature as part of the Update Users form. Like all products, it can use some improvements. I would recommend that you try the Freeware 16 bit version before purchasing. If it works the way you expect a Security System to work, it is worth the spending the $99.00 for the 32 bit version.

Category	Product Score
Ability to do the task	Very Good
Ease of use	Very Good
Ease of Installation	Good
Documentation	Good
Technical Support	Not Tested
Modifies Shipping Templates	No
Black-Box DLLs/LIBs	Yes

Pros: Freeware 16 bit version. Lots of great features. Good value for your money.

Cons: Documentation and terms are not always easy to follow and understand, but security can be very complex and SecWin has a lot of features. Can improve on Usergroups and Workgroups as stated above.

* The reviewer did not contact Capesoft for technical support on SecWin. In conversation with other members of the review staff who use SecWin, it was the consensus that SecWin's Technical Support was excellent, deserving the awarded score of 10. This score does not, however, reflect the experience of the reviewer. - Publisher

Response from Bruce at CapeSoft

Jim detailed 3 problems with the template, 2 of which have been fixed and are available in the latest release. (currently version 2.75) The remaining problem with the wizard is well known. Unfortunately it is caused by a bug in the CW template language and thus is outside of my control. Hopefully this will have been fixed in the upcoming C4 release. In Jim's case it affected 2 out of 22 procedures. The affected procedures can be imported manually from the backup, and security added by hand. It was a hard decision to ship it like this, but I left the wizard in on the basis that it can still be of major benefit to the developer. As Jim mentions, the wizard is not required to successfully implement Secwin. As Jim mentions the Super User feature is new, and the documentation for it seems to be ambiguous. A couple of other Secwin users also had problems with this, which turned out to be caused by an inaccurate interpretation of the docs. I have altered the docs to make this area clearer. Like all users, it didn't take Jim long to come up with a personal wish list. While, like all developers, we can't guarantee that Jim's wishes will appear, we certainly note them with interest. Although Jim gracefully gave us a Technical Support score of 10/10, he did not make use of our tech support facilities during this review. This is disappointing as we do pride ourselves on giving good support - for example the problem with the Super User may have been a good test case here. Our thanks to Jim for giving us a fair review, and for highlighting areas in which we can strive to improve.

Article comments

Post a comment

You must be logged on to post comments.