Super Security - BoxSoft Development
Posted September 1 1997
SuperSecurity is a solid, feature-rich security add-on for Clarion for Windows. It is available for $99 USD from Mitten Software. Contact information for Mitten Software can be found at the end of this article.
Installation
Installing SuperSecurity is straightforward. BoxSoft's standard install for its "Super" products puts the templates in a directory called "SUPER" under your CW directory. Other related files, such as docs, go into directories under "SUPER".
SuperSecurity comes with documentation, SECURITY.PDF in the \CW20\SUPER\DOC directory. The docs are nice, complete with a cover page, table of contents, and page numbers throughout. They are perfect for 3-hole punching and slipping into a binder.
The docs are fairly good on installation, but they assume you know the name and location of your CW redirection file and how to update it. This might be a problem for CW newbies.
Implementing SuperSecurity - which approach?
SuperSecurity offers two approaches to security. The first approach is called "Levels", the other is "Doors". The docs describe these two approaches, and while the descriptions are detailed, I had trouble understanding the "Levels" explanation until I saw a graphic representation of it on SuperSecurity's Global properties window.
"Levels" Approach
Levels hierarchy illustration from templates
With the "Levels" approach, each new level includes everything in the previous one, then adds more abilities. So the highest level will have access to everything, and each level under it will have access to less and less. (Think of it as a Russian dolls approach to security.) Levels are numbered, starting with 1 as the most restricted, and each subsequent level getting a larger number. Levels would be used in a straightforward system where your users' responsibilities fit into this layered paradigm.
"Doors" Approach
Doors illustration from templates
With the "Doors" approach to security, you (optionally) assign each procedure or control a certain security "door". You then assign users access to any doors they require. Multiple procedures/controls can be assigned to the same security door, or each procedure or control can have a different door, if that's what you need. (You, the programmer, create and define all the doors.)
The big plus to the Doors approach is flexibility - you can set up any sort of security in your app that you like, and restrict or allow any users access to any doors. The downside of the Doors approach is flexibility - it's so flexible that you can create a monster if you're not careful. You need to sit down and really think through exactly how to group your procedures/controls for sharing common doors.
Implementing SuperSecurity in the App
Global Extension template offers many options
SuperSecurity requires the SuperSecurity Global Extension template. Adding the Global Extension template is very easy - but then you'll be presented with many choices:
- Use "Levels" or "Doors"
- Location of library (internal or external)
- Initialize tagging system with UserNo_ (for use with QBE or SuperTagging)
- Use SuperSecurity's standard Login window (alternative: write your own)
  - I recommend SuperSecurity's standard login window. It's easy on the eyes, and already done.
- Login at program startup (or when security is first required)
- Maximum incorrect tries allowed (default is 3; zero will allow unlimited retries)
  - "... before the program automatically exits. This is merely a nuisance feature, as (the user) can restart the program to try again."
- Allow user to change password during logon
- Modify messages/text on Change Password window
- Modify title & messages/text on standard login window
- Embedded code before & after login
- Check for previous login when one program runs another
- Record login in Audit Log - record Failed Attempts & Backdoor Logins
- Backdoor user name (default provided, can be changed)
- Password encryption mask
- Location of SuperSecurity file definitions: Dictionary, Security Library, or External
- File names, file driver used & owner ID (when applicable) for SuperSecurity files
- Allow Manager Override (Always, Never, Use Local Setting) & Durations
- Modify messages/text on Manager Override request window
- Beep when Access Denied
- Change Message Window title and/or text/messages
As you can see, options offered in the Global Extension give you a large amount of flexibility regarding how SuperSecurity will appear and behave in your app. The docs and online help give explanations for each option.
Implementing SuperSecurity in procedures - templates for everything
It is not difficult to implement the SuperSecurity templates in your procedures, although it can be tedious. The templates have a generally easy-to-follow interface, and online help is available if you should happen to get stumped. There are quite a few SuperSecurity templates, and they appear to cover most security situations.
When implementing the Doors approach, you will need a list of your Door equates. No report for this is provided in the DoorEdit app - I wrote my own. If you don't have too many doors, it might be easier to just hand-write your list of the equate names.
- Procedure Security: Restrict security to the entire procedure. The procedure effectively will not be run unless the user has the appropriate security.
- BrowseBox Update Security: Restrict updates in a browse box. Everyone can look, but only authorized users can update. The Insert/Change/Delete buttons are disabled or hidden - your choice - and the hot keys and keyboard keys don't work, either.
- Form Update Security: This is similar to BrowseBox Update Security, but allows lots more flexibility. You can restrict or allow just inserts, changes, and/or deletes. If you restrict access to all three, then it's the same as procedure security - the window will never be opened without the appropriate security.
- Protect Controls on a Window: You can hide or disable any controls, or range of controls, on any window - browse, form, or other, even items in a menu.
- Protect Controls on a Report: This allows you to hide fields on a report based on the user's security.
- Run a Program with "Check for Previous Logon": This is cool, if you need it - you can RUN a program with this code template and pass the called program user information, so your user won't have to login with each new EXE.
- Conditional Code: A code template that you can use to optionally do/display things in your program, based on the user's clearance. Great for optionally displaying fields in a browse.
- Audit Access code template and Procedure Audit extension template: not currently available but coming in the C4 release.
These templates allowed me to do everything required by the review requirements when it came to implementing security in the app (and then some).
Access Control
SuperSecurity allows you to limit access to everything from a single control on a window (hide or disable it) to entire procedures. You can hide fields in a browse box and in a report. You can allow/restrict all updates to a file, or selectively allow inserts, changes or deletes. You can disable menu items.
With the "Manager Override" option, you can selectively allow any user access to things normally restricted. The Manager Override option is set in your global template, and you can set its use for "Always", "Never", or "Use Local Setting".
The Manager Override duration can be set to either "One-time" or "Permanent". Permanent would be for the rest of the session (not a great idea because that would give the user access to EVERYTHING). The One-time override duration lasts only for THAT procedure - which can be good or bad. If you want to allow a user to update a file that they are normally restricted from updating, then you might need to enter the manager override twice, on the browse AND the form, depending on how you have it set up.
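The Levels, Doors and Manager Override rules described above can be modelled in a few lines. This is an added Python illustration, not SuperSecurity code or its API: every class, function, procedure and door name is hypothetical, and it assumes a one-time override is used up by the procedure it was granted for.

```python
# Added illustration: a model of the access rules the review describes.
# All names are hypothetical; this is not SuperSecurity's API.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    level: int = 1                              # Levels: 1 is the most restricted
    doors: set = field(default_factory=set)     # Doors: explicit grants only

@dataclass
class Session:
    user: User
    permanent_override: bool = False            # lasts for the rest of the session
    one_time: set = field(default_factory=set)  # procedures overridden once

def level_allows(user, required_level):
    # Each level includes everything granted to the levels below it.
    return user.level >= required_level

def door_allows(user, door):
    # No hierarchy: access exists only if this door was assigned to the user.
    return door in user.doors

def manager_override(session, procedure, duration):
    # Assumes the caller has already verified the manager's credentials.
    if duration == "permanent":
        session.permanent_override = True
    elif duration == "one-time":
        session.one_time.add(procedure)
    else:
        raise ValueError(f"unknown duration: {duration!r}")

def can_run(session, procedure, door):
    if door_allows(session.user, door) or session.permanent_override:
        return True
    if procedure in session.one_time:
        session.one_time.discard(procedure)     # assumption: consumed on use
        return True
    return False

def demo():
    clerk = User("clerk", level=2, doors={"DOOR_VIEW_CUSTOMERS"})
    s = Session(clerk)
    results = [level_allows(clerk, 2), level_allows(clerk, 3)]
    manager_override(s, "BrowseInvoices", "one-time")
    results.append(can_run(s, "BrowseInvoices", "DOOR_EDIT_INVOICES"))  # browse opens
    results.append(can_run(s, "UpdateInvoice", "DOOR_EDIT_INVOICES"))   # form still denied
    manager_override(s, "UpdateInvoice", "permanent")
    results.append(can_run(s, "ReportPayroll", "DOOR_PAYROLL"))         # everything opens
    return results
```

The fourth result shows why the browse and the form can each need their own one-time override, and the fifth shows why a permanent override removes every door check for the rest of the session.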
Flexibility
The SuperSecurity package appears to offer the flexibility needed to handle most situations. The templates provide many options, allowing you to specify their behavior and, in some cases, their appearance.
You can use the login window provided, or write your own. There are three other standard windows: Enter New Password, Security Message (Access Denied) and Manager Override. The first two allow you to change the window title; the Manager Override does not. All three standard windows allow you to change the standard message text, but not the button text.
SuperSecurity also provides you with security functions you call from your source code, for adding even more functionality.
Since the UserEdit app, DoorEdit app and dictionary are provided, you can modify them any way you like, and add any functionality you desire. (I've added a few reports to them.) You can even import their procedures into your app. UserEdit, DoorEdit and the examples apps serve as excellent teaching tools for how to use SuperSecurity.
Security
When I tried, I couldn't find a way to get around the security provided. Deleting the security files didn't help. Since the user data file is encrypted with a programmer-defined encryption mask, it would take a sincere hacker to decode the file.
If the security administrator forgets his/her password, then it's time for the backdoor. The templates suggest a default backdoor value, which the programmer can change. Someone with CW and access to the *.APP file could find the backdoor name, if they knew how.
Event logging is not available in the current version, but may be available in the next one. A new version of the SuperSecurity templates has been promised for the next version of Clarion (C4).
Administration
Either the Levels or Doors approach is fairly easy for the user to administer, but the Doors approach can be tricky. It requires a little more time and effort, which should be no surprise - it's so much more flexible and capable than Levels. With Doors, the programmer must assign accurate, obvious descriptions in DoorEdit, or the user may have problems with security administration. This is not documented.
A drawback to both Levels and Doors is that individual users' security must be assigned one user at a time. The "group" approach, where you can assign individuals to a group, then assign security for the whole group, is not supported at this time. This feature has been promised for the next version of SuperSecurity.
Assigning rights for Doors to a user
While SuperSecurity provides some reports for administration, they are not as "pretty" or complete as they could be. The reports provided are Users by Number, Users by Name and Users by Door. There are a few reports that could be helpful which are not provided, especially a Doors by User, which would list Users with their related doors underneath each user name. And it would be nice to have the option to print passwords on the user reports, to print door equates on the door reports, and perhaps not print headings for fields that are unused.
No drawback here is fatal, though. Since you get the APP and DCT files, you can make any changes you'd like to the security administration apps, procedures or reports.
Documentation
The documentation is good, but there is room for improvement. Up through the global extensions template, it's very good (other than the "Levels" explanation), and offers step-by-step instructions. For the rest of the process, it is strictly a reference manual, with no clues about what you or the user should do next. However, between the manual and the examples, most programmers should be able to figure it out.
Support
Technical support for the "Super" line of templates is very good. Mitten Software, the distributor, has regular office hours and someone usually answers the phone. You can leave a message when no one answers, and they are usually prompt to return calls. Email to Mitten or to Mike Hanson (the template author), or a CompuServe message to Mike, usually produces a helpful reply within a day, sometimes within hours. The templates come with a 90-day money-back guarantee.
Reviewer Overall Impression
SuperSecurity provides a solid, extremely flexible security system that is fairly easy to implement and administer, and does the job of security quite well. The templates themselves are very straightforward and easy to understand, and they give you many options. The whole system is open - no "black box" DLLs, etc., so it's easy to see what's going on, and to modify whatever you may need.
SuperSecurity has many features - plenty for most people - and with the promised addition of user grouping and audit trail support in the next version, it will be great. The documentation could use some work, but tech support is very good. It's an excellent deal for $99, well worth every cent.
| Category | Product Score |
| --- | --- |
| Ability to do the task | Very Good |
| Ease of use | Very Good |
| Ease of Installation | Very Good |
| Documentation | Very Good |
| Technical Support | Excellent |
| Modifies Shipping Templates | No |
| Black-Box DLLs/LIBs | No |
SuperSecurity is available for $99 USD from Mitten Software.
Mitten Software
10709 Wayzata Blvd
Minnetonka, MN 55305
USA
Email: mitten@mittensoftware.com
Phone: 800-825-5461 or 612-593-5019.
| Response from Mike Hanson at BoxSoft Development |
| As the reviewer mentioned, we are working on a new version of SuperSecurity. It will include user groups, audit trails, improved documentation, Clarion 4 compatibility, plus the ability for the user administrator to modify their security configuration (i.e.: the levels or doors within the program). The new version addresses the issues discussed in this review, as well as many others. SuperSecurity 2 is scheduled for release in September. |



