RE: [U2] Need to partially hide a file

2007-11-28 Thread Dave Davis
One approach would be to set up separate accounts for privileged vs.
non-privileged users.  That would give you two VOC files, and the paths
to the data could be different for some or all of the files.

Another approach is the following:

In UniData this could be done by using environment variables, and
assigning the variable with different values for some users than for
others.  For example:

F
@ENVVAR/PRIVATEFILE
D_PRIVATEFILE

User "A" (privileged) could have it set to C:\private.  User "B" could
have it set to "."

I don't know how much trouble that is to set up for Windows users
though.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Augusto Alonso
Sent: Wednesday, November 28, 2007 1:46 PM
To: u2-users@listserver.u2ug.org
Subject: [U2] Need to partially hide a file

Hi all.

Can someone tell me if it is possible?
I'll explain the scenario:
We need to hide some private data (customer personal data) in order to
fit with our Private Data Protection Law.
But only for some users, the others, they need to have full access.
Our app is complex enough to modify the source code.
So, our ideal solution would be making a "dynamic" File Entry VOC, that
will look like this:

For Non-privileged users:

>CT VOC PRIVATEFILE

 PRIVATEFILE
0001 F
0002 PRIVATEFILE
0003 D_PRIVATEFILE



And for privileged users:

>CT VOC PRIVATEFILE

 PRIVATEFILE
0001 F
0002 C:\private\PRIVATEFILE
0003 D_PRIVATEFILE

so that the rights could be defined at O.S. level, and the app will
always open a file (the private one or the public one)

The problem is that I can't figure out how can I do a VOC entry depending
on the particular user.
Or even, if it is possible...

TIA.

Regards,
Augusto Alonso
[EMAIL PROTECTED]
www.quiter.com
---
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/


RE: [U2] Need to partially hide a file

2007-11-28 Thread Baker Hughes
Augusto,

sort of along the same line of thinking as Dave ... play with the user's
logon as soon as they login...

Modify your LOGIN VOC item so that it:
a) Checks a Data Security flag for that specific user [ @logname = Item
ID in DSA.Flags file]
b) Open the Cust.Secure.Data file to a named common in a short program
if they have clearance
c) If they don't have clearance Open the Cust.Skinny.Data file to the
same file name in the named Common

The named common will follow the user to whatever account they logto (if
you log them around in the app or if they can Logto).

Downside: You will have to modify the code where you are opening this
file in the App, since it will already be opened. 

BTW - This approach should meet PCI compliance, and others, since you
are making a positive grant of access based on the User logon (rather
than role based or menu based security).  I would check the language of
the controlling standard - sometimes they hint at the approach they want
you to take.

HTH,
-Baker

 from Dave
Another approach is the following:

In UniData this could be done by using environment variables, and
assigning the variable with different values for some users than for
others.  For example:

F
@ENVVAR/PRIVATEFILE
D_PRIVATEFILE

User "A" (privileged) could have it set to C:\private.  User "B" could
have it set to "."

I don't know how much trouble that is to set up for windows users
though.


 Augusto:
We need to hide some private data (customer personal data) in order to
fit with our Private Data Protection Law.
But only for some users, the others, they need to have full access.
Our app is complex enough to modify the source code.



Re: [U2] Need to partially hide a file

2007-11-28 Thread Augusto Alonso

Thanks Baker.
Your suggestion is very wise, but the downside is too hard.
In fact,
Dave's approach (@ENVVAR/PRIVATEFILE) would fit better for us, but...

...I've tested it, and it doesn't work at all in UniVerse (neither under
Windows nor under Linux).
I was thinking of a pointer-like solution, so that the code remains
unchanged.




Re: [U2] Need to partially hide a file

2007-11-28 Thread karlp
I'm not sure this would work, but what if you created the file as a
distributed file with 2 parts: part1 = 'public' data, part2 = 'secure'
data.

Those without security clearance would open just part1 and those with
security clearance would open the distributed file which would give them
access to both part files.

How you do that in coding shouldn't be too difficult especially if you use
named commons, I think.

This is kind of a hybrid approach I just thought of based on the other
suggestions.

Also, some of the law we have would require the two partfiles to reside on
different disks...

HTH,

Karl




-- 
Karl Pearson
Director of I.T.
ATS Industrial Supply, Inc.
[EMAIL PROTECTED]
http://www.atsindustrial.com
800-789-9300 x29
Local: 801-978-4429
Fax: 801-972-3888

"To mess up your Linux PC, you have to really work at it;
 to mess up a microsoft PC you just have to work on it."


Re: [U2] Need to partially hide a file

2007-11-28 Thread Craig Bennett



RE: [U2] Need to partially hide a file

2007-11-28 Thread Bob Woodward
Would a trigger on the data file work?  For non-privileged users modify the
data to "" after a read then on write and update you could
replenish the hidden data before actually doing the write.  It would be
quite a bit more programming work than just a simple permissions change but
you could assign security and apply the trigger program without changing any
of your current programming.

Just a thought for you to kick around and it should work in both Windows and
Unix environments.  You should be able to do this in all the U2 product
line, too, I believe.

BobW

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Bennett
Sent: Wednesday, November 28, 2007 5:07 PM
To: u2-users@listserver.u2ug.org
Subject: Re: [U2] Need to partially hide a file

Augusto,

when you say hidden, how hidden do you mean?
>>> We need to hide some private data (customer personal data) in order to
>>> fit with our Private Data Protection Law.
>>> But only for some users, the others, they need to have full access.
>>> Our app is complex enough to modify the source code.
>>>   

I would consider using operating system permissions on the files to 
allow read (and write) access based on group.
Only your privileged users go in the read/write group for the file.
You will still need to modify your application (or your other users will 
get errors when they try to open these files) but doing it at the 
operating system level
is a good failsafe design -- if your application incorrectly attempts to 
allow access to the file, the operating system will prevent this and 
cause an error in UV.

This is a simple and easily auditable security model.

You may still want to encrypt the files -- to prevent access outside of 
the application -- but that is a separate issue.


Craig
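
The group-based operating system permissions Craig describes can be checked mechanically. The script below is an added example, not part of the original thread: it assumes a Unix host, and the function names, the PRIVATEFILE layout and the group used are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths, file layout and group are constructed for the demo.

# audit_u2_path PATH GROUP
# GROUP is a group name or numeric gid. Prints one finding per line and
# returns 0 only if PATH and everything beneath it (a U2 file may be a
# directory) belongs to GROUP and grants nothing to "other".
audit_u2_path() {
    path=$1 group=$2 bad=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # Any r/w/x bit for "other" bypasses the group restriction.
    open=$(find "$path" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$open" ]; then
        echo "$open" | sed 's/^/WORLD-ACCESSIBLE /'
        bad=1
    fi
    # Every entry must be owned by the privileged group.
    wrong=$(find "$path" ! -group "$group" -print)
    if [ -n "$wrong" ]; then
        echo "$wrong" | sed 's/^/WRONG-GROUP /'
        bad=1
    fi
    return "$bad"
}

# build_demo DIR: constructed data file plus dictionary, group-only access.
build_demo() {
    mkdir -p "$1/PRIVATEFILE"
    : > "$1/PRIVATEFILE/DATA.30"
    : > "$1/PRIVATEFILE/OVER.30"
    : > "$1/D_PRIVATEFILE"
    chgrp -R "$(id -g)" "$1"
    chmod 770 "$1/PRIVATEFILE"
    chmod 660 "$1/PRIVATEFILE/DATA.30" "$1/PRIVATEFILE/OVER.30" "$1/D_PRIVATEFILE"
}

demo() {
    d=$(mktemp -d) || return 1
    build_demo "$d"
    audit_u2_path "$d/PRIVATEFILE" "$(id -g)" && echo "locked down: OK"
    chmod o+r "$d/PRIVATEFILE/OVER.30"   # simulate permission drift
    audit_u2_path "$d/PRIVATEFILE" "$(id -g)" || echo "drift detected"
    rm -rf "$d"
}
demo
```

Run the audit against both the data file and its dictionary, since either one left readable by "other" undoes the restriction.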


RE: [U2] Need to partially hide a file

2007-11-29 Thread Andy Baum
Augusto,

Can you change your application to use OPENPATH rather than OPEN? This does not
require a VOC entry, just a path.

Cheers,

Andy



RE: [U2] Need to partially hide a file

2007-11-29 Thread Ray Wurlod
If you were to convert the file into an SQL table, then you can grant SELECT 
privilege (or not) at the individual column level.  And/or you can restrict the 
table entirely to a single SQL user (at least in UniVerse) and only access it 
via programs compiled with the AUTHORIZATION statement.

My $0.02 worth.


RE: [U2] Need to partially hide a file

2007-12-03 Thread Stevenson, Charles
Look seriously at both Ray's SQL solution and Mark's
Data-At-Rest-Encryption.  The latter is a UV 10.2 enhancement.

-Original Message-
From: Ray Wurlod
Sent: Thursday, November 29, 2007 1:59 PM

If you were to convert the file into an SQL table, then you can grant
SELECT privilege (or not) at the individual column level.  And/or you
can restrict the table entirely to a single SQL user (at least in
UniVerse) and only access it via programs compiled with the
AUTHORIZATION statement.

My $0.02 worth.


RE: [U2] Need to partially hide a file [not-secure]

2007-11-28 Thread Hennessey, Mark F.


Can someone tell me if it is possible?
I'll explain the scenario:
We need to hide some private data (customer personal data) in order to
fit with our Private Data Protection Law.
But only for some users, the others, they need to have full access.
Our app is complex enough to modify the source code.
So, our ideal solution would be making a "dynamic" File Entry VOC, that
will look like this:



Augusto - 

I'd look into data encryption at rest. It allows you to encrypt specific
fields in a file. You would assign a password to the key - users who
have the password can see the data. You have to be on a later release of
UV or UD. Also, you cannot encrypt a field that is indexed.

Alternatively it may be easier to simply not show the data to users who
shouldn't see it. It will depend on your application environment, etc.