Archive for October, 2011

Sage SalesLogix Mobile Web app – hiding information from users

While in the process of developing an Asset Management application of the new SalesLogix Mobile web app, I ran into an interesting problem… users that should not see “everything” were seeing things they should not.

Specifically, when a user clicked on “Assets”, he/she was getting the assets from EVERY Account in the system, whether or not he/she had (security) access to that account. This was not good. The problem was traced very quickly to the AccountProduct (a one-to-many) table not having a SECCODEID (owner) field.

Short lesson: The SECCODEID field is the key to “row level” security in the SalesLogix database. If it is there and has a value, the “system” automatically checks security against the currently logged-in user (except ADMIN) to see if he/she should have access. If not, the record is NOT returned; if OK, the record is returned.

What is important to point out is that the Account table/entity DOES have a SECCODEID. By adding:
Account/AccountName to my querySelect
and adding:
queryWhere: 'Account ne null'
the problem was solved. Account/AccountName in the querySelect forces the system to see the relationship between AccountProduct and Account, so the Account SECCODEID “takes over”. Unfortunately, I needed to handle a defect this uncovered in SData and add the queryWhere to make sure the records that “failed to pass security” did not cause a problem back in the mobile app. NOTE: Even if there was no error, it was good design/implementation practice to do so anyway.
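The check described above can be turned into a review step for view definitions. The following is an added example, not code from the original post or from the SalesLogix mobile project: the `SCHEMA` map, the `entity` key, the `ProductName` field and the `auditView` function are assumptions made for illustration, while `querySelect`, `queryWhere`, `Account/AccountName` and `Account ne null` come from the post.

```javascript
// Added example: audit list-view configs for the row-level security gap.
// SCHEMA is constructed sample metadata, not read from a SalesLogix database:
// it records which entities carry SECCODEID and each entity's parent relations.
const SCHEMA = {
  Account:        { hasSecCodeId: true,  parents: {} },
  AccountProduct: { hasSecCodeId: false, parents: { Account: 'Account' } },
};

// Returns a list of findings; an empty list means the view passes the check.
function auditView(view, schema = SCHEMA) {
  const meta = schema[view.entity];
  if (!meta) return [`unknown entity ${view.entity}`];
  if (meta.hasSecCodeId) return []; // owner field present: filtered directly

  // Parent relationships whose target entity does carry SECCODEID.
  const secured = Object.keys(meta.parents).filter((rel) => {
    const parent = schema[meta.parents[rel]];
    return Boolean(parent && parent.hasSecCodeId);
  });
  if (secured.length === 0) {
    return [`${view.entity}: no SECCODEID and no secured parent to join through`];
  }

  const findings = [];
  const select = view.querySelect || [];
  const where = view.queryWhere || '';
  // The join only happens if querySelect names a field on the secured parent.
  const joined = secured.filter((rel) => select.some((p) => p.startsWith(rel + '/')));
  if (joined.length === 0) {
    findings.push(`${view.entity}: querySelect never references ${secured.join(' or ')}`);
  }
  // Rows whose parent failed the security check must be excluded explicitly.
  for (const rel of joined) {
    if (!new RegExp(`\\b${rel}\\s+ne\\s+null\\b`).test(where)) {
      findings.push(`${view.entity}: queryWhere lacks '${rel} ne null'`);
    }
  }
  return findings;
}

// Constructed view configs: the state before and after the fix in the post.
const before = { entity: 'AccountProduct', querySelect: ['ProductName'] };
const after = { entity: 'AccountProduct',
  querySelect: ['ProductName', 'Account/AccountName'], queryWhere: 'Account ne null' };

console.log(auditView(before));
console.log(auditView(after));
```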
