Report restriction

I am looking for the solution regarding REPORTS. I want to restrict the reports in the way that authors can only see their own requests.

I was trying to do it with SQL, but I failed. I saw a suggestion that it can be restricted on the user privileges for the entire app level, but I can't find the solution.

Please help :D

MVP

Hi Jan,
I'm assuming that the requests you mention are some kind of form/element/document in WEBCON.

If you want to create a report, which shows Requests Created By User - you could use Additional Filter for system field Created By set to <Me>.

End users will be able to remove this filter, though, but if it should only restrict the view on reports (not access to the documents), then this shouldn't be a problem, I guess?

In reply to: Maksymilian Stachowiak

Yes, exactly, I am talking about forms. However, your solution won't work, because the forms that are stored in the reports are sensitive data, and from my test I can see users can clear filters and see other forms.

For your better understanding of my application:

- the application is for new employees hiring process
- managers send requests for potential new positions, which are forwarded to appropriate board members
- I want managers to have access to their forms, for example to see on what step is their request. But I don't want managers to see requests from other managers.


Is it possible to block filtering in reports? Your solution would be usable.

Thank you for help, much appreciated

MVP
In reply to: Jan

I'd say you shouldn't focus on restricting view on reports then, because hiding it on report is just security by obscurity.
https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html

Hiding the url is not restricting access. They still will be able to display that form just by changing ID of element in the url, or if someone accidentally forwards email with link.

What you want to achieve is the default behaviour of WEBCON I'd say.
When a user has only privileges to `Launch new workflow instances`, then they will see only those elements which were created by them, and nothing more, unless they have a task assigned (assigning a task gives privileges for modification).

Did you set any higher privileges in the process or form/workflow for those managers? If not, then they shouldn't have access to everything.

You might look at those:
https://community.webcon.com/posts/post/webcon-bps-designer-studio-privileges/44
https://docs.webcon.com/docs/2023R3/Studio/Application/Application_Security
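
A minimal model of the point made in the reply above, added here as an illustration; it is not WEBCON code and not part of the original thread. It contrasts a report filter the client can clear with an author-or-assignee check applied on the server to both the report and direct access by ID. All names (`Element`, `can_view`, `report_enforced`, the sample users) are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    id: int
    created_by: str
    step: str
    assignees: frozenset = frozenset()  # users holding a task on this element


# Constructed sample data: two managers and one board member.
ELEMENTS = {
    101: Element(101, "manager.a", "Board review", frozenset({"board.x"})),
    102: Element(102, "manager.b", "Draft"),
    103: Element(103, "manager.a", "Approved"),
}


def report_with_ui_filter(user, created_by_me=True):
    """Weak: 'Created By = <Me>' is only a view preference the client can clear."""
    rows = list(ELEMENTS.values())
    if created_by_me:
        rows = [e for e in rows if e.created_by == user]
    return sorted(e.id for e in rows)


def can_view(user, element):
    """Object-level rule modelled on the thread: author, or holder of a task."""
    return element.created_by == user or user in element.assignees


def report_enforced(user, created_by_me=True):
    """Authorization is applied first; the user-controlled filter only narrows it."""
    rows = [e for e in ELEMENTS.values() if can_view(user, e)]
    if created_by_me:
        rows = [e for e in rows if e.created_by == user]
    return sorted(e.id for e in rows)


def open_element(user, element_id):
    """Direct access by ID (the changed-URL case) goes through the same check."""
    element = ELEMENTS.get(element_id)
    if element is None or not can_view(user, element):
        # Same error for both cases, so valid IDs are not revealed.
        raise PermissionError("not found or not permitted")
    return element
```

Clearing the filter in `report_with_ui_filter` returns every element, while `report_enforced` and `open_element` give the same answer whatever the client sends.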

MVP
In reply to: Jan

Hi,

Even though Maks already answered the question and I agree with him that it should be done on the security level, I have one other comment regarding filtering.


If you want to have a fixed filter you can add this as an SQL filter.

https://docs.webcon.com/docs/2023R3/Studio/Application/Presentation/AppReportsOverview/module_2_4_5_2_2_1_1#8-sqlsolr-filter

In this case it would be:
and WFD_CreatedBy like trim('##currentloginname## ' )+'#%'

Edit:
The placeholder/variable currentloginname (still) adds a space character in between the '', therefore we need the trim.

Best regards,
Daniel