Maybe the deciding factor is what they are going to see or have the ability to monkey with if they do open the form. Maybe after-the-fact coaching is too late.

Something like HIPAA comes to mind. Maybe there is some form that users need to be able to use in a workflow for lookups, but if they can open the form, they can see groups of records that they would normally have to access via a console that controls the number of records accessed (and possibly all records accessed from the console are logged for auditing). Once an unauthorized person has been able to see multiple records of PHI (Protected Health Information), the violation has occurred. Sure, you can take action against the user, but it is better to avoid the situation completely.

Another example is the People form. Support staff, and potentially all employees if using Authenticate Unregistered Users, need access to the data on a single-record basis. In the past I had a requirement that would not allow anybody except an administrator to query the People form directly or pull a report. The thought was that a list of employees could be created and sent (sold) to head hunters.

Of course there are other ways of preventing or logging these situations. You could create a filter that fires on GET ENTRY to log what records are being accessed by whom. You could also create an Active Link that triggers an error or closes the window on Search.

Unfortunately, many times in the IT/security world building a better mouse trap is a fact of life. It is a constant cat-and-mouse game. Can Microsoft discipline all of the MS hackers (also potentially their customers) out there? No, they have to hopefully get it right the first time (let's not start any debates here) and continue to make changes as new holes are found. National security: sure, we can execute anybody who does unthinkable things on our soil, but isn't it better to try and prevent it? ... OK, I am done, I'll go back to work now.

Jason

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Cook
Sent: Wednesday, November 28, 2007 3:15 PM
To: [email protected]
Subject: Re: mid tier lock down URL

No, I guess you can't, but perhaps his/her supervisor can. I am serious in saying that while you may be tasked with providing a software wall to stop this action, the most efficient way to really stop it is by dealing with the people. If the customer doesn't care, then why would they ask you to prevent it? If they do care, perhaps they will see that there's a better way than lots of coding. Better mousetraps often just make smarter mouses, and then you still have the root of the problem in place after all that work.

Rick

On 11/28/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote:

I can't crack my customers across the knuckles! Seriously, does no one else think that it is a security issue for any user to be able to overwrite the URL and get to hidden forms?

Janet Mahan
Network Systems Administrator II
EMBARQ
Voice: 941-766-6199 | Wireless: 321-356-0128 | Fax: 941-766-6199
Email: [EMAIL PROTECTED]
Voice | Data | Internet | Wireless | Entertainment

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Rick Cook
Sent: Wednesday, November 28, 2007 5:45 PM
To: [email protected]
Subject: Re: mid tier lock down URL

Why, what could be simpler than a ruler across the knuckles, administered as necessary? ;-)

Seriously, my preference would be to simply report this person for violation of whatever IT policy prohibits such actions. That's assuming that (s)he is causing some problem by doing so.

Rick

On 11/28/07, Mahan, Janet L [EQ] <[EMAIL PROTECTED]> wrote:

Is there a simple way for someone who doesn't know a lot about creating/modifying web pages to keep users from changing the URL in the mid-tier and going directly to a form that they have hidden access to?

Janet Mahan
Network Systems Administrator II
EMBARQ
Voice: 941-766-6199 | Wireless: 321-356-0128 | Fax: 941-766-6199
Email: [EMAIL PROTECTED]
Voice | Data | Internet | Wireless | Entertainment

UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist: "Where the Answers Are"
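The thread's underlying point is that hiding a form from the menu is not a permission: a user who edits the mid-tier URL still reaches the form, so the access decision has to be made on the server for every request, which is what Jason's GET ENTRY logging filter and the Active Link that refuses a broad Search amount to. The following is an added example written for this page, not AR System or Mid Tier code from the thread. The form names, group names, URL shape and sample records are constructed assumptions; it models a People form that Support may look up one record at a time, that only Administrator may list, and that logs every lookup and search attempt whether allowed or refused.

```python
"""Server-side enforcement for a form that is only hidden in the UI.

Added example, not AR System or Mid Tier code. FORMS, RECORDS, the URL
shape and the group names are constructed assumptions standing in for
form permissions, a logging filter on Get Entry, and an Active Link on Search.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


class AccessDenied(Exception):
    """Request failed the server-side permission check."""


@dataclass(frozen=True)
class Form:
    name: str
    read_groups: frozenset    # may open one record at a time
    search_groups: frozenset  # may run list queries returning many records
    max_rows: int = 1         # row cap for users who can read but not search


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset


# Constructed sample data: a People form hidden from menus but reachable by
# URL; Support gets single lookups, only Administrator may list records.
FORMS = {"People": Form("People", frozenset({"Support"}), frozenset({"Administrator"}))}
RECORDS = {"People": {
    "000001": {"name": "A. Employee", "dept": "Billing"},
    "000002": {"name": "B. Employee", "dept": "Billing"},
    "000003": {"name": "C. Employee", "dept": "Network"},
}}
AUDIT_LOG = []  # what a Get Entry / Search logging filter would record


def _audit(user, form_name, action, outcome, **detail):
    extra = " ".join(f"{k}={v}" for k, v in detail.items())
    AUDIT_LOG.append(f"user={user.login} form={form_name} action={action} "
                     f"outcome={outcome} {extra}".rstrip())


def get_entry(user, form_name, entry_id):
    """Single-record lookup; logged whether allowed or denied."""
    form = FORMS.get(form_name)
    if form is None or not (user.groups & (form.read_groups | form.search_groups)):
        _audit(user, form_name, "GET_ENTRY", "denied", entry=entry_id)
        raise AccessDenied(f"{user.login} may not read {form_name}")
    record = RECORDS[form_name].get(entry_id)
    _audit(user, form_name, "GET_ENTRY", "allowed" if record else "not_found", entry=entry_id)
    if record is None:
        raise KeyError(entry_id)
    return record


def search(user, form_name, predicate):
    """List query; without search rights the result is capped at max_rows."""
    form = FORMS.get(form_name)
    if form is None or not (user.groups & (form.read_groups | form.search_groups)):
        _audit(user, form_name, "SEARCH", "denied")
        raise AccessDenied(f"{user.login} may not search {form_name}")
    matches = [r for r in RECORDS[form_name].values() if predicate(r)]
    if not (user.groups & form.search_groups) and len(matches) > form.max_rows:
        _audit(user, form_name, "SEARCH", "blocked", rows=len(matches))
        raise AccessDenied(f"query on {form_name} would return {len(matches)} records")
    _audit(user, form_name, "SEARCH", "allowed", rows=len(matches))
    return matches


def handle_url(user, url):
    """Serve a hand-edited URL such as /forms/People?eid=000001 or
    /forms/People?q=dept:Billing. Whether the form is hidden in the menu plays
    no part: every path ends in get_entry or search, so the check always runs."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "forms":
        raise ValueError(f"unrecognised URL {url}")
    query = parse_qs(parts.query)
    if "eid" in query:
        return get_entry(user, segments[1], query["eid"][0])
    if "q" in query:
        key, _, value = query["q"][0].partition(":")
        return search(user, segments[1], lambda r: r.get(key) == value)
    raise ValueError("URL names neither an entry nor a query")


def try_url(user, url):
    """(outcome, payload) wrapper so callers need not catch AccessDenied."""
    try:
        return "allowed", handle_url(user, url)
    except AccessDenied as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    support = User("support1", frozenset({"Support"}))
    print(try_url(support, "/forms/People?eid=000001"))   # single lookup allowed
    print(try_url(support, "/forms/People?q=dept:Billing"))  # bulk listing blocked
    print(*AUDIT_LOG, sep="\n")
```

The row cap in search is the programmatic form of the console Jason describes that limits how many records a lookup can expose; with a real server the audit entries would go to a log the security team reviews, so that an attempt to pull a whole list of employees is visible even when it was refused.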

