retrofitting application security

I'm currently involved in developing a Forms 4.5 based application.

The application is largely finished and is now in use, however one of the enhancements that the users have requested is that security should be enforced on a certain type of companies (the app. manages companies/employees etc.) such that only privileged users can update these company records or any of the records associated with these companies.

What this boils down to is that I need to prevent non-privileged users from updating the database
through any of the forms in the project when the form contains data related to these companies.

The situation is complicated by the fact that some of the forms update the database directly
through SQL statements in the code.

Approaches which I've considered include:

• Alter/create database insert/update/delete triggers on all affected tables to check the users role and generate a user error when non-privileged users attempt to update records associated with the restricted company type this error would be caught in a form level On- Error trigger and the users notified. Blocks in the form which already have an On-Error trigger would have the execution style set to AFTER.
• Create generic When-New-Block-Instance and Post-Query triggers which check the users role and the class of the current company. These would be added at form level and would disable update/delete/insert on all blocks in the form when restricted companies is in use. In addition to this I would have to alter/create the form level pre-commit trigger to catch any changes made directly through SQL.

Does anyone have any ideas for a better/simpler approach?

-----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own Received on Fri Jan 08 1999 - 05:14:31 CST