Dynamic Permissions
Document Generation
Event Viewer
Visual Guard Authentication
Visual Guard Groups
Visual Guard Server
Check Security Actions
Managing Identity Federation With Visual Guard
Deploying The Visual Guard Repository
Final Thoughts
In my previous article, Securing Your Application With Visual Guard – Part 1, we were introduced to some basic features of this fantastic product. In this post I will dive a little deeper and get to grips with some of the more advanced features of Visual Guard.
Visual Guard Dynamic Permissions
If you need to define permissions at the component level of your application, you need to use dynamic permissions. This will dynamically modify the components of your application by modifying the value of certain properties. Visual Guard also negates the need for any security code inside your application. All the security functionality is defined, stored and applied to your application by Visual Guard. This means that your application can already be used in a live or production environment and will not need to be rebuild or redeployed when permissions are added or changed. Let me illustrate this:
Sarah is a member of the Sales Team. Using the Login functionality added to your application (See Securing Your Application With Visual Guard – Part 1) by Visual Guard, she can log in to the application. From the main application window, select the Sales Orders screen from the menu
As you can see, the Sales Order screen has a group box that is a container for various text input boxes. It also has a button to create a new Sales Order ans lastly, it contains a grid displaying the Sales Orders. Note that all these controls are enabled.
If we wanted to restrict Sarah to only be able to view Sales Orders and not edit them in the Grid or Add new Sales Orders, we can easily do this in Visual Guard. To start off with, let us create a new permission under the Employees sub folder of the Permissions folder.
Name the permission ‘Sales Order Review Only’ and add it. After it has been added, it will appear under the Employees folder.
We now need to add a new properties action to this permission. Right click on the newly added permission and select the option from the context menu.
The Security Action Creation Wizard is displayed. As you can see, it lists the various forms in our application. We want to set permissions against the Sales Order screen. Select it, and click on the Next button (twice).
You will now see the controls contained on the Sales Order form. For this permission, I want to hide the create sales order button. Select it from the list and change the visibility to false.
To prevent the users from editing the sales orders directly inside the grid, we need to disable the grid. Modify the Enabled property and set it to False.
To disable all the text input boxes, you can select them individually or disable the containing group box which will filter the disabled property down to the contained text input boxes.
When you have finished setting your properties, you can click on finish. What we need to do now is to associate the user Sarah to a Role. As you can see, I have already created a Sales Team role under Roles. Select the Users folder and click on Sarah’s username in the list on the right.
From the Roles tab, click on the Edit Roles button. You can now select the Sales Team role for Sarah.
After you have added the required Role, you can verify that Sarah is a member of the Sales Team Role by clicking on the Sales Team role under the Roles folder.
The next step is to add the Sales Team Role to the Sales Team Permissions set. To do this, select the Sales Team Permissions from the Permission Sets folder and change the Roles property in the properties screen to the right.
Select the Sales Team role from the list of roles and add it to the list of current roles.
After you have added the Sales Team role to the Sales Team Permissions set, it will be displayed in the Roles property to the right.
The next step is to associate the Permission we added earlier to the Sales Team Permissions. To do this, we drag the Sales Order Review Only permission on to the Sales Team Permissions.
After you have done this, the Sales Order Review Only permission will appear under the Sales Team Permissions.
If Sarah logs in again, the security is automatically applied to the application controls in the Sales Order form.
You can see that the Create button has been hidden, that the text input boxes have all been disabled and that the data grid is also disabled.
Dynamic Permissions is a very powerful feature of Visual Guard. As you saw, it allows you to change any of the Visual Studio Control Properties. You can also create a permission once and associate it on any permission sets. All these permissions were applied to the application without recompiling it or changing any code at all.
Visual Guard Document Generation
Another one of the great Visual Guard features is the document generation functionality. In a small application like in the sample, the documentation is by no means sparse. Where the real value lies is in the fact that succinct, concise and accurate information is generated about the current security configuration of your application. You can see where this becomes valuable when you have many users, roles, permissions and permission sets. Generating this documentation is a breeze.
Right click on your application in the Windows Console and select ‘Generate documentation’ from the context menu.
The Generate a report screen is displayed which allows you to choose what is reported and where to export this report to.
Report generation is quick and upon completion, the report is displayed to the user for review.
This is all there is to it. The document generation has been made really easy to accomplish. This ensures that whenever anything changes with regards to permissions, the documentation can easily be regenerated assuring that it will always be correct.
Visual Guard Event Viewer
The Event Viewer allows you to view various events that have occurred in the system (Visual Guard or Application) over a defined period of time. This is easily done (again without any extra work on your part) by right clicking on the application in the Visual Guard Windows Console.
The Event Log windows is displayed. I must admit however that I almost expected it to be already populated with information. I then realised that it doesn’t default to having any information populated in the data grid. To view event information, you need to modify the filters and click on the Find button. This is good, especially if you have a lot of information in your event viewer.
The Filter Type allows you to select a specific event filter. Based upon your selection here, other filters can be displayed to you but for now just click on the Find button.
Relevant information based on your filter selection is displayed to you in the Event Viewer grid. This allows you to immediately take control of unauthorised actions should you need to. It can also display user actions on certain forms such as field modifications and additions.
Any of the filtered data in the event viewer can also be exported as a PDF document. This allows you to keep an audit log that you can submit to management should it be necessary.
Lastly, if you are using a database (SQL Server/Oracle) as your repository then the Event Log table is the only database table that isn’t encrypted. This allows you to be able to draw your own reports from this table using Excel, Crystal Reports or any other custom reporting tool.
Visual Guard Authentication
Visual Guard can accommodate many types of authentication. From the Visual Guard Website comes the following:
Form-based authentication – This is the standard username and password combination.
Single Sign-On (SSO) based on Windows Accounts – Users log on to Windows as usual. When they start the application, Visual Guard uses the current Windows account to authenticate the user against Active Directory. The result is that the user does not need to reauthenticate themself each time they start an application.
Mixed Mode Authentication – The same application can support both Login/password accounts and Windows Accounts. This means that you can authenticate internal users with their Windows Accounts and external users with a username and password.
Define a Password Policy – For better security, you can declare rules that Visual Guard will enforce when the user defines his password.
Web Single Sign-On (Web Portal) – Federate several websites that may be placed in independent networks or companies. The user logs in once when entering the first website, and jumps to another website without entering his credentials again.
Identity Federation – Federate several Active Directory repositories belonging to distinct networks or companies. Administrators declare Windows accounts or Windows groups from these Active Directories in a central Visual Guard Repository. Then, the corresponding users can access the applications secured by the system. As a result, you get one central security system, although users are spread over several independent Windows domains.
Remote Windows Authentication – If a Windows application (Winform or WPF) is executed from a remote post (for example, a PC connected to the internet that does not belong to the same domain as the user’s Windows account), the user will enter their Windows credentials and Visual Guard will authenticate them.
Off-line mode (remote users) – If using a Winform or WPF application, the user can always enter the application, even if it cannot access the Visual Guard Repository. Visual Guard includes an offline store that contains the user permissions on the client-side and logs the user’s operations in the application. When the application regains access to the Server, the offline store is automatically synchronized with the Visual Guard Repository.
Visual Guard Groups
Groups enable true Multi Tenancy in Visual Guard. You can create a user to administrate the users of a specific group. This means that a non-technical user can easily be tasked with this role of basic user administration (Change user permissions, add or edit users). You can then grant this user access via the Web Console tool.
The Web Console tool can then also be branded further to represent your company logo and in doing so, create a unified look and feel to your user administration and permission configuration with the rest of your company systems.
Visual Guard Server
The Visual Guard Server allows you to secure non .NET applications that are not able to directly access the repository (or have no access to the database), and/or applications capable of https or SOAP requests (Java, Delphi, C++, etc…). Non .NET applications can unfortunately not use reflection, so they therefore need to use a Web Service to read the permissions set up in the Visual Guard repository. In other words, if your application can call a Web Service, then you can use Visual Guard Server to secure it. This expands the functionality of Visual Guard to beyond the reach of .NET, making it appealing to other application developers too.
Check Security Actions
Visual Guard allows you to check the Security Actions of your repository. This ensures that all the permissions you have set are still valid. To do this is as easy as selecting the option from the context menu.
Managing Identity Federation With Visual Guard
Visual Guard allows you to grant access to your applications to user accounts defined outside Visual Guard. An example of this would be accounts defined in Active Directory. The challenge exists when not all these accounts are defined in a single location, but rather across multiple identity stores. Furthermore to this, giving access rights to these is also not easy if they are each defined in their own Active Directory.
An example would be an application developed that is to be used by three different organisations, each with their own Active Directory. The development team programming the application will integrate Visual Guard into the code and create the repository to store the permissions for this application. The application and repository is then deployed in the production environment.
Next, an administrator from each organisation will select the windows accounts that are to have access to the application. This is done by using a tool provided by Visual Guard. The users are now able to access the application via the Internet using their Windows account. Accessing the application via the Internet will display a login form to these users where they need to select the appropriate type of authentication and log on to access the developed application.
Deploying The Visual Guard Repository
Visual Guard allows you to deploy the repository to the application’s production environment. Your development team can therefore create the repository and deploy it to live. Any changes can then be made to the development repository before putting it live. There are four methods of deploying the Visual Guard Repository:
- You can directly copy the Visual Guard tables and data from the source to the target database. This is the simplest solution, but keep in mind that you can only copy the full content of the repository and not a part of this repository because Visual Guard stores its data in a binary format.
- The second method is to make use of the Visual Guard Console that provides a Wizard to help you with the deployment. You can perform a full deployment or you can deploy only the data corresponding to the application. To do that, connect to the source repository and then right-click it. From the context menu, select the option ‘Deploy repository’.
This wizard enables you to directly deploy your repository into another one or export data as a deployment configuration file.
You can also select to deploy an application, to deploy the repository or to deploy the parameters of the repository.
- The third deployment method is through the use of the deployment tool. This tool uses the deployment configuration file exported by the console. It can be launched as a command line tool that allows you to automate your deployment.
- The last method is to use the deployment API. The API allows you to integrate the deployment in a custom program and uses the classes located in the ‘Novalys.VisualGuard.Security.Deployment’ (assembly: vg_deployment.exe) namespace.
Final Thoughts
Visual Guard allows you to define many systems (utilizing different technologies) from one console. You can manage them all including their securities from one central place. This is the beauty of Visual Guard. Visual Guard also supports complex configurations such as SAAS or multi-tenant (Visual Guard Groups and Active Directory). It is also compatible with security standards such as HIPPA and SOX and allows for full auditing and documentation.
Visual Guard also allows for the management of the repository via the Windows or a Web Console. It is therefore possible to split the responsibilities of the management of the repository. You can delegate the basic administration of users and permissions to a single user that can access the repository via the Web Console. You can then also allow the technical department to access the same repository via the Windows Console to allow for the configuration of more technical settings and actions. This allows for a clear separation of responsibilities.
Visual Guard is an excellent out-of-the-box choice for developers or organisations looking to secure their investment of source code. The granularity with which Visual Guard secures your application provides developers the best possible flexibility and configuration of permissions and securities without having to invest the time it takes to develop it themselves.
Disclosure of Material Connection: I received one or more of the products or services mentioned above for free in the hope that I would mention it on my blog. Regardless, I only recommend products or services I use personally and believe my readers will enjoy. I am disclosing this in accordance with the Federal Trade Commission’s 16 CFR, Part 255: “Guides Concerning the Use of Endorsements and Testimonials in Advertising.”