Dealing with security assignments

I wonder if anybody has some really big projects and if so - how you deal with security assignments ?
I have huge project with around 250 tables, over 500+ apps and 12 different security groups. Each group have its own set of apps and privileges, but there are also apps with full access to all users.

When I open the Groups-Apps (autogenerated form) the list is humongous (even if filtered by the group).
Going through the list and editing privileges is a test which takes huge mount of time and it is very easy to make a mistake.

I wonder what are your thoughts or tips to maintain all this ?

Definiting all the groups is a burden but a one-time job. The only option I see is to make a module yourself, where you create application groups of applications that belong together and share the same security. But it is only an option if this situation applies to you. Another option is to create a maintenance module with selectable checks or select boxes and move them over in batch. But I don’t see an out-of-the-box solution. But I agree on your point, the security module is not the most user friendly to say it nicely.

Not only unfriendly but the database structure is very, very poorely designed. the main table with the users does not have even an UID key which speeds up searches , indexing and koining tables - huge downside

Why does uid speed up searches? The datatype is not supported by all supported databases. In php it is a string. Searches on unique int is by far faster imho. Besides that, the current module is virtually the same as ages ago. But in general I agree with your points.

Hi,
I use the concept of a role that includes one or more applications. The user configures security by groups and roles or functionalities.
When I make new applications I have a script to insert all the new applications into their role or functionality.

For example, if you have 10 applications managing clients (grid, forms, control, etc.) all of them are under the same functionality and the user only configures this one.

Regards.

I prefer to create different folders in the project with prefix for any Scriptcase app (e.g. admin_xxxxx for group administration), so when you access the admin panel you can filter by prefix.
It’s an idea that solves some problems, but not all.

I do similar, but have my own Prefixes not related to the groups

I find the security system very good.
maybe none of you have worked with IBM AC systems on S38 or AS400. Even the systems on VAX are very complex.
it is important to do a good job at the table dividing the users and identifying the common APPs, the default ones. it helps a lot to use the ISO methodologies

I worked even with older IBM systems SC’s security system is what I would call ‘standard.’ It is perfectly fine but by no means exceptional. Multiple roles for people can be an issue, at least it was. Not sure if SC has changed that.

“use the ISO methodologies” ? can you explain whay you mean ?

For me the major culrit is the App asignment. Some of them are shared with all groups, some designated for specific groups, some for Admins only, some (Login) has no security at all. I have project with almost 600 Apps and it is a pain on the ass to keep track of these assignments.
We use App prefixes, which helps a little but does not solve the problem completely.

The database structure is very poorely designed (ie. sec_users table does not even have a PrimaryKey on numeric field (which is almost a MUST). Relationshps are buit on text fields instead of numeric which is turn slows down database processing (unless one implements VIEWs).

Old technology and old concepts. It works but is quite inconvenient. I am working on figuring out some method to simplify App permissions… but with keeping an existing structure it is very hard.

I don’t like the security module because of the complexity and maintenance burdon. The principle of application groups is not implemented. The only way around it, is to hack the standard modules and adapt to your own needs.

I made an adaptation grouping the apps in a role, so I only manage the security by roles and groups, and then I copy the permission in the apps, but for the users it is easier, when you have 1000 apps…
For example I have a role that is User Management, which has several apps, when I manage the permissions for that role it transfers them to the apps.

I have my own application to register apps and assign them to roles.

These are some ideas that I have implemented in my security module that may be useful to someone else:

• Create new user like other. I bring all groups for user XX for example when admin add a new user
• Copy permission from Source Group to Target Group
• Added in filter group for Groups/Apps a radio button with Active, Inactive or All permission
• In Users by group, added a button to assign user to group using a double select
• Apps by group. Show in a grid group, app and permissions by app. You can filter an app and see all groups is assigned for example.
• I added a link in groups that show all users belonging to that group
• In Users grid added the groups assigned for the user
• IPs white and black lists.

gbillot3 - I am about to implement IP filtering (on a project level). That is if the user current IP matches the one in dB the users can access the project, if not he is denied.
Can you elaborate bit more how you use the IP monitoring and how it works for you. Any problems or issues ?

hi @aklass I created a table sc_logged_white with a range of ips: id, ip_from, ip_to and description

OnLoad event of the app_login the app checks if the ip is between any range of the table. If matched redir to app_login else exit or redir to blank app with a message.
Also I use this to add the ip to the black list table if the login fails 3 times. If the IP is in the white list, I did not block the ip for 3 login fails.

$wip = $_SERVER[‘REMOTE_ADDR’];
SELECT *
FROM sec_logged_white
WHERE (INET_ATON($wip) BETWEEN INET_ATON(ip_from) AND INET_ATON(ip_to))

Regards.

1. why you use IP range not a single IP / per user computer ?
2. how you deal with situations when the user is using VPN, PROXY etc…?
3. Have yo uever had a case where IP cannot be read from the user PC?
4. if the user users only IP v6, but another is using only IP v4, what you do ?

Hi
in my opinion, the security aspects are best addressed through firewall + waf devices.
Covers most of the possible security issues of an application.

Actually… maybe…
I mean, if you can fully rely on the hosting party, then probably yes. But, imho, I still try to make my application as secure as possible, no matter what technical configuration is around you, especially when you deploy on customers’ servers.

Of course, it is a combination, the application must be secure, but it cannot ignore current technologies in the security architecture of the application and protection against threats, because it is not possible to replicate them at the application level.
DoS/DDoS attacks, bot attacks, zero-day attacks, analysis of files uploaded to the application, reputation analysis and geolocation of connecting ips, malware, as well as protection against typical CSS, SQLi, CSRF, XSS, etc. attacks do not make sense to implement them completely in the application although the application plays its role and can be protected in some way, but it will always have limitations, for example how do you protect against injection in the code generated by scriptcase?

From experience, I can tell you that 90% of compromised websites, web apps, and databases aren’t breached because of the applications themselves—but rather due to the servers hosting them. Attackers rarely bother trying to “hack” a specific site or app. Instead, they usually target the servers, because why waste time and effort exploiting a single application when you can steal everything at once—all apps, all databases? Security depend heavily on the server, configuration, whether its software is up to date, protections in place (firewalls, open ports, redirects, etc.)