I'm working on a project in VB.NET that requires multiple clients to access the software simultaneously. However, these clients will have different levels of authority in the software: some will be Admins, some will be Managers, some will be Users.
As pictured, the Users will have only certain features of the software available to them and Admins have full control on the software.
I will be asking the clients to identify themselves when they start the software, maybe through a Username and Password. Once identified, the forms application should show only relevant forms and controls to them.
How do I develop my code so that I can incorporate user profiling? Are there any industry-standard ways of going about this?
I would look into role-based security as a good starting point. Here is an article I found that gives an example of doing this - http://msdn.microsoft.com/en-us/library/aa480723.aspx It is a bit outdated (2006), but I think the concepts should be current.
HTH
Wade
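One way to put that role-based approach into a VB.NET WinForms app, as an added example that is not part of Wade's answer or the linked article: the framework's GenericPrincipal carries the signed-in user's roles, the form hides what the role may not use, and the action handler checks again. The role names, the SignIn/IsInRole helpers and the MainForm controls are assumptions for the example.

```vb
Imports System
Imports System.Security.Principal
Imports System.Threading
Imports System.Windows.Forms
Public Module RoleSecurity
    ' Role names used throughout the application (assumed).
    Public Const RoleAdmin As String = "Admin"
    Public Const RoleManager As String = "Manager"
    Public Const RoleUser As String = "User"
    ' Called once the username/password has been verified; the roles come
    ' from the user store (verification and the store are out of scope here).
    Public Sub SignIn(userName As String, roles As String())
        Dim identity As New GenericIdentity(userName, "Custom")
        Thread.CurrentPrincipal = New GenericPrincipal(identity, roles)
    End Sub
    Public Sub SignOut()
        ' Empty name => IsAuthenticated is False, so every IsInRole check fails.
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity(""), New String() {})
    End Sub
    ' The one place that answers "may the current user do this?".
    Public Function IsInRole(role As String) As Boolean
        Dim p = Thread.CurrentPrincipal
        Return p IsNot Nothing AndAlso p.Identity.IsAuthenticated AndAlso p.IsInRole(role)
    End Function
End Module
' Example form: controls are shown per role, and the handler checks again,
' because hiding a button is convenience, not the security boundary.
Public Class MainForm
    Inherits Form
    Private ReadOnly btnDeleteAccount As New Button With {.Text = "Delete account"}
    Private ReadOnly btnApproveOrder As New Button With {.Text = "Approve order", .Top = 40}
    Protected Overrides Sub OnLoad(e As EventArgs)
        MyBase.OnLoad(e)
        Controls.AddRange({btnDeleteAccount, btnApproveOrder})
        AddHandler btnDeleteAccount.Click, AddressOf DeleteAccount_Click
        btnDeleteAccount.Visible = RoleSecurity.IsInRole(RoleSecurity.RoleAdmin)
        btnApproveOrder.Visible = RoleSecurity.IsInRole(RoleSecurity.RoleAdmin) OrElse
            RoleSecurity.IsInRole(RoleSecurity.RoleManager)
    End Sub
    Private Sub DeleteAccount_Click(sender As Object, e As EventArgs)
        ' Re-check on the action itself; a menu, shortcut or a second form
        ' could reach it without going through the hidden button.
        If Not RoleSecurity.IsInRole(RoleSecurity.RoleAdmin) Then
            Throw New UnauthorizedAccessException("Admin role required")
        End If
        ' ... perform the deletion ...
    End Sub
End Class
```

Call `RoleSecurity.SignIn(name, roles)` from the login form before showing MainForm; the same IsInRole check guards any server-side operation the client calls, since a client-side check alone can be bypassed.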
What considerations are needed when creating a web app that is intended to be used in an industrial plant setting for a company? My specific use case is an industrial facility with several different production plants that would each have its own device for the application interface.
How do companies enforce the usage of such apps on a monitor/tablet? For example, could I prevent them from using other stuff on the tablet?
Importantly, how would security work? They'd share a device. There may be multiple operators that use the app in a given shift. Would they all use the same authentication session (this is not preferable, as I'd like to uniquely identify the active user)? Obviously I could use standard username/passwords with token based sessions that expire, however, this leaves a lot of potential for account hijacking. Ideally, they'd be able to log on very quickly (PIN, perhaps?) and their session would end when they are done.
As long as there is internet connection, I would presume that there isn't much pro/con regarding the use of native applications versus web based or progressive web apps. Is this assumption correct?
What's the best way of identifying which device the application is being run on?
Is this a common thing to do in general? What other technologies are used to create software that obtains input from industrial operators?
--
Update - this is a good higher level consideration of the question at hand, however, it has become apparent why focused, specific questions are helpful. As such, I will follow up with questions that are specific.
Identifying the Area/Device a Web Application is Accessed On
Enforcing Specific Application Use on Tablets
Best Practices for Web App Authentication in Industrial Settings
I'm not able to answer everything in great detail, but here are a few pointers. In the environment you describe we usually see these two options: 1) you tell them what you need (internet, security, whether they give you the device and how it will be configured); 2) they tell you exactly what you need to deliver.
I do not think you can 100% prevent them. We did it by providing the tablet (well, laptops in our case) and the OS configuration took care of that; the downside was we had few devices to support. You seem to hint that there is always an internet connection, so I guess you can collect all info about the system and send it back to you daily?
We were allowed to "tap" into their attendance SW, and when you entered the facility you were able to use your 4-digit PIN to log in; if you were off the premises you could not log in at all. I can imagine the following: you log in with your username and password - this does full verification; after that, you can use a 4-digit PIN to log in for the next n hours.
maybe, kinda, depends on what you are doing. Does the browser have all features you need? Our system needs multicast to perform really fast, so we have a native app
Touched on this in 1. You could also use a device enrolment process. You can also contractually require that there will be only your software on the device, and that installing anything else may invalidate the support contract. It really depends on your creativity. My favourite (and it works): just tell them there will only be my software installed, and if not, you will pay me double for support. I only saw one customer who installed some crap on the device when they were told not to.
it really depends on what industry you are talking about, every industry is different. We almost always build a custom solution
The enforcement of the device/app usage depends on the customer; if the customer asks for help with the enforcement, then you can provide a guide, training and workshops. If the customer is serious about the enforcement, then it will be a policy that is adopted by the whole organization from the top down. Usually seniors will resist a workflow change more than juniors, so top management/executives should deal with that. Real-life story: an SAP team took 6 months to transform a major newspaper's workflow, and during that time a few seniors got fired because they refused to adopt the change.
Security shouldn't handicap the users. Usually in an industrial environment the network is isolated, or at least restricted through VPN to connect multiple sites (plants in your case). Regarding the active user: we usually provide a guide/training/workshop for the users and inform them that using a colleague's account or device will prevent the system from tracking their accomplishments/tasks, so each user is responsible for making sure the active account/device is the one assigned to him/her.
It depends. With native you have more control than with web, but if the app is just doing monitoring then most of today's apps use web for monitoring, and the common way to receive input is REST APIs (even if the industrial devices don't support a REST API, a middleware could be written to transform the output). If you need more depth about native vs. web you need to ask a new question with more details about the requirements.
Depends on the tech you are using (native or web), and on the things I mentioned in point 2: you can use a whitelist of devices that are allowed to run the app. Overall there are many good ways to track down the device.
How common in general? I think such information can only be obtained by survey; the world is full of variations. And having something be common doesn't mean it's safe or best; our industry keeps changing at all levels. So to stay in the loop, we must keep learning and self-updating without reboot.
When installing the latest intellij, I was reading the privacy policy and came across this:
We use third party service providers as discussed in this section. We also use third party service providers in other circumstances; a complete list of the reasons in which we use third party service providers can be found here.
The word "here" links to this page, which as of this writing contains only a list of links to other privacy policies, and NO information about how these 3rd parties are used or what data is shared with them (despite the text in the policy itself claiming the page contains this information).
Does anyone know HOW and WHEN the following services (copied from the above wiki page in case it changes) are used by IntelliJ?
Survey Gizmo
Statwing
QuickTap Survey
Facebook
Google
Microsoft
LinkedIn
Yandex
Twitter
Adyen
Crazy Egg
For the survey ones it's fairly obvious what's probably going on, but what data is shared, and under what circumstances, with some of the others could be important. In some cases folks might be working on projects meant to be kept secret, or might have personal or ethical reasons to avoid having a presence on some of those services. Without knowledge of which features send data to these providers, and what data is sent, it's hard to agree to the policy.
One might also argue that the failure to specify as claimed in the policy means they don't get to send any data, but nobody wants to bother with that legal mess... particularly since they could change their wiki after the fact, and then one has to prove what it said at the time etc. The alternate argument is that the lack of specification implies they might share any and all data...
Does anyone know of better information about how IntelliJ uses these providers? Googling just got me lots of links on how to install the Facebook SDK etc.
The privacy policy page shows links to the privacy policies of services used by the JetBrains Web site, marketing activities etc. As of version 2016.2 and all earlier versions, IntelliJ IDEA does not connect to any of those services, or send any data to them, from the product itself. I (a member of the JetBrains management team) am also not aware of any plans to start doing so in the future.
(Note that third-party plugins not developed by JetBrains do sometimes use those services.)
None of our downloadable IDEs or tools send back any sort of confidential information at all. The only information that is sent is anonymous usage data, and ONLY with the consent of the user. Even accepting the Privacy Policy does not imply you have to send back data. It's completely opt-in.
Beyond that, the only other information sent is performance data, exceptions and other information which again requires explicit user action and consent.
The Privacy Policy covers all software and services we provide at JetBrains, including but not limited to our installable tools, services, our web sites, surveys we may run, etc. The services you mention are all related to our web site, e-shop, social media promotions, advertising campaigns and/or surveys we may run. Our tools do not use any of those services.
Concurring with my colleague Dmitri, we do not however control what individual plugins may or may not do.
We do appreciate your feedback however and we will take steps to make it clearer on the page.
There are a number of free finance tracking sites out there like mint.com, wesabe.com etc.
I've tried all of them and all seem to miss the mark in one way or another. I'm interested in creating my own website, or possibly just a stand-alone Windows program, for tracking my finances in ASP.NET or C#.NET.
I'm assuming the answer is no, but is there any way that a personal developer can download transactions from financial websites like these? I know once you log in to most financial sites you can download a CSV or Quicken file. Yet I really like how I can log in to my Mint.com account and update all my accounts with one click.
Popular applications (like Quicken) and most major US banks support Open Financial Exchange (OFX). If a bank can connect to Quicken, it probably supports OFX (though not guaranteed).
I doubt very many banks have public APIs for this. More likely than not, you will need to send HTTPS requests to the various banking websites, and you will probably have to have custom code for each bank that you wish to support, tailored to the structure of their websites and their form elements.
I am developing software which I want to sell online. The typical "pay the vendor, get a digital key that unlocks the application" scenario.
I've never set this up before; does anyone have any info on good service providers, and things I need to know when setting this up?
Microsoft uses Digital River, maybe check them out?
You can check out a typical license acquisition flow using FastSpring:
FastSpring / NetLicensing flow
This combines FastSpring e-Commerce and NetLicensing license management.
You did not say what language you are planning on using, but this is a great solution for a .net compiled language:
http://xheo.com/products/copy-protection
It provides two key features. First, the ability to automatically generate your licenses based on many different e-commerce solutions, so you don't have to keep paying a 3rd party a % for it. Second, it offers code protection to prevent people from using Reflection on your software to crack it / steal your intellectual property. (Note I said prevent, not completely stop.)
I'm using FastSpring: you give them the binary file and keys, and you set up your account to send an email that contains these two pieces of information. You can tell them what you want and they will do it for you.
This question is an open question since it's not bound to a programming language:
Is it a bad idea to provide users an auto-login feature? Why?
I've been reading a couple of papers arguing that an auto-login feature in web development leads to many users having trouble with "hijacked" accounts. However, I would like to read a real answer/comment from someone with experience on this matter.
Well, I think it totally depends on the audience which is consuming the services you are providing.
If you are in an intranet environment, then it is a good idea to enable auto-login features. It provides more luxury to the users. But still you must check in the background the application access level for each particular user.
In an internet environment you have much less control - more likely no control - over who is going to use the application. Therefore there you should have an authentication mechanism in place and not provide any auto-login features except through cookies.
HTH
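Both the "full login, then a 4-digit PIN for the next n hours" scheme from the industrial-settings answer above and the cookie-based auto-login this answer allows come down to the same mechanism: a secondary credential issued only after a full username/password verification, stored as a salted hash with an expiry. The following is an added example, not code from either answer; the class name, the user+device key, the 5-failure lockout and the PBKDF2 parameters are my assumptions. The same store serves a low-entropy PIN (bound to the tablet it was issued on and attempt-limited, because a PIN is guessable) and a long random "remember me" cookie token.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Public Class SecondaryCredentialStore
    Private Class Grant
        Public Salt As Byte(), Hash As Byte(), ExpiresUtc As DateTime, Failures As Integer
    End Class
    Private ReadOnly _grants As New Dictionary(Of String, Grant)()
    Private Const MaxFailures As Integer = 5   ' a 4-digit PIN must not be brute-forced
    ' Key on user + device so a PIN issued on one tablet is useless on another.
    Private Shared Function Key(user As String, device As String) As String
        Return user & "|" & device
    End Function
    Private Shared Function RandomBytes(n As Integer) As Byte()
        Dim b(n - 1) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(b)
        End Using
        Return b
    End Function
    ' PBKDF2 so a leaked store does not give away PINs or tokens.
    Private Shared Function Derive(secret As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(secret, salt, 100000)
            Return kdf.GetBytes(32)
        End Using
    End Function
    Private Shared Function SameBytes(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0      ' fixed-time: no early exit on first mismatch
        For i As Integer = 0 To a.Length - 1 : diff = diff Or (a(i) Xor b(i)) : Next
        Return diff = 0
    End Function
    ' Call only after a successful full login. Pass NewToken() for a cookie,
    ' or the user's chosen digits for a PIN; lifetime is the "next n hours".
    Public Sub Issue(user As String, device As String, secret As String, lifetime As TimeSpan)
        Dim salt = RandomBytes(16)
        _grants(Key(user, device)) = New Grant With {.Salt = salt, .Hash = Derive(secret, salt),
            .ExpiresUtc = DateTime.UtcNow.Add(lifetime), .Failures = 0}
    End Sub
    ' True only while the grant is unexpired and not locked out.
    Public Function Verify(user As String, device As String, secret As String) As Boolean
        Dim g As Grant = Nothing
        If Not _grants.TryGetValue(Key(user, device), g) Then Return False
        If DateTime.UtcNow > g.ExpiresUtc OrElse g.Failures >= MaxFailures Then Return False
        Dim ok = SameBytes(Derive(secret, g.Salt), g.Hash)
        If Not ok Then g.Failures += 1
        Return ok
    End Function
    Public Shared Function NewToken() As String
        Return Convert.ToBase64String(RandomBytes(32))   ' 256 random bits for the cookie case
    End Function
End Class
```

For the cookie case the value returned by NewToken() goes into an HttpOnly, Secure cookie and the store keeps only its hash; for the PIN case the lifetime should match the shift length so the grant dies when the operator is done, and any failed-PIN lockout should fall back to a full password login.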