
This is my first blog; I hope I share something useful.

In Personas 3.0 I have created many flavors, but I was thinking about how to protect them even though they are assigned to specific users, so I came up with this idea.

     I wrote a script and attached it to the OnLoad event to get a value from the user and check it in the script. If the user enters the correct password, the flavor is displayed; if the entered password is incorrect, the flavor is changed so that he cannot access the main flavor.

     In order to prevent continuous execution of the script on screen refresh, I have placed a text box, defaulted its value to 0, and changed the value to 1 if the entered password is correct. During script execution, the value of the textbox is checked first, and the script proceeds further only if it is zero. The code looks like the one given below.

if (session.findById("wnd[0]/usr/txtPersonas_1457446845746").text == "0") // Check whether the script is executing for the first time
{
    var pass = prompt("Enter the Password…"); // Get the password from the user
    if (pass == "personas") // Check the password
    {
        session.findById("wnd[0]/usr/txtPersonas_1457446845746").text = "1"; // Change the value in the textbox if the password is correct
    }
    else
    {
        session.utils.changeFlavor("0021F60F04171ED5B9ACE21062731D05"); // Change the flavor if the password is incorrect
    }
}


A textbox prompting for the password will be shown. I could not achieve hiding the password entry like "********" yet; I am working on it, and once I do it I will update this post.


       Next is the flavor to which control changes. We have to customize this flavor with an appearance like "blocked" or "not authorized" and give it a back button or try again button so that we can re-enter the password. Clicking the back button should take you to the main flavor. I have customized the flavor and it looks like this

Hope this was a useful post. Thank you.


7 Comments


  1. Steve Rumsby

    Why would you give a user access to a flavour you don’t want them to use?

    How do you propose to stop users from using the browser developer tools to see the source code for the onLoad script and hence discover the password?

    (0) 
    1. Vigneshkkar Ravichandran Post author

      Hi Steve,

           I am a newbie and sorry if I am wrong. I am thinking from the end user's perspective: if he continues to use Personas and leaves the desk for a couple of minutes, then there is a chance of someone accessing the flavor.

           I could not find a way to access the OnLoad script using the developer tools. Correct me if I am wrong.

      (0) 
      1. Steve Rumsby

        Leaving your desk with your PC unlocked opens you up to more problems than just accessing a Personas flavour. If that’s the problem you are trying to solve, this isn’t the way to go about it.

        To find the source for the onLoad script you just need to set a breakpoint at a suitable place and start stepping through. A familiarity with the internals of the Personas client helps.

        The bottom line is that a Personas script is not the place to implement security.

        (0) 
  2. Sebastian Steinhauer

    Hi Vigneshkkar,

    Welcome to SCN and to SAP Screen Personas.

    I think this approach could be useful as an advanced safeguard, to prevent users from accidentally doing an action that should be reconsidered. For example, before deleting a document.

    On a Blackberry phone it would ask you to type the word “Blackberry” before triggering a security wipe – just to be sure that you were paying attention. This is similar. 

    However of course the other commenters are absolutely correct in that SAP Screen Personas must not be used for security. We are calling this out in SAP Note 2050838.

    Cheers,

    Sebastian Steinhauer

    SAP Screen Personas

    Product Owner

    (0) 
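
The typed-word safeguard described in the comment above, as an added example that is not part of the original post or of SAP Screen Personas: `confirmByTyping`, `guardedAction` and `scriptedAsk` are hypothetical names, and `ask` stands in for the `prompt()` call the post uses. The word is displayed to the user, so this guards against inattention only and is not an access control.

```javascript
// Added example: typed-word confirmation before a destructive action.
// Nothing here is secret; the word to type is shown in the dialog itself.

// ask: function(message) -> string or null (null = dialog cancelled),
//      e.g. the browser prompt() used in the post. Hypothetical parameter name.
function confirmByTyping(ask, word, maxTries) {
  for (var i = 0; i < maxTries; i++) {
    var answer = ask('Type "' + word + '" to confirm, or cancel to abort.');
    if (answer === null) {
      return false; // user cancelled: treat as "do not proceed"
    }
    // Tolerate surrounding spaces and case differences, nothing else.
    if (String(answer).trim().toLowerCase() === word.toLowerCase()) {
      return true;
    }
  }
  return false; // repeated mismatches: fail closed
}

// Runs action() only after a successful confirmation.
function guardedAction(ask, word, action) {
  if (!confirmByTyping(ask, word, 3)) {
    return { ran: false };
  }
  return { ran: true, result: action() };
}

// Constructed stand-in for prompt(): replays canned answers, then "cancels".
function scriptedAsk(answers) {
  var i = 0;
  return function () {
    return i < answers.length ? answers[i++] : null;
  };
}

// Constructed demo: one typo, then the correct word.
var demo = guardedAction(scriptedAsk(["delet", "delete"]), "DELETE", function () {
  return "document deleted";
});
console.log(demo);
```
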
