Protecting Flavor with password
This is my first blog; I hope I share something useful.
In Personas 3.0 I have created many flavors, but I was thinking about how to protect one even though it is assigned to some specific users, so I came up with this idea.
I wrote a script and attached it to the OnLoad event to get a value from the user and check it in the script. If the user enters the correct password, the flavor gets displayed; if the entered password is incorrect, the flavor is changed so that the user cannot access the main flavor.
In order to prevent continuous execution of the script on screen refresh, I have placed a text box, defaulted its value to 0, and changed the value to 1 if the entered password is correct. During script execution, the value of the text box is checked first, and the script proceeds only if it is zero. The code is given below.
if (session.findById("wnd/usr/txtPersonas_1457446845746").text == "0") { // Check whether the script is executing for the first time
    var pass = prompt("Enter the Password…"); // Get the password from the user
    if (pass == "personas") { // Check the password
        session.findById("wnd/usr/txtPersonas_1457446845746").text = "1"; // Change the value in the textbox if the password is correct
    } else {
        session.utils.changeFlavor("0021F60F04171ED5B9ACE21062731D05"); // Change the flavor if the password is incorrect
    }
}
A text box prompting for the password will be shown. I could not achieve hiding the password entry like "********" yet; I am working on it, and once I do it I will update this post.
Next is the flavor to which control changes. We have to customize this flavor with an appearance like "blocked" or "not authorized" and give it a back button or try again button so that the password can be re-entered. On clicking the back button it should take you to the main flavor. I have customized the flavor and it looks like this:
Hope this was a useful post. Thank you.
Why would you give a user access to a flavour you don't want them to use?
How do you propose to stop users from using the browser developer tools to see the source code for the onLoad script and hence discover the password?
I am a newbie and sorry if I am wrong. I am thinking from the end user's perspective: if he continues to use Personas and leaves the desk for a couple of minutes, then there is a chance of someone accessing the flavor.
I could not find a way to access the OnLoad script using the developer tools. Correct me if I am wrong.
Leaving your desk with your PC unlocked opens you up to more problems than just accessing a Personas flavour. If that's the problem you are trying to solve, this isn't the way to go about it.
To find the source for the onLoad script you just need to set a breakpoint at a suitable place and start stepping through. A familiarity with the internals of the Personas client helps.
The bottom line is that a Personas script is not the place to implement security.
Thank You Steve for enlightening me.
You can bypass the onload script using the URL parameter suppressOnLoadEvents=x, which breaks your flavor security.
Welcome to SCN and to SAP Screen Personas.
I think this approach could be useful as an advanced safeguard, to prevent users from accidentally doing an action that should be re-considered. For example before deleting a document.
On a Blackberry phone it would ask you to type the word "Blackberry" before triggering a security wipe - just to be sure that you were paying attention. This is similar.
However of course the other commenters are absolutely correct in that SAP Screen Personas must not be used for security. We are calling this out in SAP Note 2050838.
SAP Screen Personas
Thank you, Sebastian. Looking forward to gaining more knowledge in Personas.
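
The typed-confirmation safeguard suggested in the comments above (type a word before a destructive action such as deleting a document), as an added example that is not code from the original post or from SAP. The `askFn` parameter (a stand-in for `prompt()`), the fake session object, the confirmation word "DELETE" and the button ID are assumptions made for illustration.

```javascript
// Typed-confirmation guard against accidental actions. It is NOT an access
// control: the expected word is readable by anyone who can see the script.

// askFn stands in for prompt(); it is injected (an assumption of this
// example) so the logic can be exercised outside the Personas client.
function confirmByTyping(askFn, expectedWord, maxAttempts) {
    for (var attempt = 1; attempt <= maxAttempts; attempt++) {
        var typed = askFn('Type "' + expectedWord + '" to confirm (' +
                          attempt + "/" + maxAttempts + ")");
        if (typed === null || typed === undefined) {
            return false; // user pressed Cancel: abort instead of re-prompting
        }
        // Tolerate stray whitespace and case; this checks attention, not identity
        if (String(typed).trim().toUpperCase() === expectedWord.toUpperCase()) {
            return true;
        }
    }
    return false; // too many wrong entries: do nothing
}

// Hypothetical script-button handler: the real delete button is pressed
// only after the user has typed the confirmation word.
function guardedDelete(session, askFn, deleteButtonId) {
    if (!confirmByTyping(askFn, "DELETE", 3)) {
        return "cancelled";
    }
    session.findById(deleteButtonId).press();
    return "deleted";
}

// Constructed stand-in for the Personas session object; records button presses.
function makeFakeSession() {
    var pressed = [];
    return {
        pressed: pressed,
        findById: function (id) {
            return { press: function () { pressed.push(id); } };
        }
    };
}

// Constructed stand-in for a user: returns the given answers in order, then Cancel.
function scriptedAnswers(answers) {
    var i = 0;
    return function () { return i < answers.length ? answers[i++] : null; };
}
```

Inside a flavor the handler would be called with the real `session` and `prompt`; authorization for the delete itself still has to be enforced by the backend.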