
Author Topic: Is it possible to secure(block) scripting?  (Read 4327 times)

JeffHamel

Is it possible to secure(block) scripting?
« on: October 19, 2012, 01:49:45 am »
Hi everybody!

I'm currently working on a project which will be used by a lot of people with limited access to most of the content of the Repository by these people. We have created different security groups to control which actions are permitted on a package/diagram/element/... to a group of users.

Now, is there a way to block script edition, creation or execution to a user? The fact is, even if you don't give a user the permission to modify an element in the repository with security, if he can write a script he will be able to do almost whatever he wants. Am I right?

Maybe I just missed something and this question is impertinent. If it's the case sorry about that, but can you give me a hint of what we should do to properly secure the repository?

Thank you!

Jeff

Paulus

Re: Is it possible to secure(block) scripting?
« Reply #1 on: October 19, 2012, 09:59:05 am »
Hi Jeff,

I think you are right: if a user has access to script he can do almost anything.

I would allow untrusted/public users only access to a website generated from the repository, or supply them with EA Lite (http://www.sparxsystems.com/enterprise_architect_user_guide/introduction/ea_lite.html).

If that is not an option because the users must be allowed to make certain changes to the model then use the professional edition of EA as it doesn't support script execution (check http://www.sparxsystems.com/products/ea/index.html#editions).

If you are trying to prevent users from making mistakes then you might consider merely hiding menu items/commands related to scripting (and also hide those menu items/commands that allow a user to change menu items/commands/workspaces ;))

best regards,

Paulus
« Last Edit: October 19, 2012, 10:04:02 am by pmaessen »

Geert Bellekens

Re: Is it possible to secure(block) scripting?
« Reply #2 on: October 19, 2012, 04:41:36 pm »
There's indeed no security permission for scripting.

On the other hand you should consider that you will never be able to stop malicious users from doing something wrong with the model.

If they are savvy enough to know how to use the scripting in EA you won't stop them by disabling it. Then they would just write an add-in, or an external script. Hell, you can even use Excel's built-in VBA editor to access EA and execute scripts :o.

So all you can do is politely ask people to behave according to the rules, (and use version control and backups in case that backfires ;D)

If on the other hand you want people to only have read-only access, you should indeed use EA-Lite, but most importantly, use a "real" database and set the security on the database level.

Geert
« Last Edit: October 19, 2012, 04:44:19 pm by Geert.Bellekens »

JeffHamel

Re: Is it possible to secure(block) scripting?
« Reply #3 on: October 20, 2012, 01:21:17 am »
Ok, thank you guys!

This is quite what I thought it was, I guess we just have to deal with it. Like you said Geert, even if we find a way to disable scripting for some users, there will still be a way to modify the repository with an Excel VBA script.

We use an Oracle database for our repository, so I think it will be rather simple to set the security on this level and to keep an eye on users' actions. I will also discuss with my colleagues which version of EA common users will be using according to needs.

From what I've learned already, if there's a way to do something you don't want to be done, someone will find a way to do it someday. Even if it's not his intention to do wrong.

Thanks again for your help!

Jeff

qwerty

Re: Is it possible to secure(block) scripting?
« Reply #4 on: October 20, 2012, 03:26:49 am »
You might add GRANTs for single tables based on DB authorization. But that might prove to be tricky and eventually will fall on your feet with all its weight. The table in question is t_script.

q.
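
An added example, not part of the thread: the per-table GRANTs qwerty mentions, combined with the database-level security Geert suggests, written for the Oracle repository Jeff describes. The schema owner EA_OWNER, the roles ea_reader and ea_modeler and the account JSMITH are hypothetical; only the table name t_script comes from the thread. It limits who can change scripts stored in the repository and records attempts; it does not stop a modeler from changing other tables through external automation.

```sql
-- Added example. Assumptions: run as a DBA; the repository tables are owned
-- by EA_OWNER; each user connects with a personal Oracle account.
CREATE ROLE ea_reader;   -- read-only access to the whole repository
CREATE ROLE ea_modeler;  -- may edit the model, but not stored scripts

BEGIN
  FOR t IN (SELECT table_name FROM all_tables WHERE owner = 'EA_OWNER') LOOP
    -- Readers: SELECT only, on every repository table.
    EXECUTE IMMEDIATE 'GRANT SELECT ON EA_OWNER."' || t.table_name
                      || '" TO ea_reader';
    IF UPPER(t.table_name) = 'T_SCRIPT' THEN
      -- Modelers can read stored scripts but cannot add or alter them.
      EXECUTE IMMEDIATE 'GRANT SELECT ON EA_OWNER."' || t.table_name
                        || '" TO ea_modeler';
    ELSE
      EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE ON EA_OWNER."'
                        || t.table_name || '" TO ea_modeler';
    END IF;
  END LOOP;
END;
/

-- Hypothetical account: give it exactly one of the two roles.
GRANT CREATE SESSION TO jsmith;
GRANT ea_modeler TO jsmith;

-- Record every write to t_script, allowed or denied
-- (traditional auditing; needs the AUDIT_TRAIL parameter enabled).
AUDIT INSERT, UPDATE, DELETE ON ea_owner.t_script BY ACCESS;

-- Review: which accounts hold which privilege on t_script.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'EA_OWNER' AND UPPER(table_name) = 'T_SCRIPT'
 ORDER BY grantee, privilege;

-- Review: recent audited write attempts on t_script.
SELECT username, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'EA_OWNER' AND UPPER(obj_name) = 'T_SCRIPT'
 ORDER BY timestamp DESC;
```

Accounts other than the schema owner also need the repository tables to resolve without a schema prefix (for example through synonyms), which is an assumption about the deployment rather than something stated in the thread.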