Unexpected data exports in Relational Reporting and XML Export with multiple roles

Last update: 31 January 2018

Summary

You export data with Fabasoft Relational Reporting, XML-Export by XSLTransformObject or other methods to export data from Fabasoft Folio. Your user has more than one user role with different access rights to the export data. 

In this situation it may occur that your exported data include data that your current role should not be able to access (but other roles would), or data are missing.

This behaviour is caused by a feature called "Automatic role change". This article explains how this feature works and how you can avoid an automatic role change on data exports.

Information

Automatic Role Change

If a function tries to read or write data to an object it cannot access because of the ACL, the Fabasoft Kernel examines if the user has a user role that is allowed to access the object. If a valid user role could be found, the Kernel automatically changes to this user role and can access the data. Inside one Fabasoft Transaction, the Kernel will only fullfill one single role change.

After this automatic role change, the Fabasoft Kernel continues to access data with the changed user role. If - inside the same transaction - the Kernel hits an object that cannot be accessed with the new role, it will not do another role change but stays in the latest role. Therefore, it cannot access the objects.

On exporting data, with Relational Reporting or XSLTransformObject, this behavior may lead to export results with data that cannot be accessed with the initial user role, or missing data that should be accessable with the initial role.

 

Solution

There are two possible solutions to disable automatic role change. Use the best matching way for your use-case.

Solution 1: Disable Automatic Role Change in User Environment

The User Environment include a property usrenvnorolechange that is not accessible in the user interface.

With fsceval (Windows and Linux) or Expression Tester (exprtest.exe - Windows) it is possible to change the property:

Example:

Presumption is, COO.2010.100.1.12345 is the user environment of the user.

COO.2010.100.1.12345.ObjectLock(true, true);
COO.2010.100.1.12345.usrenvnorolechange = true;
cootx.Commit();

Solution 2: Disable Automatic Role Change by Transaction Variable

Inside the used transaction, set the following transaction variable:

#TV.TV_NOAUTOROLECHANGE = true;

Fabasoft Folio 2017 and above

As the Automatic Role Change is deprecated since Fabasoft Folio 2013, starting with Fabasoft Folio 2017 the feature is removed. 

 

Applies to

  • Fabasoft Folio below 2017
  • Fabasoft eGov-Suite below 2017