At last I have found a product, which solves a problem I have always had as a developer: how to easily secure my applications according to the users' profile.
I can't remember how many times I was asked to develop an application and then, when it was implemented, to urgently add the possibility of blocking access to a part of the application to some users. I end up modifying the application in order to add the notion of "role" or "profile" for the sole purpose of hiding a menu. Once you start studying the problem, you realise you're going to have to store information somewhere, and then develop screens to manage the users and the profiles, etc.
Of course, I have developed my own solutions that I try to re-use from project to project, but this solution has nothing to do with what Visual Guard offers. Indeed, Visual Guard provides a complete framework, which allows identifying and validating user profiles. It also has an administration console, which simplifies the management of the whole thing.
When I began studying Visual Guard, I was afraid it would impose a very strict security model which would therefore compel me to adapt the specificities of my screens to its own constraints. I quickly found out that Visual Guard is not very intrusive in the application code. This is one of Visual Guard's very specificities. The implementation of security is practically completely separate from the rest of the application. During my tests I even managed to integrate VG in an application, which was already written.
How does Visual Guard work?
First you have to integrate the Visual Guard runtime to the application. To do so, you need to add VG's assemblies' references to your project and add the code which will open the dialog box when you launch the application. The project on which I tested Visual Guard already had its own login window. I only had to replace the call to my authentication method by a call to Visual Guard's one. Visual Guard even allows you to use your own authentication system (like the Windows login or the database's one).
And then...well, that's it. At least for the coding part! I told you Visual Guard wasn't intrusive, didn't I? To be totally correct that's enough if you only want to modify objects (grey out buttons, hide fields...). Otherwise you also have to insert a line of code in the constructor event of your object.
Everything is then managed through the Visual Guard console. You open the console and with the help of a wizard, you create a repository. The repository will contain all the information related to security (users, profiles, permissions, etc.).
I was glad to find out that the repository is multi-application; the users are defined once and they will be recognized by all the applications secured with VG: the permissions are managed in a single tool. Once the repository is created, you state which application you want it to secure. Then you define the permissions and restrictions which will be granted to the users, such as "Allow orders", "Hide the wages"...
You then indicate what the technical actions are for each permission. For instance to "Hide the wages" you need to switch the property "visible to "false" in the form "employee" and then in the textbox "txtSalary" and the label "lblSalary".
These are the actions Visual Guard will execute dynamically if a user is associated to the permission "Hide the wages".
Then you have to create a set of permissions. A set of permissions is a group of permissions which can be attributed to users (for example: a set of permissions can be all the permissions associated to sales, or all the permissions associated to sales managers).
You have to create profiles as well. A profile will gather the users who have the same use of the application (for instance: the sales people and the sales manager).
Finally you attribute a set of permissions to a profile and the appropriate users to that profile.
Once these elements are created, you can launch the application. When the user is identified Visual Guard automatically applies the permissions in the application (for example, if a sales person enters the application, the field "wages" will be hidden)
Visual Guard's strengths
Visual Guard provides a complete solution regarding the security of applications. It is user-friendly and brings an original approach since the security management is separated from the rest of the code. This facilitates immensely the evolution of security rules in the application.
Another key feature is that thanks to the console, the management of users can be delegated to non-technicians administrators. The development team doesn't have to intervene on these tasks anymore.
Visual Guard's weaknesses
The application's customisation by Visual Guard is very elaborate, and one could be tempted to use it for other tasks than security. You have to be careful about this approach. Making an application more dynamic can add a level of complexity rending maintenance difficult.
Today, the list of the users must necessarily be captured in Visual Guard. I would have liked to be able to have access automatically to the users' list of my domain (or those of Active Directory). After discussing with the tool's support team, this feature will be included in the next version.