Sonic Forms Security

Sonic Forms is built into RiSE and uses RiSE security for configuring and controlling access to Sonic Forms pages. Depending on your iMIS version, you can limit access to a page by:
  • Specific iMIS Roles
  • Specific iMIS users
  • Specific iMIS Member Types
  • Specific iMIS groups
In general, these options will either force a user to log in or show an "access denied" message. Sonic Forms lets you build more complex and optimized workflows on top of the basic iMIS security model.

Page Level Access Control

Sonic Forms users can control access to a specific page where a Sonic Form is deployed using the VA Redirector, which is included with all Sonic Forms installations. See the documentation for details on the use of this tool.


Form Level Access Control

For more advanced applications and scenarios, Sonic Forms offers an additional level of security using a stored procedure that grants or denies access to a specific form for individual users, groups of users, or based on dynamic data. The stored procedure is invoked to check whether a given user is able to access a form. It is called "sp_va_ff_ValidatedID" and takes three parameters:
  • @UserID – ID of the logged-in iMIS user
  • @TargetID – ID of the user whose data would be updated by the form
  • @FormName – name of the Sonic Form being accessed

The sp_va_ff_ValidatedID procedure is called every time a form is loaded. If the stored procedure does not exist, Sonic Forms creates a default one. This default procedure applies the following rules:

  • If the user's role is System Administrator or Content Administrator, grant access
  • If the UserID equals the TargetID, grant access

If neither of these conditions is met, the user is denied access to the form with the following message:

Sorry - you cannot access this form on behalf of this user.

Allowing Form Access

The @FormName parameter allows granular control of access to forms. For example, you may have membership forms whose names match "MEM%" that should be accessible to one group, and a set of Company Administration forms whose names match "COADMIN%" that should only be accessible to users who are approved Company Administrators.

Here are some sample use cases:
  • Check the membership renewal status of the TargetID and deny access to the form if they have not paid their dues.
  • Restrict access to a program application form if a staff approval step has not been completed.
  • Prevent new members with less than one year's tenure from applying for an advanced membership benefit.

Allowing Secure Third-party Form Access (see also User Impersonation)

The @TargetID parameter supports scenarios where an authorized user views or updates information on behalf of another user. When a person is accessing their own information, the values of @UserID and @TargetID are identical. When an authorized third party (e.g. a Chapter administrator) is expected to complete a form for another person, the sp_va_ff_ValidatedID procedure can check whether the UserID has specific rights to view or update the TargetID's information.

For example, a student applies for a mentorship program and gives consent to share their information with a mentor. The mentor can be allowed to view a Sonic Form providing contact information for their mentee along with their application information. A URL such as the following would be used:
  • /programs/mentorship/menteeprofile.aspx?ID=23545
where "23545" is the "TargetID" or the ID of the mentee.

When the mentor visits this page using this URL, the sp_va_ff_ValidatedID stored procedure checks whether the mentor has rights to view information for TargetID 23545 on a Sonic Form called "MENTEE_PROFILE". If they are authorized, the form is displayed; otherwise it is not available to that person.
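As an added example (not the default procedure Sonic Forms creates), the T-SQL below implements sp_va_ff_ValidatedID with the two default rules from the previous section plus the "COADMIN%" and "MEM%" form-name checks and the mentor/mentee delegation described here. The page states neither the parameter types, nor how the procedure signals its decision, nor any table names, so the INT/NVARCHAR types, the RETURN 1 = grant / RETURN 0 = deny convention and the dbo.va_* tables are all assumptions.

```sql
-- Assumed contract: INT IDs, NVARCHAR form name, RETURN 1 = grant, RETURN 0 = deny.
-- dbo.va_UserRole, dbo.va_CompanyAdmin, dbo.va_DuesStatus and dbo.va_MentorConsent
-- are hypothetical tables standing in for wherever this data lives in your iMIS.
CREATE OR ALTER PROCEDURE dbo.sp_va_ff_ValidatedID
    @UserID   INT,
    @TargetID INT,
    @FormName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Page default rule 1: System/Content Administrators may open any form.
    IF EXISTS (SELECT 1 FROM dbo.va_UserRole
               WHERE UserID = @UserID
                 AND RoleName IN (N'System Administrator', N'Content Administrator'))
        RETURN 1;

    -- Form-family gates sit BETWEEN the administrator override and the
    -- self-access rule, so a plain member cannot open a COADMIN form on
    -- their own record just because UserID = TargetID.
    IF @FormName LIKE N'COADMIN%'
       AND NOT EXISTS (SELECT 1 FROM dbo.va_CompanyAdmin WHERE UserID = @UserID)
        RETURN 0;

    -- Membership forms stay closed while the TARGET's dues are unpaid,
    -- whoever is trying to open them on that member's behalf.
    IF @FormName LIKE N'MEM%'
       AND EXISTS (SELECT 1 FROM dbo.va_DuesStatus
                   WHERE ID = @TargetID AND Paid = 0)
        RETURN 0;

    -- Page default rule 2: a person may act on their own record.
    IF @UserID = @TargetID
        RETURN 1;

    -- Delegated access: a mentor may open MENTEE_* forms only for a mentee
    -- who has recorded consent. [_] escapes LIKE's single-character wildcard.
    IF @FormName LIKE N'MENTEE[_]%'
       AND EXISTS (SELECT 1 FROM dbo.va_MentorConsent
                   WHERE MentorID = @UserID AND MenteeID = @TargetID)
        RETURN 1;

    -- Deny by default: any caller/form pair not matched above gets the
    -- "Sorry - you cannot access this form" message, so a TargetID edited
    -- into the URL by an unrelated user never reveals another member's data.
    RETURN 0;
END;
GO
```

Rule order is the security-relevant part: a deny gate placed after the self-access grant would never run for a user opening a form on their own record.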

Help with Stored Procedures

Using stored procedures is a powerful technique that allows you to transform your data and achieve your business goals. If you are not comfortable with SQL and creating stored procedures, you can:
  • Attend an upcoming NiUG or other training seminar
  • Contact your authorized iMIS solution provider for assistance
  • Contact Visual Antidote for assistance
There are also extensive resources and training information available on the web to help you.