>I was wondering about what most of you do for prompting users to login to your applications, if at all.
>
>Do you/your clients generally require this or are your applications usually only distributed to the users who are supposed to have access?
>
>Do you interface with the network login and use that to authenticate or do you create a user table for the app itself?
>
>When using a back-end DB like Oracle, SQLServer, do you have the app connect in with a dba account and just handle rights and roles within your app?
>
>
>Most of the stuff I've done only required basic security, like rights to screens, running particular reports, tracking who modifed each record, etc. So I've written everything into the app itself. The only issue was being able to see passwords, but I have a basic work around for that. Since most have been desktop apps, they've pretty much stuck to VFP databases and the users needed to get into the tables "behind-the-scenes" anyway.
>
>I ask this because now I'm planning on creating a client/server version of one of my apps and would like to know how the experts handle this.
>
>
>Thanks for any comments, ideas, past experiences your willing to share on this.
>
>- Brian

Adding Application Security above Network Security only enhances stability!
I know I'm going to get beat-up about that statement.
Where mobile users are concerned, different users moving from workstation to workstation (as happens constantly on the shopfloor), User ID must be recognized on the Application level in order to establish security rights at that time. I do track the workstation (Network Login) along with the user ID for transactions and history of worker movement. It is not feasable to re-login to LAN for each user visiting a workstation.

You can have the best of both worlds - Workstation ID, LAN user ID, and Application user ID - for problem solving or other tracking purposes.

Establish a Network group to have access to the appropriate subdirectories on the server and add users to the group. Establish a Security Table - but store it as something other than a dbf (scx,frm, whatever). Create an encryption routine to jumble the password storage and unjumble for retreival.

Userlevel is a global variable established during Application login, and during that session all forms, reports, buttons, etc. refer to it! Establish a user password change screen for the end-user.

Of course, your application may not have highly mobile users, and the other suggestions to have only LAN user determinate could be better for you.

Ed B