This project has moved. For the latest updates, please go here.

Is the web version of the openPDC Manager still maintained?

Jul 10, 2013 at 9:02 PM
Edited Jul 10, 2013 at 9:35 PM
I can't find the install files in the binary download and the projects in the source seem to be excluded from the solution. Is this still usable?

EDIT: Just saw a past discussion that said the web version has not been maintained. I would like to bring up a security concern with the current openPDCManager application then. Let me know if I am thinking about this wrong, but it seems that in order to have openPDCManager work, it needs direct access to the openPDC database. Either the connection string will have to use integrated security and the user running the manager will have to be given read/write access to the database or a connection string using database security will have to be stored in the config with the user/password in it. In the former option, the user's account will have access to the openPDC database rendering security application roles meaningless. In the latter option, the connection string containing the username/password combination for the openPDC database will have to be in the config file which the user will need read access too in order for the openPDC manager to work. This will give the user access to the database and, again, render application roles meaningless. It seems to me that using the web version, or even a wpf version that used data services to access the database would solve this problem as the user account running the openPDC Manager wouldn't need direct access to the database and the connection string would only need to be placed on the server where only administrators would have access to it.
Coordinator
Jul 11, 2013 at 9:19 PM
Hello dgregan,

Yes, you are correct. Out of the box, the openPDC uses a fixed security model where all users have generic read/write access to all tables in the database whether they need it or not. Many of our recent changes have been to improve the security of the system, and this is on our radar. However, you can manually create database roles and assign AD groups or users to them to control access (which is basically what we will be doing as we improve the security for 2.0). Also, it's important to note that our planned security enhancements will only apply to SQL Server.

Thanks,
Stephen