OutSystems Role-Based Security (on Screen)

Imagine the following scenario. You are building a mobile or reactive web application. It has a screen that any registered user can open, but only certain users should see some fields or perform some actions. In terms of security, there are two steps you can take:

  • Do a client-side role check to decide whether to show some information or allow some action in the UI.
  • Do a server-side role check to allow or deny the corresponding server-level action.

Client role check

The client role check is used to programmatically show or hide UI elements depending on a given role. Let’s say we have the following roles: Client, Employee, and Manager.

You can use a few methods to do client-side role checks. The one you need is the checkIfCurrentUserHasRole function, which checks whether the current user has the given role and returns true if so and false otherwise. For example, if only Managers and Employees should see a UI element, use checkIfCurrentUserHasRole as follows:

$parameters.CanSee =
$public.Security.checkIfCurrentUserHasRole($roles.Manager) ||
$public.Security.checkIfCurrentUserHasRole($roles.Employee);

The best place to use this function is the screen's OnInitialize: compute there whether the user is allowed to see the UI element and assign the result to a local variable. Since a server role-check action cannot be called directly from the client, we use a JavaScript statement to check the roles instead. This way everything still works when the application is offline, and it is much faster than calling a server role check wrapped in a server action.

You can also create a function from a client action to verify the role.

This way, we can use this function directly in any part of the page or logic on the client-side.

Server role check

But since you should never rely on client-side code alone for security, you must repeat those role checks on the server side. Every server action you call must itself check whether the user is allowed to execute it. For that, use the built-in function the platform defines automatically for each role, Check<role_name>Role (for the Manager role, CheckManagerRole). This is server-side logic and cannot be used on the client side.
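
The following is an added example, not OutSystems code and not part of the original post: a stand-alone Node.js model of the two checks described above (the client-side checkIfCurrentUserHasRole expression and the server-side Check<role_name>Role guard). The platform built-ins are replaced by plain functions over constructed data so it runs offline; the session object, the user store and the user names are constructed sample data, and the server action name is hypothetical.

```javascript
// Added example, not OutSystems code: a stand-alone Node.js model of the two
// checks the article describes. The platform built-ins
// $public.Security.checkIfCurrentUserHasRole (client) and Check<role_name>Role
// (server) are replaced by plain functions over constructed data so it runs
// offline; the session and user store below are constructed sample data.

const ROLES = { Client: "Client", Employee: "Employee", Manager: "Manager" };

// Stand-in for the client-side checkIfCurrentUserHasRole: in the platform the
// role list comes from the client session; here it is passed in explicitly.
function checkIfCurrentUserHasRole(session, role) {
  return Array.isArray(session.roles) && session.roles.includes(role);
}

// Client-side visibility rule, the same expression the article assigns to
// $parameters.CanSee in OnInitialize (Manager OR Employee).
function canSeeRestrictedFields(session) {
  return checkIfCurrentUserHasRole(session, ROLES.Manager) ||
         checkIfCurrentUserHasRole(session, ROLES.Employee);
}

// Constructed server-side user store (what the platform consults for
// Check<role_name>Role); keyed by authenticated user id, never by client input.
const SERVER_USER_ROLES = {
  alice: [ROLES.Manager],
  bob: [ROLES.Employee],
  carol: [ROLES.Client],
};

// Stand-in for the server-side CheckManagerRole built-in.
function checkManagerRole(userId) {
  return (SERVER_USER_ROLES[userId] || []).includes(ROLES.Manager);
}

// A hypothetical server action guarded as the article recommends: the role
// check is the first statement, and any "canSee" flag the client computed is
// ignored.
function approveDiscountServerAction(request) {
  if (!checkManagerRole(request.userId)) {
    return { ok: false, error: "NotAuthorized" };
  }
  return { ok: true, approvedPercent: request.discountPercent };
}

// Walk through the three sample users, plus a tampered request in which a
// Client claims canSee=true: the UI flag is only a hint, and the server still
// refuses the action because it re-derives the roles from its own store.
function demo() {
  const results = {};
  for (const userId of Object.keys(SERVER_USER_ROLES)) {
    const session = { userId, roles: SERVER_USER_ROLES[userId] };
    results[userId] = {
      uiShowsFields: canSeeRestrictedFields(session),
      serverApproves: approveDiscountServerAction({ userId, discountPercent: 10 }).ok,
    };
  }
  results.tampered = approveDiscountServerAction({
    userId: "carol", canSee: true, discountPercent: 10,
  }).ok;
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note that the two rules are deliberately different: the visibility rule lets both Managers and Employees see the fields, while the server action requires the Manager role, so an Employee sees the UI but cannot complete the action, and a Client who forges the client-side flag is refused by the server regardless. Run it with `node` to print the per-user outcome table.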

Corollary

Using these two validations together, you decide and enforce at the screen/action level who sees a UI element or performs a specific action, and you ensure that every action the user performs is checked again on the server side. That is how you get a more secure and sound application.

Source: 
OutSystems Security Documentation (and Forum in general)
Feature toggle in OutSystems
