Outsystems Users Application restrict access to an Internal Network

Priya Naveen

Question

Configure an Internal Network

When you define an internal network for a specific OutSystems environment, it will affect the access to the following tools:

The Service Center console of the environment
The LifeTime console of the environment, if the environment where the configuration was applied is a LifeTime environment
Connections from Service Studio, Integration Studio and OSP Tool to the environment
System Components that are meant to be used by the development tools, like RESTDevService.

users app is not part of it, https://<environment_address>/Users to Internal Network only

we want outsystems default user's app to be part of the above, internal network access only (ip whitelisted)

21 Aug 2025

Thibaut G

Hi,
I had the same requirement and got the following reply/solution from the Outsystems Support Team:

" Thank you for contacting Outsystems support.

We understand that you are trying to find a way to make the users application internal only.

As the application is a protected module, there isn't a way to make the screens internal access only.

The internal network configuration will not be applied to the Users module thus it would still be accessible once the configuration is enforced. The rationale behind the "Users" application to not be set as Internal Access Only as the other Management Console apps, is because in the past "Users" was the login page for all the applications that were deployed in the Platform. This was designed this way to avoid unnecessary logic and layouts, however, as the platform evolved this has changed. Nowadays, we understand that reality has changed, however, changing this parameter for the User application would introduce breaking changes that would affect other customers who have requested the "Configure Internal Access" service.

That said, we believe we have a workaround that will suit your needs. To deny access to the user web application while still maintaining the created users and have a console to manage them (add, modify, delete users, roles, groups), we recommend the below steps:

Download and publish the "User Management" (https://www.outsystems.com/forge/component-overview/5583/user-management) application from Forge.
Manually configure the "User Management" application to have Internal Access Only set to Yes on all flows.
Disable access to "Users" by setting the User's Tenant property "AllowWebAccess" to False. To accomplish this:
1. Access the "Users" module under the Service Center:
2. Access the tab Tenants and then select the "Users" (Default Tenant):
3. Edit the Site Property - AllowWebAccess:
4. Set it to False and Apply the change:

After performing the above procedure, the "Users" application will not be accessible anymore.

However, all the applications will still use the Users' User Entity and, as such, there's no need to migrate the users' data. Additionally, to manage the end-users, you can use the "User Management" application for the effect, where you can add, modify, or delete End-Users, their Roles, and Groups.

If you don't want to use the user management, you can try a similar workaround by creating a clone of the Users application instead.

Please let us know if the above information clarified your questions.
"

Kind Regards

Thibaut

22 Aug 2025

Sérgio Miranda

Staff

Hello,

If the environment is in a self-managed infrastructure, you can install the IIS feature "IP and Domain Restrictions" in your front-end servers and use that in the Users module to restrict requests by the source IP.
You might also be able to apply that restriction at a reverse proxy level.

22 Aug 2025

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.

See the full guidelines