What is the best way to check roles? RBAC
Is writing logic to checkRole based on Getloggedinuser id inside the onApplicationReady system event of a reactive web app a best practice?
Because calling server actions from screen lifecycle events is not best practice, and when checking roles in data actions there will be times when widgets appear which aren't supposed to, and there is repetitive logic in all screens.
Hello @Priya Naveen,
For Data Actions
Data actions are executed right at the start of a screen’s lifecycle, before the UI is fully rendered, and they are handled on the server side, which is more secure. So if you perform the role check inside a data action and store the result in a local variable (like IsAllowed), you can safely use that variable in widget visibility conditions. Since the data action completes before the UI finishes rendering, the widgets that depend on that value won’t briefly appear and then disappear; the visibility is handled cleanly from the start.
For Lifecycle Screen Actions (OnInitialize)
While OnInitialize is good for client-side setup logic, it’s not best practice to call a server action from it just to check a user’s role, just like you mentioned. Doing so can slow down the initial load. That’s one of the main reasons why we usually handle role checks through data actions instead. Adding to that, if you used something other than OnInitialize, such as OnReady after the DOM is rendered, you would still be using a server-side check on the client side, which might not be the best thing to do.
For Application Events (OnApplicationReady)
OnApplicationReady runs once when the application is loading (in the loading screen), so it’s mainly suited for global initialization tasks. It’s not ideal for per-screen role checks since it doesn’t output values you can directly bind to widgets, and if you rely entirely on it, you may end up with stale data if roles or permissions change during the session. It can also slow down the app’s first load if the logic inside it is heavy.
So in my opinion, for screen-level role checks, handling them inside a data action and binding the results to widget visibility is a clean and efficient approach.
Hello,
Adding to what Sherif said, you can use the OutSystems JavaScript APIs to check user roles, as per the OutSystems documentation:
https://success.outsystems.com/documentation/11/reference/outsystems_apis/javascript_api/role_check/
This check is client-side, so you can use it to show or hide some UI widgets, but for performing server-side operations please use server-side actions to check roles, as per the note at the top of the documentation.
Hi @Priya Naveen,
Best Practice Summary – Role Checking (RBAC)
Do not use OnApplicationReady for role logic — it’s not meant for authorization and can cause unnecessary server calls.
Always enforce roles on the server side:
Protect entire screens using the built-in Screen → Roles property.
Add server-side role validation in server actions that perform sensitive operations.
For UI visibility:
Use OutSystems’ checkIfCurrentUserHasRole() action inside a data action to show/hide UI elements (not for security).
Centralize the logic:
Initialize user role flags once (e.g., in the Layout or a global initialization flow).
Store role flags in client variables to reuse across screens and avoid flickering UI.
Avoid duplication and flicker:
Bind widget visibility to preloaded role flags (Visible = RoleFlagsLoaded and RoleFlags.IsAdmin).
Regards,
Manish Jawla
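The split the answers above describe (role flags for widget visibility, role checks inside the server action itself), modelled in plain JavaScript as an added example; it is not from any post and is not OutSystems code. `makeServer`, `getRoleFlags`, `deleteOrder`, `revokeRole` and the session data are hypothetical names and constructed values.

```javascript
// Hypothetical model of the server side; sessions and orders are constructed sample data.
function makeServer() {
  const sessions = {
    "sess-admin": { roles: ["Admin"] },
    "sess-clerk": { roles: ["Clerk"] },
  };
  const orders = new Set([101, 102]);
  const hasRole = (sid, role) =>
    Boolean(sessions[sid] && sessions[sid].roles.includes(role));
  return {
    // Data-action analogue: returns flags used only for widget visibility.
    getRoleFlags: (sid) => ({ loaded: true, isAdmin: hasRole(sid, "Admin") }),
    // Server-action analogue: re-checks the role and accepts no flag from the caller.
    deleteOrder(sid, orderId) {
      if (!hasRole(sid, "Admin")) return { ok: false, error: "forbidden" };
      return { ok: orders.delete(orderId) };
    },
    revokeRole(sid, role) {
      sessions[sid].roles = sessions[sid].roles.filter((r) => r !== role);
    },
    orders: () => [...orders].sort(),
  };
}

// Client analogue of "Visible = RoleFlagsLoaded and RoleFlags.IsAdmin".
function deleteButtonVisible(flags) {
  return flags.loaded && flags.isAdmin;
}

function demo() {
  const server = makeServer();
  // Case 1: the cached flag is changed in the browser; the server never sees it.
  const clerkFlags = server.getRoleFlags("sess-clerk");
  clerkFlags.isAdmin = true;
  const tampered = {
    visible: deleteButtonVisible(clerkFlags),
    result: server.deleteOrder("sess-clerk", 101),
  };
  // Case 2: the role is revoked mid-session; flags cached at load are stale.
  const adminFlags = server.getRoleFlags("sess-admin");
  server.revokeRole("sess-admin", "Admin");
  const stale = {
    visible: deleteButtonVisible(adminFlags),
    result: server.deleteOrder("sess-admin", 102),
  };
  return { tampered, stale, remaining: server.orders() };
}

console.log(JSON.stringify(demo()));
```

In both cases the button is visible while the operation is refused, which is why the cached flags can drive the UI but cannot stand in for the check inside the server action.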