System Entity Restrictions

In Version 8 we were able to consume system entities such as "Espace", "Entity", etc.  However, now that we have upgraded to 9, we aren't able to consume these entities in new modules.  I'm getting the message: "You are not allowed to use the entity 'Espace'".  Is there a setting somewhere where I can turn on the ability to have read access to the system entities?

Hi Rebecca,

Those entities are still public in Platform 9 just as they were in the past.
Are you using Lifetime? If yes, what permissions do you have on the environment?
Also can you try to publish the module with a user that has the Administrator role?

I'm not sure how reference permissions to system entities work with the Lifetime roles (since the roles are granted to Applications, and the System does not show in Lifetime). I'll ask around tomorrow.

Regards,
João Rosado
Yes,

It seems a bit strange. You can use/reference them in your Service Studio, but once deploying via Lifetime the errors will pop up :(

Hi again,

As promised, I asked around and was told that the user making the stagings/publishes needs to have "Open & Reuse" permission on the "All Applications" for that environment.



Does that make sense with your permissions?

Regards,
João Rosado

The environment that I'm publishing to is set to "Change & Deploy".  No environments with "No Access".  I also tried with the administrator role with no luck.
Hi Rebecca - Did you eventually get this sorted?  I'd be really interested to know how if you did, having a similar issue with system entity 'Roles'.

Thanks
Andy

Hi, I had a similar issue with referencing the "Group" and "Group_user" entities.

I am not able to reference them; it reports a permission error.

Any steps would be appreciated.

Thanks
Kiran
Hi Kiran,

You need the "Change & Deploy" permission for "all applications" in order to reference the "Group" and "Group_User" entities. As an administrator from your environment you should be able to do it.

Are you having security errors as an administrator?

Lúcio

Hi, we have the same issue.
I downloaded a solution from Forge, and tried to do a 1-Click Publish, and I got a huge number of errors like this: Required Permission You are not allowed to use the Entity '....'.

Can OutSystems fix it ASAP?

Please check my answer to this topic in this thread

In short, it's a security feature that is being reconsidered as it was causing a lot of surprise and misunderstanding.
Hi Ricardo,

Not judging the merit of the security feature, let me suggest that this was not transparent to the user, hence, it caused confusion.

Cheers
To anyone that is having this error. Can you tell me the exact version you are using from ServiceCenter and lifetime?

Thanks,
Lúcio

We have the 9.0.0.23 platform. How do I check the Lifetime version?  We might have had support send us an update but I can't remember.

Hi Rebecca,

I know you can look for LifeTime by going to Service Center and checking in Factory | Solutions.
By the way, why not have this important version information easily accessible in one single place?

In the solution it just says version 9.0.0.23 ... same as the server.  I assume it was only updated with the platform upgrade.  As for maintaining versions I usually rely on versioning in lifetime since we are supporting 10+ applications and are quickly adding more.  I usually only check platform version and service studio version.
Hi,

This was a design decision made some time back, and the rationale behind it was that system tables usually contain more sensitive information. As such, in order to prevent misusage of that data, one would require very high privileges (Administrator) over the environment (and, as a side effect, over all applications) in order to first publish a module referencing system entities.

We have reviewed and changed this behaviour so that, in order to first publish a module referencing a system entity, the user only requires "Change & Deploy" on the environment.

This change will be available in GA for 8.0.1.x and in RC for 9.0.1.x. These versions will both be available in the beginning of July 2015.


If you are an Administrator over the environment and this is still not working, you might actually have another problem, one related with synchronization. In that case, I would kindly ask you to contact support, so that they can help you troubleshoot the problem.

Hi,

May I know how to restrict developers from accessing System Entities via Lifetime?

How should the permissions be set?

Hi J.S.

Could you provide more details regarding the scenario that you are trying to achieve, so that we can help you further? 

Hi Ricardo,

My main concern is that developers from one application team may develop a program that alters the users/roles of other application team residing in the same environment (this is just one instance of my concern).  There are also other sensitive system entity tables and hence I wanted to find out if it is possible to limit access to the system entities.  

Rgds.

According to the thread above, use a permission that is LESS THAN "Change & Deploy".

J.Ja

Hi Justin,

I tried layering the permissions.  Granted a role with only 'Reuse & Monitor' permission in the environment.  Then tagged this role as a default role to a developer.  Subsequently, created an application to which I granted 'Change & Deploy' to the developer account. However, this did not work as the account is still able to reference to the system entities.

Rgds.

Yes, because you granted "Change & Deploy" which allows that developer to access System Entities.

J.Ja

Hi Justin,

However the developer is supposed to be able to carry out changes and work on that application.  Hence, I granted 'Change & Deploy' permission at the application level to the developer.  However at the environment level, the developer is only granted 'Reuse & Monitor' permission for all the other applications. 

If the above permission layering is wrong, how should it be done?

Rgds.

Hi J.S.,
Hi Justin,

Currently, the LifeTime permission model is not granular enough to allow one to only limit the access to system entities. We will consider this feedback in the future.

However, there is a way to almost overcome this limitation:

  • Create the developer with "List" permissions over the environment (default role)
  • Add explicit "Change and Deploy" permissions for the app (or set of apps, via team) the developer needs to change

(check attached file for example)

In doing so, the developer will only be able to see the data of the system entities that are already present in the app, i.e. the ones that have already been referenced by other developers who published the app first, meaning the developer won't be able to see anything if there are no system entities. With these permissions configured, the developer won't be able to add any new system entities, as that requires Change & Deploy privileges over the environment.

I know this is not a perfect solution, but it should be enough to solve this specific problem.

Kind regards,
Ricardo Marques