Can I create a role dynamically in outsystems

Can I create a role dynamically in outsystems

  

The requirement of my application is such that I need an admin UI which should allow creation of roles. I wanted to know if its possible to give this facility to the end user to create roles at run time?
Also wanted to check what would be the value of "ss_key" column if I create a role dynamically? What exactly doess ss_key signify?

Hi Akhilesh,

It is not possible to create platform roles at runtime. Roles are related to low-level access control mechanisms and can only be created during development.

You should implement part of your access control mechanism with custom code if you need that.

What is the exact requirement? A possible approach may be using the platform roles as a functional-oriented (CanCreateInvoice, CanApproveInvoice, CanIssueReceipt,..) roles and use Groups (or another application-level entity) to define sets of roles that will be assigned to the users.


Cheers,

Tiago.


Hi Akhilesh Bhatia,

Roles in OutSystems are application-specific. Although it seems possible to dynamically create them (the Role entity is available and exposed read/write) you still would not be able to use any of the built-in functionality of the platform to check whether users have the roles or not. Can you further explain your requirements? What would those dynamically created roles be used for?

As for the SS_Key attribute stores information about the Service Studio version that was used to create the record (if memory doesn't fail me).

The end user (admin in this case) should be allowed to create a role from the UI. The usage of role is in terms that on the basis of the role, the user would be able to access the specific web screens (which we are calling stages in our application).

I guess, we will have create some custom tables which can be used for access control in the preparation of each of these web screens. Please correct me if I am wrong

You could 

1. Create a different OutSystems Role for each web screen (or set)

2. Have the admin create whatever Groups they thought necessary

3. Allocate the Roles to Groups

4. Allocate the Users to Groups (giving them access to the desired screens)

You can have as many Roles and Groups as you like, with a slick interface it would be manageable.


Akhilesh Bhatia wrote:

The end user (admin in this case) should be allowed to create a role from the UI. The usage of role is in terms that on the basis of the role, the user would be able to access the specific web screens (which we are calling stages in our application).

I guess, we will have create some custom tables which can be used for access control in the preparation of each of these web screens. Please correct me if I am wrong

You can do that by using the Roles as low-level access to screens / actions and Groups to define sets of roles and assign them to users.

This can be done trough the Users application or in your own application as Groups can have custom management. Please check Organize Roles in Groups and Customizing Groups.


Cheers,

Tiago.



Hi Akhilesh,

Though you are able to create roles dynamically, how will you relate those roles on screens dynamically.Suppose through your UI you create RoleA, RoleB and RoleC, there is no way to tell that RoleA people will able to access particular screens and RoleB and RoleC will access some other screens.

You should create roles in the application and specify in application which role can access what screens. After that as mentioned above, you can add those roles to groups and add users to that group.

If you want to give some part in AdminUi for users, there you can implement where Admins will be able to add/remove users from particular group.

You can use GrantRole and RevokeRole functionality to add/remove in that particular role.


Thanks and Regards,

Suraj Borade

Hi Suraj,

I am not sure if you still have a question?

Anyway in the extreme, as I mentioned before, you could create a Role per Screen

ScreenA : RoleA

ScreenB : RoleB

ScreenC : RoleC

And set the screen access to the exact role of the same name setting up a 1:1 relationship between screen and role.

Then the rest is easy either using the OutSystems provided UI or providing your own UI so that an application administrator does not necessarily have direct access to the OutSystems User app.

All of the User, Group, Role tables are open to direct manipulation for you to be able to do that, you don't necessarily have to use the Grant and Revoke actions you can directly add rows to the correct tables and achieve the same thing.

Keith


Akhilesh Bhatia wrote:

The end user (admin in this case) should be allowed to create a role from the UI. The usage of role is in terms that on the basis of the role, the user would be able to access the specific web screens (which we are calling stages in our application).

Access to Web Screens is configured design time, when you check the boxes after the Roles per Web Screen:

Even if you could create roles on the fly, you still wouldn't have the functionality you need.

That said, I think you have your user/role administration upside down: each Screen or set of Screens should define the proper Roles for them, and per User, or per User Group, you define what that user is allowed to do. There is absolutely no need to dynamically create such Roles.