Can I create a role dynamically in outsystems
Question

The requirement of my application is such that I need an admin UI which should allow creation of roles. I wanted to know if it's possible to give this facility to the end user to create roles at run time?
Also wanted to check what would be the value of the "ss_key" column if I create a role dynamically? What exactly does ss_key signify?

Champion
Rank: #336

Hi Akhilesh,

It is not possible to create platform roles at runtime. Roles are related to low-level access control mechanisms and can only be created during development.

You should implement part of your access control mechanism with custom code if you need that.

What is the exact requirement? A possible approach may be using the platform roles as functional-oriented (CanCreateInvoice, CanApproveInvoice, CanIssueReceipt, ...) roles and using Groups (or another application-level entity) to define sets of roles that will be assigned to the users.


Cheers,

Tiago.


MVP
Rank: #19

Hi Akhilesh Bhatia,

Roles in OutSystems are application-specific. Although it seems possible to dynamically create them (the Role entity is available and exposed read/write) you still would not be able to use any of the built-in functionality of the platform to check whether users have the roles or not. Can you further explain your requirements? What would those dynamically created roles be used for?

As for the SS_Key attribute, it stores information about the Service Studio version that was used to create the record (if memory doesn't fail me).

Rank: #25417

The end user (admin in this case) should be allowed to create a role from the UI. The usage of role is in terms that on the basis of the role, the user would be able to access the specific web screens (which we are calling stages in our application).

I guess we will have to create some custom tables which can be used for access control in the preparation of each of these web screens. Please correct me if I am wrong.

Champion
Rank: #336

Akhilesh Bhatia wrote:

The end user (admin in this case) should be allowed to create a role from the UI. The usage of role is in terms that on the basis of the role, the user would be able to access the specific web screens (which we are calling stages in our application).

I guess we will have to create some custom tables which can be used for access control in the preparation of each of these web screens. Please correct me if I am wrong.

You can do that by using the Roles as low-level access to screens / actions and Groups to define sets of roles and assign them to users.

This can be done through the Users application or in your own application, as Groups can have custom management. Please check Organize Roles in Groups and Customizing Groups.


Cheers,

Tiago.



MVP
Rank: #2

Akhilesh Bhatia wrote:

The end user (admin in this case) should be allowed to create a role from the UI. The usage of role is in terms that on the basis of the role, the user would be able to access the specific web screens (which we are calling stages in our application).

Access to Web Screens is configured at design time, when you check the boxes after the Roles per Web Screen:

Even if you could create roles on the fly, you still wouldn't have the functionality you need.

That said, I think you have your user/role administration upside down: each Screen or set of Screens should define the proper Roles for them, and per User, or per User Group, you define what that user is allowed to do. There is absolutely no need to dynamically create such Roles.


Rank: #4111

Hi Kilian,

We want to have control over role-level access to screens. Which system table stores the Role to Screen mapping? We want to avoid deployments and want to control role to screen access from the backend.

Best Regards,

Nitin

MVP
Rank: #2

Hi Nitin,

The direct answer to your question is: there is no system table that stores the Role to Screen mapping. The Screen's Roles are compiled into the code; there's no way to alter them at runtime.

That said, I think you want to go about it the wrong way. You don't want to modify Screen Roles dynamically, you want to assign Roles to Groups or Users dynamically. If there's a certain Role, say "CanEditSecretData" that is mandatory for Screen "EnterSecretData", and you want a group of users that have the EnterSecretData Role to no longer be able to use the EnterSecretData Screen, you would remove the EnterSecretData Role from the users (either directly or via a Group they are part of), not remove that Role from the Screen!

Rank: #4111

Thanks Kilian!

Yes, we were going the wrong way.

We are getting higher-level roles like Admin, Viewer, Approver etc. from the auth provider (OKTA). We were thinking of creating the same roles in the OutSystems application. But this point came up, when role Viewer will get access to the edit screen. So possible solutions would be:

1. Create OutSystems application roles like Add, Edit, View etc. and map them to the OKTA roles (Admin, Viewer etc.) received.

2. Create OutSystems application roles the same as the OKTA roles (Admin, Viewer etc.) and create an Access Control List (Add, Edit, View, Delete, Approve etc.) table.

Create a mapping table for Roles and ACL.

Best Regards,

Nitin

Rank: #392

You could:

1. Create a different OutSystems Role for each web screen (or set)

2. Have the admin create whatever Groups they thought necessary

3. Allocate the Roles to Groups

4. Allocate the Users to Groups (giving them access to the desired screens)

You can have as many Roles and Groups as you like, with a slick interface it would be manageable.


Rank: #140

Hi Akhilesh,

Though you are able to create roles dynamically, how will you relate those roles to screens dynamically? Suppose through your UI you create RoleA, RoleB and RoleC; there is no way to tell that RoleA people will be able to access particular screens and RoleB and RoleC will access some other screens.

You should create roles in the application and specify in application which role can access what screens. After that as mentioned above, you can add those roles to groups and add users to that group.

If you want to give some part in AdminUi for users, there you can implement where Admins will be able to add/remove users from particular group.

You can use GrantRole and RevokeRole functionality to add/remove in that particular role.


Thanks and Regards,

Suraj Borade

Rank: #392

Hi Suraj,

I am not sure if you still have a question?

Anyway in the extreme, as I mentioned before, you could create a Role per Screen

ScreenA : RoleA

ScreenB : RoleB

ScreenC : RoleC

And set the screen access to the exact role of the same name setting up a 1:1 relationship between screen and role.

Then the rest is easy either using the OutSystems provided UI or providing your own UI so that an application administrator does not necessarily have direct access to the OutSystems User app.

All of the User, Group, Role tables are open to direct manipulation for you to be able to do that, you don't necessarily have to use the Grant and Revoke actions you can directly add rows to the correct tables and achieve the same thing.

Keith
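
The model the replies converge on (roles bound to screens at design time, with Groups and membership managed at runtime), as an added sketch that is not part of any post. It is a plain Python model and does not use OutSystems APIs or system tables; the screen names, group names, and the `AccessModel` class are hypothetical.

```python
# Added illustration: plain Python model, not OutSystems APIs or system tables.
from types import MappingProxyType

# Screen -> required role is fixed at design time (read-only at runtime).
# Role names come from the thread; screen names are constructed.
SCREEN_ROLE = MappingProxyType({
    "InvoiceCreate": "CanCreateInvoice",
    "InvoiceApprove": "CanApproveInvoice",
    "ReceiptIssue": "CanIssueReceipt",
})
KNOWN_ROLES = frozenset(SCREEN_ROLE.values())

class AccessModel:
    """Runtime-managed part: groups, their roles, and user membership."""
    def __init__(self):
        self.group_roles = {}   # group name -> set of design-time roles
        self.user_groups = {}   # user name  -> set of group names

    def create_group(self, group, roles):
        unknown = set(roles) - KNOWN_ROLES
        if unknown:
            # Admins combine existing roles; they cannot invent new ones.
            raise ValueError(f"not a design-time role: {sorted(unknown)}")
        self.group_roles[group] = set(roles)

    def add_user(self, user, group):
        if group not in self.group_roles:
            raise KeyError(group)
        self.user_groups.setdefault(user, set()).add(group)

    def revoke_role(self, group, role):
        # Access is removed from the group, never from the screen.
        self.group_roles[group].discard(role)

    def effective_roles(self, user):
        roles = set()
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def can_open(self, user, screen):
        required = SCREEN_ROLE.get(screen)  # unknown screen -> deny
        return required is not None and required in self.effective_roles(user)

def build_demo():
    model = AccessModel()
    model.create_group("Approver", ["CanApproveInvoice"])
    model.create_group("Clerk", ["CanCreateInvoice", "CanIssueReceipt"])
    model.add_user("alice", "Approver")
    model.add_user("bob", "Clerk")
    return model
```
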