Users Espace clone


Hi there,

I have successfully cloned the users espace to build in my password policy with a centralised login.  The issue is now that the login for users espace is still available, so simple passwords can still be created.  How do I disable the users espace to not be available online as per the link below?

https://www.outsystems.com/ideas/1044/password-policy-settings

Hi Tjaart,

You can disable the application on the service center. Go to Service center > factory > applications, select users app and on the detail you have a disable button.

Regards,

Marcelo

Hi Marcelo,

Thanks for the quick response. This method will disable all the logic inside the users espace; I am merely asking for a solution that will disable the front end, i.e. the users interface.


Is there a way to target just a single app, or is it an all-or-nothing thing? I have cloned users for 1 app only, and don't want to impact other apps.

Hi,

@Tjaart I don't think it is possible to disable just the front end. But if you clone it, why don't you use the clone for everything?

@James the only thing you need to do is, on that one app, use the clone as user provider. This way the Users will work for all other apps and the clone will work for the espaces where you change it.

Regards,

Marcelo

Hi Marcelo, 

The cloned espace is used to enforce our password policy and other security mechanisms that need to be centralised. The issue is that most if not all forge components make use of the server logic in the users module, so simply disabling it would cause havoc. One of our clients has done penetration testing on our system and they found that the availability of the Users espace to the public poses a HUGE risk, hence the request. We are moving towards IP Locking the module, but this seems to be a challenge; in the short term we are looking at disabling the front end of users.

Solution

Hi,

You can disable the Users UI in ServiceCenter > Factory > eSpaces > Users > Tenants tab > Users (Default Tenant):
Set site property AllowWebAccess = false

Additionally, I think (although I haven't tried) that disabling the Users app (as suggested by Marcelo) will also work (consumer applications should continue to work, since they are using their own copy of the Users library, regardless if the UI app itself is disabled). 

Nevertheless, since you have a specific setting for this (the site property above), I'd use that method.

PS: I'd also recommend you share the penetration test issues with the support team (by creating a support ticket), so this can be improved in a future release.

Solution

Hi Paulo,

Thank you very much for the response, this was exactly what I was looking for.