Questions regarding external login

Hi, I have implemented some AAD/Facebook login with some web/mobile apps. I am wondering why it is necessary to map these external users to OutSystems users. What's wrong if I bypass the whole OutSystems User entity and just use anonymous pages and local variables for role checking?


William Wong wrote:

Hi, I have implemented some AAD/Facebook login with some web/mobile apps. I am wondering why it is necessary to map these external users to OutSystems users. What's wrong if I bypass the whole OutSystems User entity and just use anonymous pages and local variables for role checking?


Hi William Wong,

I didn't have any issues with this approach, as I am already using the same approach in one of my projects.

The entire project right now is for Anonymous, and the data comes via a REST API from a third-party server.

The only thing is that you need to create a manual module to maintain the user login and session.

But if your app is going to deal with the OutSystems DB or services, then you must go via OutSystems, as it also provides third-party user integration via AD or LDAP.

And remember, you may not be using the actual power of OutSystems with this approach. :)

Thanks 


Hi William,

The benefit of using the OutSystems users is that you can use the OutSystems Roles (privileges). Of course, you could implement all of that yourself, but why would you want to?

Hello 

My thoughts / understanding wrt licensing. (Enterprise)

The OutSystems licensing includes a named User Count (the number of named users) on the platform. This means that even if you maintain your users outside of the platform, one still needs to map them to users (symbolic - at least some id to map to your actual user) in OutSystems to honour the licensing wrt user count. If this is not done then I believe this is a violation even if this exceeds/does not exceed the license user count.

If your web app/mobile app is truly anonymous (no login/authentication of any kind, internal or external) then there is no issue of named users at all.

Of course I believe you can exceed the users count if they are made inactive on the platform (so the active user count is still within the license limit). 


Regards

Amal 


Kilian Hekhuis wrote:

Hi William,

The benefit of using the OutSystems users is that you can use the OutSystems Roles (privileges). Of course, you could implement all of that yourself, but why would you want to?

Hello Kilian

If one chooses to not use the users of the platform and live with the disadvantages (like roles, authentication etc), is this a violation?

In your experience, if one were to develop a B2C app with a lot of users and one chooses not to use OutSystems users, is it OK?


Regards

Amal 


Amal Raj wrote:

Kilian Hekhuis wrote:

Hi William,

The benefit of using the OutSystems users is that you can use the OutSystems Roles (privileges). Of course, you could implement all of that yourself, but why would you want to?

Hello Kilian

If one chooses to not use the users of the platform and live with the disadvantages (like roles, authentication etc), is this a violation?

In your experience, if one were to develop a B2C app with a lot of users and one chooses not to use OutSystems users, is it OK?


Regards

Amal 


I would like to know too.


Best,

William Wong

Solution

Hi all,

As far as I'm aware, and as Amal pointed out, your license agreement limits the number of active named users (individual users that can log in to the system at one given time). It doesn't matter if they are represented in the system's User entity or not.

As for why external users are mapped into User entity records... there are several reasons. The first and most immediate one is that you'll leverage the power of the platform, with no need to reinvent the wheel and come up with your homegrown access-control mechanisms. The second and equally important reason is that, more often than not, your data model will require a user concept (who updated this record, who is the manager of this employee, who does this profile belong to), so even when the user authentication is performed elsewhere, you still need to keep track of users within OutSystems somehow... the User entity is the simplest, most standard way of doing so.

So you can come up with your own user concept... but you will be doing things that are already there, ready to use and supported by the tools to make your life as a developer simpler. And you will still have to abide by the license limits, whether this is automatically checked or not.

Solution

Hello,

I have a disagreement with a few of the above comments:

a) Jorge Martins - "It doesn't matter if they are represented in the system's User entity or not."

b) Amal - "This means that even if you maintain your users outside of the platform one still needs to map them to users"

To me, it looks more like these are their own personal thoughts or opinions, not backed by the OutSystems License Agreement. The Master Service Agreement located at https://www.outsystems.com/legal/master-subscription-agreement/ doesn't talk about any of these terms. Also, I don't find a clause which says you must use the 'Users' while you develop an application or any of the above statements.

I fully support the benefit of using OS Users. However, it is wrong to say it is a violation if someone doesn't want to use OS Users but some external means mentioned above. I may be wrong if you have access to some other documents which support these statements.




Jorge Martins wrote:

..., your license agreement limits the number of active named users (individual users that can login into the system at one given time)....

Hi Jorge,


So if one user does two logins to a single app, does this count two times under this license? How about a single user with one login to the web app and the other one to a mobile app? Does this count as two?

Sorry, on my part I didn't go through the docs before asking.


Hi Hus E,

I have a disagreement with a few of the above comments:

a) Jorge Martins - "It doesn't matter if they are represented in the system's User entity or not."

To me, it looks more like these are their own personal thoughts or opinions, not backed by the OutSystems License Agreement. The Master Service Agreement located at https://www.outsystems.com/legal/master-subscription-agreement/ doesn't talk about any of these terms.

Given that I am not an OutSystems employee, it is my opinion ("As far as I am aware") that I am sharing, not an official OutSystems answer. For that sort of guarantee, you should be contacting OutSystems and their licensing people directly.

As for finding the limitations to your license... the document clearly states these "specifications and limitations are set forth in the applicable Order." The limits are set in your specific contract with OutSystems. This typically will reflect on the license settings you have on your environment.

On the description of this entry in the environment's License (found in Service Center, Administration section, Licensing sub-section) there is no mention of the Users entity. It only mentions "[Active] Named Users entitled to use the application", which can easily be interpreted as "any individually identified user entitled to use the application".

The number you see there is the number of User records in the system that have their Is_Active property set to True (and are thus able to log in), because that is the information the platform can automatically determine. You can argue that that is the only meaningful value and that if you bypass the User entity altogether you are within the scope of the license. I choose to follow a more conservative interpretation until I have actual need to have a formal answer to this question, and it is exactly that that I was sharing above.

Also, I don't find a clause which says you must use the 'Users' while you develop an application or any of the above statements. 

There is no such clause anywhere as far as I'm aware. Given my interpretation above, from a license standpoint it would be irrelevant whether you are using the User entity or not to represent your users.

Hopefully someone from OutSystems can provide a definite answer to the user limits license interpretation, but as for reasons to use the User entity... basically it makes your access control a lot simpler, it's built into Processes and used in platform logs as well. If you build your own implementation, you will lose these "freebies", but you will gain full control of everything.

Hi William,

So if one user does two logins to a single app, does this count two times under this license? How about a single user with one login to the web app and the other one to a mobile app? Does this count as two?

In my interpretation of the license, if you have different credentials (internal representations) for the same physical person or not, that would count as multiple users. If the credentials are the same (one single representation), and used in multiple applications, that is one user.

William:

1) when you buy a license, you get a formal and more complete contract. I don't remember the detail, but I would check it before doing something stupid that can invalidate your license. It may require a special contract.

2) Personal Environment is unlimited in Users, but it still recommends you don't go over 100 for performance. If you buy a cloud estimated for 100 people and somehow overused it up to 1000, the performance will be bad. No matter how good your workaround was implemented. Try to explain in your ticket that you need 3 more frontends to handle all the 500 users.


My personal point of view is that OS won't say that you can't because they don't have a way to see how many users you have.

But if your app is in the store with 4 million downloads or your CEO says on TV that you have 20k daily users in the site, you may get a phone call asking why your license is for 5k.


Hus E.:

To me, it looks more like these are their own personal thoughts or opinion but not backed by OutSystems License Agreement.  Master Service Agreement located at https://www.outsystems.com/legal/master-subscription-agreement/ doesn't talk about any of these terms.

When you use lawyer talk to validate the decisions of a software architect, something will go wrong. That document also doesn't mention that you can't exceed the number of Application Objects, so why not do it?

I remember when Software Units were the measure, a lot of projects had poor implementations to avoid the extra cost. That's why OS changed to Application Objects. But the number of Users affects performance.

Hus E.:

Also, I don't find a clause which says you must use the 'Users' while you develop an application or any of the above statements. 

Many times I imagine a Freemium model for apps. You do an app that works independently of the server. It downloads non-user-specific data and doesn't overload because nothing is uploaded. The FB login is only to get the name+photo and is only saved on the device. I'd say that is "fair use" and you don't need the User table. They are just trying. The moment users save data on the server, they must get a paid membership and should count because they will need a UserId somewhere.

But if your business plan is that specific, you could talk with OS in advance to see if you can make such a contract instead of the regular one. Be nice to each other.

Nuno Reis wrote:

That document also doesn't mention that you can't exceed the number of Application Objects, so why not do it?

Hello Nuno, 

The platform enforces the usage of AOs as well as users (provided one uses the OutSystems users). 

There is no way of bypassing the AO's restriction. 

 

Also hoping someone from the OutSystems team will conclude this post.

Regards

Hi Amal,

"There is no way of bypassing the AO's restriction." - there are several ways to do so, but it's illegal and unethical, so I won't make anyone wiser.

Hello All,

I can see that the discussion is slowly slipping into AO usage from the 'User'. I am totally in agreement with Kilian on what he said about AO usage.

Having said that, the question on the legality of the 'User' part is still open. Hope someone from the OutSystems team will conclude this post.

Thanks once again to Amal, Nuno & Jorge for sharing their opinions.

Hi,


Back to the user question:


User licensing is actually a legal/contract question vs the technical answer on how to do authentication against any specific provider. You are actually welcome to use whatever method you want against any provider; there are benefits to each way that you choose. Contractually, the license is based on named users. Simply put, if you have a unique user name and password, that counts as a named user. This is not impacted by how the user is authenticated.


For a more formal definition of users:

Named Users and Anonymous Users - Named Users are human users that are registered and can log in to an application built on the software by a mechanism designed to provide such access. Named Users in the OutSystems Platform are licensed in packs (with the option to license Unlimited Named Users). At any point, the number of users that can log in to the applications cannot be higher than the maximum defined in the license. It is not possible to license an ad-hoc number of Named Users. Anonymous Users are human users that access the application but do not log in, only access public sections of the applications and whose identity is not known by the application, in any way, during the usage of the application. As soon as the identity of a human user is known by the application it will be considered a Named User for licensing purposes. The OutSystems Platform allows Unlimited Anonymous User accesses in its licensing.


Thanks,


Stacey

Hello Stacey,

Thank you for taking the effort to explain the 'User' questions. I am in total agreement with the definition of Named Users. This was exactly in line with an older version of the MSA available online. However, OutSystems has taken out the words 'Named Users' from the latest version of the MSA (https://www.outsystems.com/legal/master-subscription-agreement/).

So I believe there is no concept of 'named users'. If there are any public documents, please share.

Thanks 

Hus E

Hi all,

I suggest we break this discussion into 2 parts:

  1. The license and contracts celebrated with OutSystems (including purchase orders) include a definition of what counts towards the licensed limit of Named Users. If you go back to Stacey's post, it should be clear what OutSystems considers to be a named user.
  2. OutSystems has unlimited users licensing offers (contrary to most competitors) to accommodate customers that are looking to handle unpredictable user registrations and put more predictability into pricing, especially in B2C application deployment scenarios.

Now let's get to the point:

  1. Is there a way to work around the user count mechanism? Yes there is. We know it! The same happens with AO (while harder), as stated by previous posters.
  2. Can you do it? All contracts are signed in good faith and according to the term and conditions of the contract. The fact there is a way to work around it (from a technical standpoint) does not mean you can do it. If OutSystems suspects that misuse or contract breaches are happening, we will work in securing our interests
  3. Should you do it? No! We have had cases in the past where customers were taking advantage of this situation and once detected OutSystems canceled the contract with said customer.

Hope this clarifies the situation. To be honest, there is a rule of thumb you can use in this situation. Think about it: if you worked at OutSystems, do you think you would see this situation favourably?

Let me know if you have any additional questions.

Well said. This is all legal territory, and developers should normally stay well away from it (or risk losing sanity :)), but it's a good thing to know the limitations of the contract your company has with OutSystems, and not inadvertently (or purposely) work around the limitations the contract states. For example, we have a customer portal that uses named users, without the customer being stored in the User Entity. We do monitor the Entity we use though, to make sure we're not going over the limit of our contract.