[Reactive Web] Differentiating between Role and Permission

Our company is new to Outsystems and we're going to be using the Reactive Web platform. We are still defining our enterprise architecture and how we're going to make use of Outsystems.

Currently, our plan is to have Roles and Permissions be two different concepts. Roles are an overall category defining what the user is (i.e. Customer, Manager). Permissions are specific elements of functionality to further restrict the role (i.e. CustomerA has access to the Customers screen but with the "read only" Permission, while CustomerB has access to the Customers screen but with the "read update" Permission).

I have the Roles down without any issue. However, for our Permissions we want to store them in an external database. We're using microservice architecture, so I have an exposed REST API that does the task of retrieving the list of permissions for the given screen and logged-in user under the web block fetch data at start action. It technically works, but it's slow. The screens are rendering before the permission list can be retrieved so elements are being enabled for permissions that should be disabled long enough to be clickable (i.e. a "read only" user can click on an Update button after the screen renders but before the content renders and their permission is checked).

My question is just a generalized one for the topic. How would you handle retrieving a list of permission for a user from an external database efficiently/quickly? While my current status technically works, I highly doubt I implemented it correctly. I think I need to handle permissions before anything else, but I can't seem to figure out how. I've tried to "pre-load" the permissions after login and pass the list around in my navigation, but I can't use lists as input variables on my screens/blocks so the flow is a dead end. I'm open to any suggestions.

Hi Joseph,

To implement that purely in OutSystems I would use roles (working as the permissions you are mentioning) and Groups (inside the Users app) as the roles you need. Groups are associated with a set of Roles and you can change them at runtime. These could be synced with an external database. 

Historically Service Studio roles were called Permission Areas but that would lead to excessively complex permission systems, so although they now lead into more direct and simple designs they still keep the versatility. 

Just make sure you do need so much complexity (that was often requested in systems that were harder to change), as often that becomes pretty hard to manage and it’s easier to think about who will be using the apps and what for while designing them. 

Maybe others can give different perspectives and advice.

Cheers,

Tiago Simões

Thank you Tiago. I was able to implement using Groups and Roles. However, my issue of slowness still exists. Please allow me to further explain my setup.

In our application, we have 6 different modules. In the Home module, we are using the LayoutSideMenu layout. In the Menu block, I have URL redirects to each of the modules as menu items. The list of menu items needs to be dynamic based on roles. For example, the Administration item is only visible to the Administrator role. To check roles, I have a Fetch Data Action on the Menu block that is set to execute at start. The action does the appropriate Role checks and sets the block variables used by the flow If statements to set visibility of the menu items.

Again, the process does indeed work. It's just too slow. It takes anywhere from 1700-2800ms for just 6 roles/menu items. All of the main content renders and then a second or two later, the menu items show up. 

I know I've got to be doing something wrong, I just can't figure out what. If it helps any, I've attached the oml of my Home module.


**EDIT**

I realize the above isn't exactly on-topic. I've been playing more with the Permissions and I think I have them in an acceptable state now. The menu is still a slow load, but I'll continue to play with it. If I remain stuck, I'll open a new thread specifically for it. Please feel free to chime in with any suggestions in the meantime, though. 

Hi Joseph,

To speed things up you can use the cache of the roles on the client side https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/JavaScript_API/Security

We do not have these as low-code primitives because developers need to understand that all code on the client side can be tampered with, so the check of roles should always be done also on the server side, either by setting the roles on the screens (which will automatically propagate to all aggregates and server actions done by that screen) and/or in a more central location by using the server-side check roles (e.g. before saving data to the database, which is often the most critical part).

Another place where the check of roles can be done is inside the aggregates, especially if you have a screen that shows different data to different roles.

But if you have that covered, you can use these JS calls to speed up things that will be used often.

The menu seems like a good place to do that. 

Hope this can help.

Cheers,

Tiago Simões
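The split Tiago describes above (a client-side role cache used only to decide what to render, with the real authorization re-checked on the server for every action) is worth seeing as working code, because it also closes the window Joseph hit in the original question, where an Update button was clickable before the permission fetch returned. The following is an added example written for this thread; it is not code from the thread, from OutSystems, or from the `$public.Security` JavaScript API linked above, and it models the pattern in plain Node.js. The role names, the `roleStore`, `actionPolicy`, `handleAction` and `ClientRoleCache` names, and the sample users are all constructed for the example.

```javascript
// Added example (not from the OutSystems thread): client-side role cache for
// fast, fail-closed rendering; server-side role check as the only enforcement.
// All names, roles and users below are constructed for this illustration.

// ---- Server side (authoritative) ----
// Constructed sample data: which roles each user holds. In a real deployment
// this is the Users/Groups data (or the external permission database).
const roleStore = new Map([
  ['customerA', new Set(['Customer', 'Customer.ReadOnly'])],
  ['customerB', new Set(['Customer', 'Customer.ReadUpdate'])],
  ['alice',     new Set(['Administrator'])],
]);

// Constructed policy: a server action is allowed if the caller has ANY of the listed roles.
const actionPolicy = {
  'Customers.View':   ['Customer', 'Administrator'],
  'Customers.Update': ['Customer.ReadUpdate', 'Administrator'],
  'Admin.Open':       ['Administrator'],
};

// Server-side check: always reads from the server's own store.
function serverCheckRole(userId, roleName) {
  const roles = roleStore.get(userId);
  return roles !== undefined && roles.has(roleName);
}

// Every server action re-derives the caller's roles from roleStore. Anything the
// client claims about its own roles (e.g. request.claimedRoles) is ignored.
function handleAction(request) {
  const { userId, action } = request;
  const allowedRoles = actionPolicy[action];
  if (!allowedRoles) return { status: 404, body: 'unknown action' };
  if (!allowedRoles.some((r) => serverCheckRole(userId, r))) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `${action} done for ${userId}` };
}

// Simulated login response: the server hands the client its role list once,
// so later screens can be rendered without another round trip.
function getRolesForClient(userId) {
  return [...(roleStore.get(userId) ?? [])];
}

// ---- Client side (UI decisions only) ----
class ClientRoleCache {
  constructor() {
    this.loaded = false;
    this.roles = new Set();
  }
  load(roleList) {
    this.roles = new Set(roleList);
    this.loaded = true;
  }
  // Fail closed: until the roles have arrived, every check is false, so nothing
  // is enabled during the gap between "screen rendered" and "roles fetched".
  checkRole(roleName) {
    return this.loaded && this.roles.has(roleName);
  }
}

// Menu/button visibility is derived purely from the cache; it never decides
// whether the server will actually perform an action.
function renderMenu(cache) {
  const isAdmin = cache.checkRole('Administrator');
  return {
    customers: cache.checkRole('Customer') || isAdmin,
    updateButton: cache.checkRole('Customer.ReadUpdate') || isAdmin,
    administration: isAdmin,
  };
}

// Walk through the three states: before the cache loads, after it loads, and
// after the user tampers with the cache in the browser.
function demo() {
  const cache = new ClientRoleCache();
  const beforeLoad = renderMenu(cache);             // everything hidden/disabled
  cache.load(getRolesForClient('customerA'));
  const afterLoad = renderMenu(cache);              // Customers visible, Update disabled
  cache.roles.add('Customer.ReadUpdate');           // user edits the cache via devtools
  const tampered = renderMenu(cache);               // the Update button now shows...
  const serverResponse = handleAction({             // ...but the server still refuses
    userId: 'customerA',
    action: 'Customers.Update',
    claimedRoles: [...cache.roles],
  });
  return { beforeLoad, afterLoad, tampered, serverResponse };
}

module.exports = { handleAction, ClientRoleCache, renderMenu, demo };
```

The two properties to carry over to the real app are the fail-closed default (block variables that gate buttons start as false and only flip after the role data is in hand) and the fact that `handleAction` never looks at `claimedRoles`: the cached roles make the menu fast, the server-side check is what keeps a tampered cache from mattering.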

Solution

Just one more thing, you would need to do those checks in the OnInitialize of that block, as explained here:

https://www.outsystems.com/forums/discussion/37920/role-based-menu-and-homescreen-in-mobile/


Thank you Tiago. I will read through and see what I can do. Being new to the platform, we still have A LOT of "best practices" to learn. I appreciate the help.

Just following up to say that the last two posts from Tiago did the trick perfectly! Thank you so much, Tiago!

Cool.

The trick here is that although reactive web is very new, and we are all learning it, it is also based on the same underlying technology that powers mobile apps.

So often searching forums and forge for mobile can lead in the right direction.