Hello All,


Currently my app has several roles created, and now I would like to display different buttons on the screen only to some specific users without adding an additional role in user management. Is there a way of achieving that, for example, how to limit it to specific userID(s)?


Scenario: User A and User B have the same 'Programmer' role in User Management. But now I would like to display certain buttons only to User A, who belongs to Team A, and not to User B, who belongs to Team B.

Hi

For this you need to check in your own logic whether User A belongs to Team A (Group); then you can display the link, something like that.

Hi ZQ,

One option I see is that you can create a role and assign it to a group, and then assign that group to the user.

When you assign the group to the user, the roles within the group will automatically be assigned to the user, and thus you can restrict access to your buttons.


Regards,

-PJ-

Hi Salman and PJ,


Do you mean like this: create a new Role e.g. TeamA, then assign TeamA as a group for User A in User Management? Is that correct for the understanding? :)


If that is correct, can I ask how I can validate whether the user belongs to TeamA in my app? Is it something similar to the GetUserId() or CheckRegisteredRole(UserId:)?

Hi ZQ, 

The idea here is to first create a group and assign a role to the group, and then add the user to the group.

This way you don't need to assign each role to individual users; rather, the new role will be automatically associated with the user via the group.

Now you can check this with the Checkrole method for any specific role; this Checkrole method will be available for all the roles you create in the eSpace.



Regards,

-PJ-

Hi ZQ,

In OutSystems there are two ways to do it:

1) Assign & manage Roles from the User module.

2) Assign Roles from OutSystems code.


In your case, assigning roles from user management looks suitable, and you can see the roles under Roles in Service Studio. Now what you need to do:

Put all buttons in the separate containers you want to display based on roles, then assign display property of the container based on role. Below is one example

CheckBankAPIUserRole(UserId:)

If that user has the role, then they will be able to see the buttons assigned to that role.


I suggest a container, but if you want, you can assign this condition directly to the buttons.

Regards,

Rajat Agrawal



Hi ZQ,

There are three main concepts in OutSystems when it comes to Authorization:

  • User - individual logged-in end-user of your application. Created at runtime (usually via the /Users app)
  • Role - permission that a user may have. Statically created by the developer at design-time, can be granted or revoked at runtime (usually via the /Users app)
  • Group - set of Users that share a set of Roles. Created and managed at runtime (often via the /Users app)

If you want to display/hide elements based on teams, you likely want to use Groups:

  • If the number of teams is pre-determined (there's only going to ever be a small set of teams, like A and B), you can do as suggested and:
    1. Create a Role for each team that you will have;
    2. Use that Role to decide what to display or hide (using the Check*Role role actions), and;
    3. Assign that role to a group that has all members of that team (using the /Users app)
  • If the number of teams is dynamic, you can still use the Group concept the same way, but:
    • You still manage your Users and Groups using the /Users app, adding the team members to different groups, but you don't need to assign a specific different Role to each Group;
    • In your code you use an Aggregate to check if the user belongs to the right Group in order to decide what to display or hide
      • Group, User and Group_User are system entities that you can reference from the OutSystems meta-model.
    • The key consideration here is that since Groups are created and set at runtime, your data model needs to allow determining what is the right group to check against (e.g. if a product was added by a member of a certain team, then only members of that team can make changes to that product).

Hope this helps!

Hi Jorge,


Thanks for the advice! But there's one thing I don't quite get, which is: how should I check if the user belongs to the group? I know that we can check for normal users using CheckRegisteredRole().


Solution

ZQ wrote:

Jorge Martins wrote:

  • In your code you use an Aggregate to check if the user belongs to the right Group in order to decide what to display or hide
    • Group, User and Group_User are system entities that you can reference from the OutSystems meta-model.

Hi Jorge,


Thanks for the advice! But there's one thing I don't quite get, which is: how should I check if the user belongs to the group? I know that we can check for normal users using CheckRegisteredRole().

Hi ZQ,

Check the emphasised tidbits above:

  • You add references to Group_User and Group entities - from (System)
  • You create an Aggregate, drag User, Group_User and Group entities inside (they should all "auto-magically" join together, as there are reference attributes that connect them)
  • You add the filters needed (for instance filter based on the Group's Name property and the logged-in User's Id property)

If your Aggregate returns any record, there was a match.

Hope this further clarifies!
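
The Aggregate described in the answer above, modelled in Python with SQLite as an added example that is not part of the original thread and is not OutSystems code. The table and column names are constructed stand-ins for the User, Group and Group_User system entities, and Product with Owner_Group_Id is a hypothetical entity for the dynamic-teams case.

```python
import sqlite3

# Constructed stand-ins for the User, Group and Group_User system entities;
# column names are assumptions for this sketch, not the OutSystems schema.
SCHEMA = """
CREATE TABLE "User"  (Id INTEGER PRIMARY KEY, Username TEXT NOT NULL);
CREATE TABLE "Group" (Id INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE Group_User (
    User_Id  INTEGER NOT NULL REFERENCES "User"(Id),
    Group_Id INTEGER NOT NULL REFERENCES "Group"(Id),
    PRIMARY KEY (User_Id, Group_Id));
CREATE TABLE Product (Id INTEGER PRIMARY KEY, Name TEXT, Owner_Group_Id INTEGER);
"""

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany('INSERT INTO "User" VALUES (?, ?)', [(1, "userA"), (2, "userB")])
    db.executemany('INSERT INTO "Group" VALUES (?, ?)', [(10, "TeamA"), (20, "TeamB")])
    db.executemany("INSERT INTO Group_User VALUES (?, ?)", [(1, 10), (2, 20)])
    db.execute("INSERT INTO Product VALUES (100, 'Widget', 10)")
    return db

def user_in_group(db, user_id, group_name):
    """Same join as the Aggregate: User -> Group_User -> Group, two filters."""
    row = db.execute(
        'SELECT 1 FROM "User" u'
        ' JOIN Group_User gu ON gu.User_Id = u.Id'
        ' JOIN "Group" g ON g.Id = gu.Group_Id'
        ' WHERE u.Id = ? AND g.Name = ? LIMIT 1',
        (user_id, group_name)).fetchone()
    return row is not None  # any record returned means there was a match

def can_edit_product(db, user_id, product_id):
    """Dynamic-teams case: the group to check comes from the data model."""
    row = db.execute(
        "SELECT 1 FROM Product p"
        " JOIN Group_User gu ON gu.Group_Id = p.Owner_Group_Id"
        " WHERE p.Id = ? AND gu.User_Id = ? LIMIT 1",
        (product_id, user_id)).fetchone()
    return row is not None

def rename_product(db, user_id, product_id, new_name):
    # Repeat the check where the change happens, not only where the button is drawn.
    if not can_edit_product(db, user_id, product_id):
        raise PermissionError("user is not in the owning group")
    db.execute("UPDATE Product SET Name = ? WHERE Id = ?", (new_name, product_id))
```

The same membership check that decides whether a button is displayed is repeated inside `rename_product`, so a request that bypasses the screen is still rejected.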

Hi Jorge, 


Yes, your explanation does clarify my concern. Thank you so much!