Hi, 

One Architecture Best Practice is to use Access Control Lists (ACLs) to set up permission-based access to data.

Please let me know what you think about it considering the following questions:

  1. What's your opinion about this best practice?
  2. Have you already applied it in a real project?
  3. If so, what were the main advantages compared with other approaches?
  4. If not, can you share why?

I am very curious about this topic and would really appreciate your feedback.

Cheers,

João

Hi João,

  1. What's your opinion about this best practice?

    OutSystems supports RBAC (role-based access control). There is no other out-of-the-box ACL policy on the platform. So, the practices mentioned should be considered the best/only rule of the game. However, I would suggest also having a look at Permissions in OutSystems.


  2. Have you already applied it in a real project?
    Yes. It's recommended to know about the permissions vulnerabilities.

  3. If so, what were the main advantages compared with other approaches?
    Can you be specific about the other approach? RBAC is the only supported policy.

  4. If not, can you share why?
    N/A


To feed your curiosity, here are some of the ACL examples in action.

Regards,

Swatantra

Hi Swatantra,

First of all, thanks for your feedback.

Point 1

The extreme approach shared by Filipe Morais on his article "Go granular or go home!" is very interesting and presents an effective and elegant way of using roles and groups to manage permissions although it doesn't implement ACL as described previously.

As he points out:

"With granular permissions, you just add a new group and associate roles... This alone should be reason enough to use granular permissions: functional roles will cost your project THOUSANDS if a new role is needed."

...

"Now we can authorize any user or group to edit the customer in a number of different ways. This would be impossible with functional roles."

Note however that this approach might be rejected in a factory that doesn't allow the development team to use groups.

Point 2

Thanks for sharing the link about Access Control and I would also recommend the following:

Although it doesn't cover the ACL topic, it describes the recommended actions to deal with common access control use cases with OutSystems Platform.

Point 3

Being more specific with the third question:

  • If you already implemented ACL (Access Control Lists) in a real project, what were the main advantages compared to other approaches like RBAC (Role-Based Access Control)?

Cheers,

João
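To make the distinction João draws concrete, here is an added Python example (it is not from the thread, from Filipe Morais's article, or from OutSystems itself, where roles are configured in Service Studio rather than in code). It models the three decision styles on a Customer record: functional roles, granular roles bundled into groups, and a per-record ACL. All user, group, role and record names are constructed for illustration.

```python
from dataclasses import dataclass, field

# 1. Functional roles (classic RBAC): one coarse role per job function.
FUNCTIONAL_ROLES_ALLOWED_TO_EDIT_CUSTOMER = {"SalesManager"}

# 2. Granular permissions: one role per capability; groups bundle roles.
#    Adding the "Support" group needs no new role, only a new bundle.
GROUP_ROLES = {
    "Sales": {"Customer_View"},
    "SalesLeads": {"Customer_View", "Customer_Edit"},
    "Support": {"Customer_View", "Customer_Edit"},
}

# 3. ACL: per-record entries of (subject, permission). Constructed sample data.
CUSTOMER_ACL = {
    1001: {("user:alice", "edit"), ("group:Support", "edit"), ("group:Sales", "view")},
    1002: {("user:alice", "edit")},
}

@dataclass
class User:
    name: str
    functional_roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

def can_edit_functional(user: User) -> bool:
    """RBAC with functional roles: the decision ignores which customer it is."""
    return bool(user.functional_roles & FUNCTIONAL_ROLES_ALLOWED_TO_EDIT_CUSTOMER)

def granular_roles(user: User) -> set:
    """Roles a user holds through group membership."""
    return set().union(*(GROUP_ROLES.get(g, set()) for g in user.groups))

def can_edit_granular(user: User) -> bool:
    """Granular RBAC: still application-wide, but a new group suffices."""
    return "Customer_Edit" in granular_roles(user)

def can_edit_acl(user: User, customer_id: int) -> bool:
    """ACL: the answer depends on the record; default deny when no entry exists."""
    acl = CUSTOMER_ACL.get(customer_id, set())
    subjects = {f"user:{user.name}"} | {f"group:{g}" for g in user.groups}
    return any((s, "edit") in acl for s in subjects)

def demo() -> dict:
    bob = User("bob", groups={"Support"})  # support agent, no functional role
    carol = User("carol", functional_roles={"SalesManager"})
    return {
        "bob_functional": can_edit_functional(bob),   # False: would need a new role
        "bob_granular": can_edit_granular(bob),       # True: group carries Customer_Edit
        "bob_acl_1001": can_edit_acl(bob, 1001),      # True: record grants group:Support
        "bob_acl_1002": can_edit_acl(bob, 1002),      # False: no entry for bob on 1002
        "carol_acl_1001": can_edit_acl(carol, 1001),  # False: a role is not an ACL subject
    }
```

The two role-based checks answer the same way for every customer, while the ACL check can differ per record, which is the data-level granularity the thread's "permission-based access to data" refers to.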

Hi João,

I have a somewhat mixed reaction to "... this approach might be rejected in a factory that doesn't allow the development team to use groups".

In general, it's one of the (lead) developers from your DevOps team, in collaboration with the PMO, who manages the Users module in the low-code factory. Although I can imagine each organization may have a different approach to handling it. But (there is always a but ;)) the role of the development team is to enable the functionality and pass it to the support/user-management team to manage the users/groups.

... and to be honest, I liked the granular approach (in low-code applications) as Filipe mentioned in the article.


To cover ACL in action, I pointed towards the ACL examples.


Regards,

Swatantra