[BDDFramework] BDD framework vs Architecture dashboard and best practices
Forge component by Platform Maintenance
Application Type: Traditional Web, Service


I'm struggling a bit with what would be OutSystems' recommended approach to the following scenario:

  • All screens across all environments should have no anonymous / registered access (unless it's actually needed, like in login/logout/invalid permissions screens etc). Especially true when functionality or data needs a named role to access.
  • All critical functionality and the bulk of other server-side functionality should be automatically regression tested.

I find there's a conflict between the Architecture Dashboard and the recommended tools (BDD framework). To work correctly, the BDD framework documentation has the following note:

"Note: When calling a TestSuiteScreen, always make sure that it can be accessed through non-authenticated requests (in Service Studio, set the Anonymous Role in the Web Screen properties.) When the BDDFramework makes a request to get the screen, it will be without authentication and as a result, it won’t work if not set up this way."

In the Architecture dashboard, however, all test screens implemented in the BDD framework are showing up as security violations with the following Impact / How to fix recommendation:

Impact: "...Giving access to the Anonymous role, a Screen can be accessed by any end-user, including users that are not logged in."

How to fix: "Disable the Registered Role access on all Screens (that don't have the Anonymous Role) and explicitly grant access for custom Roles that are specific to your app. Disable the Anonymous Role access unless you want to make a Screen public and accessible by everyone that can reach your app."

Because of the limitations in the BDD framework, testing functionality accessible only to named roles is either not possible or it's going to create a security issue, because user login needs to be done inside a test screen accessible to anonymous users.

We do not want to fork the BDD framework to solve this issue, as it's a supported Forge component.

We do not want to "just mark these as non-issues" in the Architecture dashboard.

We tried to see if we could hook the OnBeginWebRequest / OnSessionStart system events in our module containing unit test screens, but those events are apparently not called when test screens are called from the Test Framework or using the BDD REST API.

So, what would be the recommended way to handle this? Our current best idea is to implement some token-based auth logic in test screens using screen input parameters and mark the Architecture dashboard issue as "false positive" / "won't fix", but this still feels like a hack approach at best.

A question I have for you is why do you need the architecture dashboard to monitor your test applications? The purpose of the architecture dashboard is to monitor production-deployed applications and indicate violations of development best practice with OutSystems.

In my opinion, test projects should not be monitored by the architecture dashboard.

You can ignore test applications from the Maintenance:

I'd like to draw attention to this post once more, since I have the same problem as the OP and feel that it's a massive security flaw. Sure, BDD Framework can be removed from architecture dashboard, but on a bigger scale I'm very uncomfortable with the fact that the tests are wide open on the internet, and I get the impression that this was also the OP's main concern.

Does anybody know of a solution, and did you implement one, @Mikko Nieminen?

Hi Johan, referring to my earlier suggestion in [1], I believe that these warnings in the Architecture Dashboard could then be snoozed if justified with the suggested approach. Hope this helps!

[1] https://www.outsystems.com/forums/discussion/77006/anonymous-access-to-bbd-framework-tests-is-there-any-option/#Post318001

Yes, this was the perfect solution to my issue. Thanks!
