It's been THREE YEARS since our organization first brought this issue to OutSystems' attention, and after a lengthy multi-day support investigation they ultimately provided no solution. Dozens of forum posts have shown the same issue, and every time no solution is provided. This is a recap and compilation of all the posts because it's well beyond time OutSystems addresses this issue. Multiple updates have mentioned "potential" resolutions to this issue, but nothing has actually resolved it (I say "potential" because OutSystems refuses to acknowledge the issue as even existing, and only generally refers to generic role issues in the patch notes.)
The Issue:
On Reactive apps, the system logs get spammed with "Role Required" for every single data action on the screen. This occurs regardless of the roles assigned to the screens (in our case the screens are set with Registered). The role errors are always for higher up roles, such as DepartmentAdmin and EnterpriseAdmin, which makes zero sense if the Registered role is checked for the screen. There are no manual role checks occurring in these screen actions. When debugging the application, the screen actions occur BEFORE the user gets authenticated despite having the Registered role checked. That is to say, the Security Exception does not fire until AFTER the screen actions attempt to run (the Security Exception triggers only after the screen actions attempt to run). Here is an example of the error logs, the screen they come from and the OnException handler for that app:
Error Logs:
Every error follows the same stack: RESTService -> Action/Data Aggregate -> CheckPermissions
Screen:
Note that the screen in question has every role checked, including Anonymous. So why on earth is it claiming that EnterpriseAdministrator role is required???
OnException Handler:
Note that the SecurityException is set to NOT LOG the error, yet it logs them anyways.
Additional forum posts with the same issue with no resolution:
https://www.outsystems.com/forums/discussion/86804/getting-role-required-error/# (The provided answer was to make sure the "CheckPermission" action was set up correctly; we do not use this action and neither did the original poster of the above issue. No Solution Provided)
https://www.outsystems.com/forums/discussion/83789/registered-role-is-required-error-i-am-getting/#
(Suggested to check what roles are checked for the screen, if SSO is active and if the actions throwing the error are checking for a role which the user does not have. All roles are checked, SSO is enabled and no actions are checking for roles. No Solution Provided)
https://www.outsystems.com/forums/discussion/62741/tons-of-error-logs-registered-role-required/#
(Suggested answer was to manually assign the role after login. This clearly does not work because the errors are occurring before the login occurs)
https://www.outsystems.com/forums/discussion/76595/screendataset-throwing-role-required-error/#
(Suggested answer is to check that the Roles present in the app are present in the Users module. They are, see below)
https://www.outsystems.com/forums/discussion/78297/registered-role-required/#
(No solution suggested)
https://www.outsystems.com/forums/discussion/72364/web-reactive-name-role-required-error-while-there-is-a-global-exception-handl/#
https://www.outsystems.com/forums/discussion/63644/hundreds-of-error-logs-for-registered-role-required/#
(Mentions that the error occurs because the screen has Registered User checked but a user who is not signed in is trying to access the page. If a user isn't signed in it should redirect to the OnException handler, where it handles the login and SHOULD NOT log the error because the Log Error is set to no, see above)
https://www.outsystems.com/forums/discussion/74349/role-required-error-after-logout/#
https://www.outsystems.com/forums/discussion/64852/regarding-user-exception/#
(This mentions that if a logged in user tries to access a screen they don't have permission for, it raises the security exception. Role errors should not be getting logged if the user is not logged in, the app should just log the user in.)
https://www.outsystems.com/forums/discussion/81532/handling-rolename-role-required-log-error-for-screen-or-dataaction-access/#
(The suggested solution mentions adding local exception handles to the actions. We have added these to the Screen Actions, but they cannot be added to the Screen data aggregates, at which the global exception handler would handle the exception. In either case, if the Log Error is set to No, then the error should not be logged)
These are just some of the examples of the dozens of posts made related to this issue, with zero solutions ever provided. OutSystems has failed to address this common issue for over three years. A solution needs to be provided, even if at the very least that solution is to just fix the Log Error still logging even when it is set to "No". Our previous attempt to work directly with OutSystems support led to a multi-day support call where the technician ultimately told us that there was no issue, despite them seeing and acknowledging the errors that were being spammed. This issue and the complete lack of support surrounding it is one of the many reasons our organization never recommends this platform to anyone else who comes to us asking about OutSystems and if it's a good product they should implement into their organizations.
Update: As I was going through the patch notes for past versions, I saw that OutSystems finally added an option to "address" this, by letting you set a toggle to filter out these errors from the logs. It only mentions it for Registered Role and not for other roles, so it's unclear if this actually addresses the issue at hand. (Posting below for more information)
As far as I can tell everything is using the correct and often suggested pattern of using the OnException handler to redirect the user to a login page if they raise a security exception and are not logged in, otherwise they get directed to a no permission screen. Completely ignoring everything else and just focusing on the OnException handler, it must be a bug that these errors get logged when the handler is set to not log the error.
There was an update a while back that supposedly fixed this, yet it still occurs. Users do not face any errors, because like you pointed out the "errors" are from users who had their sessions timed out and so when they go to refresh the page, it triggers the exception since they are not logged in. We simply want to clear up our production logs because for three years 95% of the logs have all been these role errors, and it makes reviewing the logs more time consuming to get them all filtered out. From what I recall in past versions, there were issues with security exceptions bubbling up to the parent All Exceptions handler, which was causing issues.
From Version 11.13 Patch Notes
I also seem to recall that there was an update that included a "fix" for exceptions set to not log the error that were still logging the error, but I cannot seem to locate this in the patch notes. This is an excerpt from our Support Ticket investigation with OutSystems from 2021.
This issue is never addressed or mentioned in any of the patch notes. I am opening a new support case to inquire as to the progress on this issue.
We are currently facing the same issue, our logs are bloated with "X role required". In a smallish setup this may not be the biggest concern, however our client has more than 30k external users (patients), being a hospital chain. The logs become unreadable and it has gotten to the point that we suffer experience degradation because of the sheer amount of errors being logged having an impact on our DB. If there could be any way whatsoever to stop these from being logged, I would be very thankful.
I have been examining this issue with my team and we suspect this might be caused when the user is idle over a specific period of time and tries to perform a server action without refreshing the screen. The action is denied by the OutSystems authentication mechanism and an irrelevant role exception is thrown. We haven't found a satisfying solution to solve this problem yet. One thing you might consider is increasing the time in minutes in the Service Center -> Administration -> Security -> Applications Authentication, as long as it's in line with your business case.