Dynamic Role creation and Role based access to pages

Hi,

Currently we are evaluating the OutSystems platform for one of our projects. We have understood that the application roles are created using Service Studio and access permission for the pages/screens to specific roles can also be done through Service Studio.

Is there any way we can create roles dynamically and give the access permission to the pages dynamically/programmatically? Is there any API available to do the same? The Users application allows us to create users and groups but not the roles.

Please clarify the following points:
Is it advisable to get the reference of the system's 'ROLE' entity and start inserting/updating records programmatically (as this table has a few unique attributes like "ss_key" which I am not sure/clear about)?
What's the table which holds the Role - Screen access permission relationship? (Say Role1 can access Screen1 & Screen3)

Thanks.
 
Hi Uma R, 

First of all, let me welcome you to the Outsystems community.
What you intend to do is something that is not available out of the box, because you have a different scenario and model.

  • Users - as usual, dynamic, created in backoffice or by your application programmatically.
  • Roles - static, defined in Service Studio. A User can be given a set of Roles (ex: John is a SalesManager).
  • (new) Groups: dynamic, created in Users backoffice (or your own user provider) or managed programmatically by the application. You can use the Groups for things like Administrators, US Sales Managers, etc., to which you add Users and Roles (ex: the US Sales Managers have the SalesManager role; John belongs to the US Sales Managers Group, so he inherits the SalesManager Role).
  • User_Effective_Role: this entity will give you all the Roles that a User has, either those directly assigned to him or those he inherited by belonging to a Group that has a Role.


Please read the explanations made by Gonçalo Borrêga about this issue in the following post (related to the new model implemented since the Agile Platform 6.0):
http://www.outsystems.com/NetworkForums/ViewTopic.aspx?TopicId=7422&Topic=what

You can also read the documentation related to roles:

http://www.outsystems.com/help/servicestudio/6.0/Handling_security/About_Permission_Areas.htm

Hope this helps.

Best Regards,
Gonçalo M.

Gonçalo M,

Thanks for your reply, and for explaining the concept succinctly.

In which case, the question boils down to:

Is there a way the out-of-the-box features can be used/adapted in an application where

1. There are a set of pages P, defining application features {p1, p2, p3,.... }
2. Have a set of roles R {r1, r2,....}
3. If more application features are added, there may be additional roles - otherwise roles and features are static
4. We know that access permissions for pages are through Service Studio at design time

Using the User_Effective_Role Entity (which can be dynamically modified by User<->Group<->Role associations), can I dynamically enable application features for specific users at run-time?

For example I have 2 roles Sales Person and Sales Manager.
Sales Person has access to only a sub-set of pages, whereas Sales Manager has access to all Sales Person pages, plus a few more.

Use-case 1: Sales Person Don gets promoted to a Sales Manager. Can we dynamically give Don the "Sales Manager" role so that he will have additional page access?

Use-case 2: Sales Manager Don gets demoted to a Sales Person. Can we dynamically revoke Don's "Sales Manager" role so that he will have reduced page access?

Use-case 3: Sales Managers George and Bill manage South and East regions. Both George and Bill will have "Sales Manager" access but only to the data pertaining to their particular regions. Hoping this is what the multi-tenancy features try to support.

Use-case 4: Each region has its own Admin (say South Admin and East Admin). "South Admin" can administer features for users belonging to "South Region", and "East Admin" can do so for the East Region.

With Regards
Ganesh
 
Hello Ganesh,

Welcome to the OutSystems Community!

You can use the platform metamodel to assign roles/groups to users at runtime; this is what the Users eSpace does.

Use-Case 1: You can do this manually in the Users eSpace or you can use the metamodel by creating the entry in the User_Role system entity.
Use-Case 2: As in the first case, this can be done manually in Users or programmatically by deleting the corresponding entry in the User_Role system entity.
Use-Case 3: Multi-tenancy is a good fit for SaaS scenarios where you have the same application and different tenants. From your description I'd imagine you can implement it using multi-tenancy, but you have to consider those roles that have an orthogonal view on the data and see both South and East regions. If you don't use multi-tenancy you still have to implement data containment.
Use-Case 4: I don't see difference between this use-case and the previous one...
 
I hope this helped you.

Cheers,
André
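The role resolution discussed in the replies above, as an added example that is not part of any post and is not OutSystems code: a plain-Python model in which User_Role holds direct grants and a user's effective roles are the union of direct and group-inherited ones. The Group_User and Group_Role tables, the screen-to-role map and the sample users are assumptions made for the sketch; it shows that deleting only the User_Role entry (use-case 2) does not reduce access while a group still grants the role.

```python
# Added illustration: a plain-Python model of the role resolution described
# in this thread. Not OutSystems code; Group_User, Group_Role and the
# screen-to-role map are assumed names for this sketch.

class RoleModel:
    def __init__(self, screen_roles):
        self.user_role = set()    # (user, role): direct grants (User_Role)
        self.group_user = set()   # (group, user): assumed membership table
        self.group_role = set()   # (group, role): assumed group grants
        self.screen_roles = screen_roles  # screen -> roles fixed at design time

    def effective_roles(self, user):
        """Direct roles plus roles inherited through groups (User_Effective_Role)."""
        direct = {r for (u, r) in self.user_role if u == user}
        groups = {g for (g, u) in self.group_user if u == user}
        inherited = {r for (g, r) in self.group_role if g in groups}
        return direct | inherited

    def grant_sources(self, user, role):
        """Every path that gives `user` this role; all must go to revoke it."""
        sources = ["direct"] if (user, role) in self.user_role else []
        for (g, u) in sorted(self.group_user):
            if u == user and (g, role) in self.group_role:
                sources.append("group:" + g)
        return sources

    def can_access(self, user, screen):
        # Unknown screens have no allowed roles, so the check denies by default.
        return bool(self.effective_roles(user) & self.screen_roles.get(screen, set()))


def demo():
    m = RoleModel({"Orders": {"SalesPerson", "SalesManager"},
                   "Forecast": {"SalesManager"}})
    m.user_role.add(("don", "SalesPerson"))
    m.group_role.add(("US Sales Managers", "SalesManager"))
    before = m.can_access("don", "Forecast")
    # Use-case 1: promotion, granted twice (directly and via a group).
    m.user_role.add(("don", "SalesManager"))
    m.group_user.add(("US Sales Managers", "don"))
    promoted = m.can_access("don", "Forecast")
    # Use-case 2: deleting only the User_Role entry leaves the group path.
    m.user_role.discard(("don", "SalesManager"))
    still = m.grant_sources("don", "SalesManager")
    lingering = m.can_access("don", "Forecast")
    m.group_user.discard(("US Sales Managers", "don"))
    after = m.can_access("don", "Forecast")
    return before, promoted, still, lingering, after
```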
Hello Ganesh,

I could not agree more with André's explanation.
Just to add a tip, I suggest you create a BackOffice screen to manage all these Use Cases you need to implement, because you can have more control over it and quickly have the Big Picture of all screen configurations/roles related (take a look at the User eSpace).
Good luck.

Best Regards,
Gonçalo Martins
@uma, our custom solution designed for cloud app features dynamic permission roles.
See https://www.box.com/s/ajjcbuj1it9zyiv4lg0b
 
  1. No longer restricted by int32 user table limitation.
  2. Web screens and API methods/actions permissions are now dynamic. We are able to create or modify permissions in real-time without recompiling/republishing our application.
  3. Multi user access enabled, without the need to create multiple user accounts; works just like Salesforce, Xero, PayPal etc.
  4. Single sign-on via OAuth (industry standard, as used by major service providers such as Facebook, Yahoo, Microsoft, Google, Twitter, PayPal etc.)
  5. Signup via Facebook Connect (as already seen in our open source component provided to agile community here http://www.outsystems.com/NetworkSolutions/ProjectDetail.aspx?ProjectId=237)
  6. Custom cloud multi tenant

Regards
Robert Chanphakeo
 
Wow Robert, that looks promising ... will you be able to share some more inside information on how you did this?

@Joop

In order to enable dynamic permission/roles, an input parameter is set in the common layout template.

You give each web screen a unique ID, so your application would know which screen the user is viewing. Using a static entity also makes it easier for you to reference permissions within your application via Service Studio. This is the same concept as MENU.

When the application is published, the static permissions that you have assigned to each web screen are synchronised with a global "permission" entity table.

This way you add new permission sets all in real-time without ever needing to republish your application.

You can add permission sets for web screens, web services, or external applications (non agile platform applications); that's up to you.

Permissions are cached in memory, to reduce queries and heavy load on your database server.
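A sketch of the design described in the post above (screen IDs, a permission table seeded at publish time, an in-memory cache), added here as an example; it is not the poster's component or an OutSystems API, and every name in it is hypothetical. It assumes a republish seeds only new screens, and it denies screens with no row and drops the cached entry on every change so that a revoke is not delayed by the cache.

```python
# Added illustration of the design described above. All names are
# hypothetical; this is not the poster's component or an OutSystems API.
import time

class PermissionStore:
    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.table = {}     # screen_id -> set of roles (stands in for the DB entity)
        self.cache = {}     # screen_id -> (expires_at, frozenset of roles)
        self.ttl = ttl_seconds
        self.clock = clock
        self.db_reads = 0

    def sync_on_publish(self, static_permissions):
        """Seed rows for new screens; keep rows already edited at runtime."""
        for screen_id, roles in static_permissions.items():
            self.table.setdefault(screen_id, set(roles))

    def set_roles(self, screen_id, roles):
        """Runtime change, no republish. Drop the cached copy so a revoke
        takes effect on the next check instead of after the TTL."""
        self.table[screen_id] = set(roles)
        self.cache.pop(screen_id, None)

    def _roles_for(self, screen_id):
        hit = self.cache.get(screen_id)
        if hit and hit[0] > self.clock():
            return hit[1]
        self.db_reads += 1
        roles = frozenset(self.table.get(screen_id, ()))  # unknown screen: no roles
        self.cache[screen_id] = (self.clock() + self.ttl, roles)
        return roles

    def is_allowed(self, screen_id, user_roles):
        return bool(self._roles_for(screen_id) & set(user_roles))


def demo():
    store = PermissionStore()
    store.sync_on_publish({101: {"SalesManager"}, 102: {"SalesPerson"}})
    first = store.is_allowed(101, {"SalesManager"})
    store.is_allowed(101, {"SalesManager"})          # second check hits the cache
    reads = store.db_reads
    store.set_roles(101, {"Admin"})                  # revoke at runtime
    revoked = store.is_allowed(101, {"SalesManager"})
    unknown = store.is_allowed(999, {"Admin"})       # screen never registered
    store.sync_on_publish({101: {"SalesManager"}})   # republish keeps runtime edit
    kept = store.is_allowed(101, {"SalesManager"})
    return first, reads, revoked, unknown, kept
```

With several front-end nodes, each node holds its own cache, so a change made on one node reaches the others only after their TTL unless the invalidation is broadcast.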

Where could I get the Platform osp file which is shown in https://www.box.com/s/ajjcbuj1it9zyiv4lg0b? I can find the FacebookConnect osp, which does not have this permission entity. How is the Permissions entity enabled for caching, and where does the permission validation occur?