Uma R
Dynamic Role creation and Role based access to pages
Question
Hi,
Currently we are evaluating the OutSystems platform for one of our projects. We have understood that the application roles are created using Service Studio and access permission for the pages/screens to specific roles can also be done through Service Studio.
Is there any way we can create roles dynamically and give the access permission to the pages dynamically/programmatically? Is there any API available to do the same? The Users application allows us to create users and groups but not the roles.
Please clarify the following points:
Is it advisable to get the reference of the system's 'ROLE' entity and start inserting/updating records programmatically (as this table has a few unique attributes like "ss_key" which I am not sure/clear about)?
What's the table which holds the Role - Screen access permission relationship? (Say Role1 can access Screen1 & Screen3)
Thanks.
Gonçalo Martins
Staff
Hi Uma R,
First of all, let me welcome you to the OutSystems community.
What you pretend to do is something that is not available out of the box, because you have a different scenario and model.
Users - as usual, dynamic, created in backoffice or by your application programmatically.
Roles - static, defined in Service Studio. A User can be given a set of Roles (ex: John is a SalesManager).
(new) Groups: dynamic, created in Users backoffice (or your own user provider) or managed programmatically by the application. You can use the Groups for things like Administrators, US Sales Managers, etc., to which you add Users and Roles (ex: the US Sales Managers have the SalesManager role; John belongs to the US Sales Managers Group, so he inherits the SalesManager Role).
User_Effective_Role: this entity will give you all the Roles that a User has, either those directly assigned to him or those he inherited by belonging to a Group that has a Role.
Please read the explanations made by Gonçalo Borrêga about this issue in the following post (related to the new model implemented since the Agile Platform 6.0):
https://www.outsystems.com/NetworkForums/ViewTopic.aspx?TopicId=7422&Topic=what
You can also read the documentation related to roles:
https://www.outsystems.com/help/servicestudio/6.0/Handling_security/About_Permission_Areas.htm
Hope this helps.
Best Regards,
Gonçalo M.
Ganesh Kumar Sankaran
Gonçalo M,
Thanks for your reply, and explaining the concept succinctly.
In which case, the question boils down to:
Is there a way the out-of-the-box features can be used/adapted in an application where
1. There are a set of pages P, defining application features {p1, p2, p3,.... }
2. Have a set of roles R {r1, r2,....}
3. If more application features are added, there may be additional roles - otherwise roles and features are static
4. We know that access permissions for pages are through Service Studio at design time
Using the User_Effective_Role Entity (which can be dynamically modified by User<->Group<->Role associations) can I dynamically enable application features for specific users at run-time?
For example I have 2 roles, Sales Person and Sales Manager.
Sales Person has access to only a sub-set of pages, whereas Sales Manager has access to all Sales Person pages, plus a few more.
Use-case 1: Sales Person Don gets promoted to a Sales Manager. Can we dynamically give Don the "Sales Manager" role so that he will have additional page access?
Use-case 2: Sales Manager Don gets demoted to a Sales Person. Can we dynamically revoke Don the "Sales Manager" role so that he will have reduced page access?
Use-case 3: Sales Managers George and Bill manage South and East regions. Both George and Bill will have "Sales Manager" access but only to the data pertaining to their particular regions. Hoping this is what the multi-tenancy features try to support.
Use-case 4: Each region has its own Admin (say South Admin and East Admin). "South Admin" can administer features for users belonging to "South Region", and "East Admin" can do so for the East Region.
With Regards
Ganesh
10 Oct 2012
André Vieira
Staff
Hello Ganesh,
Welcome to the OutSystems Community!
You can use the platform metamodel to assign roles/groups to users in runtime; this is what the Users eSpace does.
Use-Case 1: You can do this manually in the Users eSpace or you can use the metamodel by creating the entry in User_Role system entity.
Use-Case 2: Like on the first case, manually done in Users or programmatically by deleting the corresponding entry in User_Role system entity.
Use-Case 3: multi-tenancy is a good fit for SaaS scenarios where you have the same application and different tenants. In your description I'd imagine you can implement it using multi-tenancy but you have to consider those roles that have an orthogonal view on the data and see both South and East regions. If you don't use multi-tenancy you still have to implement data containment.
Use-Case 4: I don't see a difference between this use-case and the previous one...
I hope this helped you.
Cheers,
André
Gonçalo Martins
Staff
Hello Ganesh,
I could not agree more with André's explanation.
Just to add a tip, I suggest you create a BackOffice screen to manage all these Use Cases you need to implement, because you can have a bigger control on it and quickly have the Big Picture of all screen configurations/roles related (take a look at the User eSpace).
Good luck..
Best Regards,
Gonçalo Martins
Robert Chanphakeo
@uma, our custom solution designed for cloud app features dynamic permission roles.
See https://www.box.com/s/ajjcbuj1it9zyiv4lg0b
No longer restricted by int32 user table limitation.
Web screens and API methods/actions permission are now dynamic. We are able to create or modify permission in real-time without recompiling/republishing our application.
Multi user access enabled, without the need to create multiple user accounts, works just like salesforce, xero, paypal etc
Single sign-on via Oauth (industry standard, as used by major service providers such as facebook, yahoo, microsoft, google, twitter, paypal etc)
Signup via Facebook Connect (as already seen in our open source component provided to agile community here https://www.outsystems.com/NetworkSolutions/ProjectDetail.aspx?ProjectId=237)
Custom cloud multi tenant
Regards
Robert Chanphakeo
16 Oct 2012
Joop Stringer
Wow Robert, that looks promising ... will you be able to share some more inside information on how you did this?
Robert Chanphakeo
@Joop
In order to enable dynamic permission/roles, an input parameter is set in the common layout template.
You give each web screen a unique ID, so your application would know which screen the user is viewing; using a static entity also makes it easier for you to reference permissions within your application via Service Studio. This is the same concept as MENU.
When the application is published, the static permissions that you have assigned to each web screen are synchronised with a global "permission" entity table.
This way you add new permission sets all in real-time without ever needing to republish your application.
You can add permission sets for web screens, web service, or external applications (non agile platform applications), that's up to you.
Permissions are cached in memory, to reduce queries and heavy load on your database server.
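Added example, not code from the thread or from OutSystems: a small Python model of the two ideas discussed above, effective roles (direct grants plus roles inherited through groups, as User_Effective_Role is described) and run-time screen permissions keyed by screen ID with an in-memory cache. The class, method and screen names are hypothetical; the point it shows is that a revoke has to invalidate the cache and that a screen with no permission row is denied.

```python
# Illustrative model only; AccessModel and its methods are hypothetical, not OutSystems APIs.
from dataclasses import dataclass, field
@dataclass
class AccessModel:
    user_roles: dict = field(default_factory=dict)    # user -> roles granted directly
    user_groups: dict = field(default_factory=dict)   # user -> groups the user belongs to
    group_roles: dict = field(default_factory=dict)   # group -> roles given to the group
    screen_roles: dict = field(default_factory=dict)  # screen id -> roles allowed (run-time data)
    _cache: dict = field(default_factory=dict)        # user -> cached effective roles

    def effective_roles(self, user):
        """Direct roles plus roles inherited through groups, cached per user."""
        if user not in self._cache:
            roles = set(self.user_roles.get(user, ()))
            for group in self.user_groups.get(user, ()):
                roles |= set(self.group_roles.get(group, ()))
            self._cache[user] = frozenset(roles)
        return self._cache[user]

    def can_view(self, user, screen_id):
        """Deny by default: a screen without a permission row is not viewable."""
        allowed = self.screen_roles.get(screen_id)
        if not allowed:
            return False
        return bool(self.effective_roles(user) & set(allowed))

    def grant(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)
        self._cache.pop(user, None)  # drop cached roles so the change applies at once

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        self._cache.pop(user, None)  # a stale entry here would keep access alive

def demo():
    # Constructed sample data using the names from the thread.
    m = AccessModel(
        user_groups={"john": {"US Sales Managers"}},
        group_roles={"US Sales Managers": {"SalesManager"}},
        screen_roles={"orders": {"SalesPerson", "SalesManager"},
                      "forecast": {"SalesManager"}})
    m.grant("don", "SalesPerson")
    before = m.can_view("don", "forecast")
    m.grant("don", "SalesManager")    # use-case 1: promotion
    promoted = m.can_view("don", "forecast")
    m.revoke("don", "SalesManager")   # use-case 2: demotion
    demoted = m.can_view("don", "forecast")
    return (before, promoted, demoted,
            m.can_view("john", "forecast"), m.can_view("don", "unlisted"))
```

`demo()` returns the access decisions for Don before promotion, after promotion and after demotion, then John's group-inherited access and a lookup for a screen that has no permission row.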
Vasanth
Where could I get the Platform osp file which is shown in https://www.box.com/s/ajjcbuj1it9zyiv4lg0b? I can find the FacebookConnect osp, which does not have this permission entity. How is the Permissions entity enabled to cache it, and where does the permission validation occur?