I have a common espace (SECURITY) with all my roles defined. Those are coming from LDAP and are effectively mapped. Including some actions to check login in LDAP

I have 3 apps:
App1 has got userprovider Users
App2 has got userprovider Users
App3 has got userprovider OtherUsers

How do I make sure the permission are correct for the session?
If I set the userprovider Users in SECURITY i will not be correct with App3 and vice versa.

How do I "set" the userprovider to "Inherit" for SECURITY?
To allow espaces to inherit a permission, you just have to mark it as public and then add it as a reference in the espace you wish to use it in.  Each "Users" role in each of your espaces will be a unique entity in that espace.  If a role with the same name is added as a reference, the Espace automatically adds a number at the end to differentiate it.  If you look at the system espace "Users", it will show you a list of all roles being used across all of the espaces.
I agree how to reference should be created. But that is not what I am trying to understand.

I am trying to understand when granted-roles are shared between applications.
To my knowledge the Userprovider is key in this.

To get more detailed example:

Security-espace where userProvider = (current Espace) + roles
Theme-Espace where UserProvider = Users, action to login which call grantroles in SecurityEspace
App1-espace which uses Theme-espace and also userProvider Users, references Security because of roles
App2-espace which uses Theme-espace and also userProvider Users, references Security because of roles
App3-espace which uses another UserProvider with users from external-db, still needs the roles from Security

when I login via App1 I get the rights quite OK.
I cannot switch to App2 because I will get "Invalid permissions"
The theme-espace will keep showing I have the right rights.
Does this mean the shared session breaks because of multiple userproviders in the chain of espaces?

If this is the case how can I share the same roles between multiple userProviders?
Even though the roles in App1 and App2 have the same name, they are still considered different roles by outsystems.  You can query the "Role" table in the System espace to see which roles are created.  If you join the table with the Espace table you can see where the Role resides.  If I remember correctly, to use the roles across user providers, then the Espace containing the shared roles would need to have muti-tenancy enabled.

Erm, my roles are not different? They are coming from the other espace?
The roles reside in the espace where I created the roles. checked it with a query and I can confirm it.

Why roles are attached to a userProvider I don't understand.
runtime in a session, yes, they should be attached to the UserProvider.
But at design-time I should be able to define roles and use them in other espaces.

But what you are saying is that for a "READ_COMMON"-role I need to create as many roles as I have UserProviders which is silly tbh.

Still, my question remains, what happens to a package of applications and 1 espace got a diferent userprovider than the others, will this kill the shared-session?

Now I need to make as many roles, a simple "READ_COMMON" just


Can you explain exactly what the Security Espace logic does?
In particular:
  • does it have Screens or only actions/roles?
  • what is the interaction to/from other eSpaces?

João Rosado
You're right...it isn't the roles that have a different user provider, but the user does have a different user provider.  Depending on which user provider the espace is using, this is the user that it will retrieve.  If you are in App1 and then try going to App3, you would have to reauthenticate with the other user provider.  This would result in 2 sessions.