2
 Followers
10
 Likes

[Reactive] Consumed Server Actions authorized roles

Backend
Implemented
on 01 Oct 2019
Platform Server Release Oct.2019 CP6

Just like screens, "Consumed Server Actions in Screens" could have CheckBoxes for roles.

We know that in this cases, the Server Action will be available to the device through a REST API raising security challenges, having built-in authorized roles would minimize that.

Created on 17 May 2020
Comments (8)

It already works that way.

When you call a Server Action from Screens, a REST API gets created for each Screen the Server Action is consumed on. That API requires the user to have the same roles as the Screen does.

J.Ja

Changed the category to Backend and the status to

Implemented
on 01 Oct 2019


Hi Francisco,

Thanks for your idea. It’s not obvious but, has Justin said, that is how it’s currently implemented. Role based security is guaranteed. Be aware that if you need row based security (e.g. a salesperson can only create or update records for his region, or users can changer only their user info) then you’ll need to implement that specific logic on the server side

Cheers,
Tiago Simões

hey everyone, bit confused by this and what is shown in the  course below, the approach used there seems also rather unproductive/repetitive, does the above note by Justin note implies it's actually not needed? Still very new to sstudio but find rather strange that role configuration is not configured at server side, vs screens. even to allow reuse and avoid duplicate permission configuration, should flow server -> screens

https://www.outsystems.com/training/lesson/2032/demo-how-to-control-authorization-in-logic?LearningPathId=18

my initial reaction after seeing the video and try on sstudio was exactly like the ideia above, would be much more intuitive and solid from security perspective.

more recent one

https://www.outsystems.com/ideas/10405/server-action-role-based-security-with-checkboxes


thoughts?

ps-adding, also not sure would the described behavior would work on a screen which allows operations (calling different server actions) with different role requirements. ex screen can be accessed by role A and B, but only role B can can do a specific action ?

Hi Rui,

Thanks for your comments. I've tried to explain some best practices in How to secure your reactive and mobile apps which might clarify your questions and concerns. 

Regarding that other idea I'll merge it with this one. Making the security explicit in actions (or maybe even better, allowing a simple centralization of read/write security rules on the data itself) could be something we pursue in the future. 

Cheers,
Tiago Simões

Merged this idea with 'Server Action role based security with checkboxes' (created on 15 Mar 2021 16:05:43 by Cristóvão Vaz)

Hello,


It would help make server action permission validation much simpler if we had something similar to what exists in screens: a "Roles" section with checkboxes for which ones can use the action.



This would especially help on the CRUD operations permission validations needed for all exposed entities.

This idea may seem repeated from https://www.outsystems.com/ideas/8979/reactive-consumed-server-actions-authorized-roles, but it's really not, as it would ideally work for all types of apps (not just mobile/reactive) and would work even if the server action was not called from a screen.


Thank you,

cv




This comment was:
- originally posted on idea 'Server Action role based security with checkboxes' (created on 15 Mar 2021 by Cristóvão Vaz)
- merged to idea '[Reactive] Consumed Server Actions authorized roles' on 15 May 2021 09:38:00 by Tiago Simões

thanks Tiago for all the notes, still going through and thinking :) lots of nuances


views
329
Followers
2