Back to Ideas
9
Like
Follow Idea
[Reactive] Consumed Server Actions authorized roles
1067Views
8Comments
Implemented
Backend
Platform Server Release Oct.2019 CP6

Just like screens, "Consumed Server Actions in Screens" could have CheckBoxes for roles.

We know that in this cases, the Server Action will be available to the device through a REST API raising security challenges, having built-in authorized roles would minimize that.

17 May 2020
Copy link to comment

It already works that way.

When you call a Server Action from Screens, a REST API gets created for each Screen the Server Action is consumed on. That API requires the user to have the same roles as the Screen does.

J.Ja

20 May 2020
Copy link to comment
Changed the category to
Backend
and the status to
Implemented
on 01 Oct 2019

Hi Francisco,

Thanks for your idea. It’s not obvious but, has Justin said, that is how it’s currently implemented. Role based security is guaranteed. Be aware that if you need row based security (e.g. a salesperson can only create or update records for his region, or users can changer only their user info) then you’ll need to implement that specific logic on the server side

Cheers,
Tiago Simões

29 Sep 2020
Copy link to comment

hey everyone, bit confused by this and what is shown in the  course below, the approach used there seems also rather unproductive/repetitive, does the above note by Justin note implies it's actually not needed? Still very new to sstudio but find rather strange that role configuration is not configured at server side, vs screens. even to allow reuse and avoid duplicate permission configuration, should flow server -> screens

https://www.outsystems.com/training/lesson/2032/demo-how-to-control-authorization-in-logic?LearningPathId=18

my initial reaction after seeing the video and try on sstudio was exactly like the ideia above, would be much more intuitive and solid from security perspective.

more recent one

https://www.outsystems.com/ideas/10405/server-action-role-based-security-with-checkboxes


thoughts?

14 May 2021
Copy link to comment

ps-adding, also not sure would the described behavior would work on a screen which allows operations (calling different server actions) with different role requirements. ex screen can be accessed by role A and B, but only role B can can do a specific action ?

15 May 2021
Copy link to comment

Hi Rui,

Thanks for your comments. I've tried to explain some best practices in How to secure your reactive and mobile apps which might clarify your questions and concerns. 

Regarding that other idea I'll merge it with this one. Making the security explicit in actions (or maybe even better, allowing a simple centralization of read/write security rules on the data itself) could be something we pursue in the future. 

Cheers,
Tiago Simões

15 May 2021
Copy link to comment
Merged this idea with 'Server Action role based security with checkboxes' (created on 15 Mar 2021 16:05:43 by Cristóvão Vaz)
15 May 2021
Copy link to comment

Hello,


It would help make server action permission validation much simpler if we had something similar to what exists in screens: a "Roles" section with checkboxes for which ones can use the action.



This would especially help on the CRUD operations permission validations needed for all exposed entities.

This idea may seem repeated from https://www.outsystems.com/ideas/8979/reactive-consumed-server-actions-authorized-roles, but it's really not, as it would ideally work for all types of apps (not just mobile/reactive) and would work even if the server action was not called from a screen.


Thank you,

cv




This comment was:
- originally posted on idea 'Server Action role based security with checkboxes' (created on 15 Mar 2021 by Cristóvão Vaz)
- merged to idea '[Reactive] Consumed Server Actions authorized roles' on 15 May 2021 09:38:00 by Tiago Simões
15 Mar 2021
Copy link to comment

thanks Tiago for all the notes, still going through and thinking :) lots of nuances


18 May 2021
Copy link to comment