Granular right/permission for System Components

Currently, permissions to System Components can be controlled from Lifetime. This either grants full rights to System Components or none at all.


When a module is created, some of the System Components that are referenced will be available, e.g. the Users entity.


Will it be possible to have an access control right specifically for the Users entity?

Changed the category to Lifetime

Members of its development teams can manipulate the Access Control tables within the OutSystems platform, and there are currently no immediate administrative configurations available to mitigate this risk.

This openness can generate major security problems if a developer uses these tables incorrectly or even in bad faith. The ideal would be to protect these tables with a specific access level, possibly with more restricted access to the database, since it is possible through a SQL Sandbox to execute a script and grant incorrect permissions.

Hi there,


I do agree with the idea proposed by Nuqman Baktiar, where it could be made possible to segregate the Users Entity from the Systems Module components.


But it is important to remember that the platform already provides a way to define which IT Users have access in each environment.


I recommend the following documentation as a good source of information for everyone with concerns about the security provided by the OutSystems platform regarding its IT Users:


Understand the Permission Model for IT Users - OutSystems 11 Documentation 

Find Out the Permissions of IT Users - OutSystems 11 Documentation