Managing Page Security at Runtime

Is there any way to manage page security using roles through the application at RUNTIME? Currently it appears the only way to do this is at DEVELOPMENT.
  • Release 8.7.7.0 introduces the new feature called Access Control List.

    Starting with this release we are disabling Dynamic Controller Customization, Dynamic Access Control List, and Workflow Register described at https://codeontime.com/learn/integrat.... These features are replaced with ACL. It will be possible to enable them through custom code.

    ACL can be defined at design time. ACL can also be changed at runtime if CMS is enabled.

    Presence of ACL automatically disables access to all application pages and data controllers. Application resources need to be explicitly enabled for each role.

    Here is a sample ACL that must be stored in ~/app/acl.json:

    {
      "enabled": true,
      "cacheDuration": 10,
      "permissions": {
        "page.Home": "*",
        "page.Products": "*",
        "page.categories": "Users",
        "page.SupplierS": "*",
        "controller.Products.read": "*",
        "controller.Products.create": "*"
      }
    }


    CMS-based ACL must be defined as sys/acl.json

    Standard permissions "page" and "controller" are associated with roles. Role "*" applies to any authenticated user. Role "?" applies to anonymous users.

    Controller permissions allow create|read|update|delete. If a controller does not have a "read" permission then no rows are displayed.

    Developers can define custom permissions of type group|controller|access type. Groups can define "allow" and "deny" lists of other permissions like this:

    {
      "text": "Inventory Management | Basic",
      "description": "Allows access of inventory items and product management.",
      "allow": [
        "page.Home",
        "page.Products",
        "page.SupplierS",
        "controller.Products.read",
        "controller.Products.create",
        "controller.Products.update",
        "controller.Suppliers.create",
        "controller.Products.RenameProducts",
        "controller.Categories.read",
        "access._any.CategoryID.IsOne",
        "access._any.SupplierCountry.IsUSA"
      ]
    }


    This is an ACL that uses a group:

    {
      "enabled": true,
      "cacheDuration": 10,
      "permissions": {
        "group.Products": "Users",
        "page.Categories": "?",
        "controller.Categories.create": "?"
      }
    }


    This is an example of "access" permission access._any.SupplierCountry.IsUSA.json:


    {
      "text": "Controllers | Products | Reads",
      "description": "Limit rows to United States",
      "allow": "[SupplierCountry] = 'USA'"
    }


    This is an example of "controller" permission controller.Products.RenameProducts.json:


    {
      "text": "Controllers | Products | Rename products",
      "description": "Change label of Products to Product List.",
      "allow": "selectViews(\"grid1\").setLabel(\"Product List\")"
    }


    We are finalizing the visual tools to help management of permissions. This is the conceptual prototype of the permission manager:

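Added example (not part of the thread and not Code On Time's own code): a small lint for the acl.json format described in the reply above, catching the slips that hand-editing a default-deny ACL tends to produce. It assumes only the key shapes and the "?" anonymous role shown in that reply; the finding codes are invented for this sketch, group files are not expanded, and since the thread does not say whether names are case-sensitive, inconsistent casing is only flagged for review.

```python
import json
import re
from collections import defaultdict

# Key shapes seen in the thread: page.<Name>, group.<Name>, access.<...>,
# controller.<Name>.<create|read|update|delete or a custom permission>.
KEY_RE = re.compile(r"^(page|group|controller|access)\.\w+(\.\w+)*$")
WRITE_OPS = {"create", "update", "delete"}

# Constructed sample (not from a real application) with typical slips.
SAMPLE = """{"enabled": true, "cacheDuration": 10, "permissions": {
  "page.Home": "*", "page.Categories": "?", "page.categories": "Users",
  "controller.Categories.create": "?", "controller.Products.read": "*",
  "pages.Suppliers": "*"}}"""

def lint_acl(text):
    """Return sorted (code, subject) findings for one acl.json document."""
    findings = []
    def pairs_hook(pairs):  # json.loads silently keeps the last duplicate key
        keys = [k for k, _ in pairs]
        findings.extend(("duplicate-key", k) for k in set(keys) if keys.count(k) > 1)
        return dict(pairs)

    try:
        acl = json.loads(text, object_pairs_hook=pairs_hook)
    except json.JSONDecodeError as err:
        return [("invalid-json", f"line {err.lineno}")]
    perms = acl.get("permissions") if isinstance(acl, dict) else None
    if not isinstance(perms, dict):
        return [("no-permissions", "")]
    spellings = defaultdict(set)   # case-folded resource -> spellings used
    granted = defaultdict(set)     # controller name -> operations granted
    for key, role in perms.items():
        if not KEY_RE.match(key) or not isinstance(role, str) or not role.strip():
            findings.append(("malformed-entry", key))
            continue
        kind, name, *rest = key.split(".")
        spellings[f"{kind}.{name}".lower()].add(f"{kind}.{name}")
        if kind == "controller" and len(rest) == 1:
            granted[name].add(rest[0])
            if rest[0] in WRITE_OPS and role.strip() == "?":
                findings.append(("anonymous-write", key))  # review: anonymous role
    for used in spellings.values():
        if len(used) > 1:
            findings.append(("case-mismatch", " / ".join(sorted(used))))
    for name, ops in granted.items():
        if ops & WRITE_OPS and "read" not in ops:  # no "read" means no rows shown
            findings.append(("write-without-read", f"controller.{name}"))
    return sorted(findings)
```

Running `lint_acl` on every proposed acl.json before it replaces the live file turns a typo into a rejected change instead of a silently missing or misplaced grant.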

  • Great, this feature will answer the question of mapping user roles in every section of the screen. When this feature is available, I hope I can try it.

    Another question: in my project there is freetrial.dll. What is the limitation of the free trial version? Please describe it.

    Regards,
    Hardian
  • So we will be managing security directly at the .json file? If so, that will be catastrophic when you fat finger it. Not a good idea. You need to be able to read/write those values from the UI where it can be well constrained from human errors.
  • That will be a very challenging approach, especially in a multi-tenant application where we want to grant access to different parts of the application to different tenants.
  • Hiatham,

    You can define multiple ACL entries in Site Content table.

    SiteContent is designed to be extensible. You can create an additional table to associate entries in SiteContent with individual tenants. It is easy to add an access control rule to filter SiteContent based on user ID. From the perspective of tenants and the application framework there will be only one sys/acl.json entry.
  • COT, I think this is a very intriguing and powerful feature! I'm assuming you can also use it for custom actions implemented in a given controller?
  • With the disabling of features, will the customization of controllers still be possible via site content like this?

    File Name Products.xml
    Path sys/controllers
    Text
    <dataController name=.... ... .

    If not then I will not be able to upgrade my projects to that release.