User/Role Security on Webpages

[smackie]

How do you manage security administration on a page by page basis. If I have several webpages within an application and need to secure each to certain users, how do I do this. Also, users will need to be able to access multiple pages. I would prefer to handle at the role level rather than user if possible. Thanks in advance for the help.

[SteveCap]

Every Page has two properties that control security. Secured and Force Role Security.

Secured Enforce Role Security Properties

SecuredEnforceRoleSecurityProperties.png (20.57 KiB) Viewed 11146 times

Secured Enforce Role Security Properties

SecuredEnforceRoleSecurityProperties.png (20.57 KiB) Viewed 11146 times

If secured is false, any one can access the page. If secured is true and enforce role security if false, any logged in user can access the page. If secured is true and enforce role security is true, then only logged in users who have that page associated with their authorization can access that page.

All links needed to setup the authorization is under the security menu

Menu

Menu.png (18.95 KiB) Viewed 11146 times

Menu

Menu.png (18.95 KiB) Viewed 11146 times

Every user must have an authorization assigned to them in order to be able to login to the app. To see a users authorization go to the user management page and click on assign authorization.

Users

Users.png (12.24 KiB) Viewed 11146 times

Users

Users.png (12.24 KiB) Viewed 11146 times

New Authorizations can be added from the Authorizations page.

Authorizations

Authorizations.png (56.29 KiB) Viewed 11146 times

Authorizations

Authorizations.png (56.29 KiB) Viewed 11146 times

Authorizations then have Roles assigned to them which can be done by clicking on the Roles link in the authorization list. New Roles can also be created from the page.

Roles

Roles.png (9.91 KiB) Viewed 11146 times

Roles

Roles.png (9.91 KiB) Viewed 11146 times

Roles then are assigned Object Lists. There are three types of lists.

• Webpage which will be a list of page you want to give access to

• Rest API Verb which will be a list of apis you want to give access to

• User Defined which is for custom logic using the CheckAccess service. For example to hide a button. (See below)

Below is an example of a webpage list.

WebPage List

WebPageList.png (10.19 KiB) Viewed 11146 times

WebPage List

WebPageList.png (10.19 KiB) Viewed 11146 times

WebPage List Objects

WebPageListObjects.png (18.94 KiB) Viewed 11146 times

WebPage List Objects

WebPageListObjects.png (18.94 KiB) Viewed 11146 times

If a user has an authorization that has a role that has this list that user would then have access to the Home,
WorkflowRequests, and WorkflowApproval pages.

For a user to have access to a page or api the user must have an authorization that is assigned a role that is assigned a list that has that page or api in it.

The CheckAccess service can be used to see if a user has access to a specific object. It takes in UserId, ObjectId, ObjectType (MVC_View, EP_WebPart, EP_REST_Resouce_Verb, UserDefined). This service will return WorkData/CheckAccess/Output/Result/Access where Access = True or False. Checks for types MVC_View, EP_WebPart, EP_Rest_Resource_verb are done automatically. This service is mainly used for custom security logic using UserDefined type.

In the IDE we use a UserDefined list to hide/unhide the promote button so only certain authorizations can promote to QA/PD.

User Defined Lists

UserDefinedLists.png (16.81 KiB) Viewed 11147 times

User Defined Lists

UserDefinedLists.png (16.81 KiB) Viewed 11147 times

We then use the CheckAccess Service and a Binary Decision to determine if we should hide the button which we do using SetControlProperty.

Check Access Service Setup

CheckAccessServiceSetup.png (21.35 KiB) Viewed 11148 times

Check Access Service Setup

CheckAccessServiceSetup.png (21.35 KiB) Viewed 11148 times

Check Access

CheckAccess.png (34.26 KiB) Viewed 11148 times

Check Access

CheckAccess.png (34.26 KiB) Viewed 11148 times

Binary

Binary.png (69.24 KiB) Viewed 11148 times

Binary

Binary.png (69.24 KiB) Viewed 11148 times

Set Control Property

SetControlProperty.png (34.37 KiB) Viewed 11148 times

Set Control Property

SetControlProperty.png (34.37 KiB) Viewed 11148 times

[SteveCap]

We have a fix ready for this and it will be out later today.

[smackie]

I have another question regarding this. So, I was trying to use the process you shared to show/hide a field on my page. When I used the check access service it returned an error saying user could not be found when userid was set to ; however it worked fine when I put a user id. Also, I don't see a set control property service, but I do see a show/hide element and enable/disable element services under MVC workshop should I be using one of these instead? If so which, and also when I look at the show/hide element service it doesn't allow me to edit anything.

[SteveCap]

The screen shot was from an older version. The correct way to reference the currently logged in user is

[smackie]

Thanks for the clarification, that worked. As for the service to set the control to visible or not would that be the show/hide element?

[SteveCap]

The example to hide a button above is from classic mode in which the SetControlProperty service can be used in datasources and control processes.

In MVC it is a little different.

If on page load you want to set the visibility of a control you will have to have some reference in the model so for example the CreateServiceNode service with a result named Buttonvisbility who's value returns as true or false.

Create Service Node

CreateServiceNode.png (47.1 KiB) Viewed 11116 times

Create Service Node

CreateServiceNode.png (47.1 KiB) Viewed 11116 times

You would then set the buttons visibility property to references that.

My Button Visibility Property

MyButtonVisibilityProperty.png (43.42 KiB) Viewed 11116 times

My Button Visibility Property

MyButtonVisibilityProperty.png (43.42 KiB) Viewed 11116 times

Then in a controller you can update that value to the opposite and then use the UpdateElement service

Update Element

UpdateElement.png (39.23 KiB) Viewed 11116 times

Update Element

UpdateElement.png (39.23 KiB) Viewed 11116 times

If you are not setting the visibility in the model then you also have the option to use the ToggleElement service which will take in a html id then if that element is visible will hide it or if it is hidden it will show it.

Toggle Element

ToggleElement.png (39.14 KiB) Viewed 11116 times

Toggle Element

ToggleElement.png (39.14 KiB) Viewed 11116 times

[smackie]

Thanks Steve this really helps me out.