Access control is about making sure that only the people who are supposed to do or see something are able to.
You can grant users or roles permission to:
- Perform actions. For example, adding a user or deleting an asset.
- See information. For example, payroll data or health records.
How to do it with OutSystems Platform
The following table lists the recommended actions for common access control use cases with OutSystems Platform. The first three rows are patterns to avoid: they only change what the browser shows or what the page computed at load time, and an attacker who forges the request directly never goes through either.

| Use case | Recommendation | Why |
|---|---|---|
| Disable action from UI | Avoid disabling actions from the UI. | Disabling a widget in the UI does not prevent the sensitive action code from running: the POST request can be forced or forged. |
| Hide action from UI | Avoid hiding actions from the UI. | The action is still present in the page. Hiding a widget in the UI does not prevent the sensitive action code from running: the POST request can be forced or forged. |
| Validate based on Preparation check | Avoid performing validations only in Preparation. | Validating access only in Preparation does not protect against tampered ViewStates; the action must check again when it runs. |
| Implement a page for a role | Tailor a page with only the actions available to that role. | Users of a different role should not be served a page that exposes actions they cannot perform. |
| Check permissions in action | Before executing any code, check that the current session has permission to do it. | The check runs on the server, inside the action, and does not depend on the UI state or on the ViewState. |
| Set IDs | Use non-guessable IDs. | Sequential IDs let an attacker enumerate other users' records by editing the ID in the request. |
| Display information on screens | Check in Preparation whether the current user is allowed to view this information. | Preparation decides what is rendered, so it is the right place to decide what to show; actions still need their own check when they run. |
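The following Python module is an added example, not OutSystems code, that makes the table's first rows concrete: the same delete action written three ways (checked only in the UI, checked only in a Preparation flag round-tripped through the ViewState, and checked inside the action), plus a non-guessable ID generator and a view check. `Session`, `preparation`, the action names and the `"Administrator"` role are assumed stand-ins for the platform's own constructs; on OutSystems Platform the built-in role-check functions would sit where `authorised` is called.

```python
"""Added example (not OutSystems code): hiding a widget or trusting a
Preparation-computed flag is not access control; the check must run
inside the action. All names here are illustrative stand-ins."""
import secrets


class Session:
    """Constructed stand-in for the server-side session: who is logged in
    and which roles they hold."""

    def __init__(self, user, roles=()):
        self.user = user
        self.roles = set(roles)


def authorised(session, role="Administrator"):
    """The one check every sensitive action must perform for itself."""
    return role in session.roles


def render_page(session):
    """UI layer ('Hide action from UI'): the Delete button is only rendered
    for Administrators. This changes what the browser shows, not what the
    server will execute."""
    return {"buttons": ["Delete"] if authorised(session) else []}


def preparation(session):
    """Stand-in for a Preparation that stores the result of the role check
    in the ViewState for the action to read later."""
    return {"is_admin": authorised(session)}


def delete_asset_ui_only(session, asset_id, assets):
    """'Disable/Hide action from UI': the action itself never checks.
    A forged POST (for example from an intercepting proxy) reaches this
    code whether or not the button was ever shown."""
    assets.pop(asset_id, None)
    return "deleted"


def delete_asset_viewstate(session, asset_id, assets, viewstate):
    """'Validate based on Preparation check': trusts a flag computed at page
    load that travelled to the client and back, so a tampered ViewState
    grants the action."""
    if not viewstate.get("is_admin"):
        return "denied"
    assets.pop(asset_id, None)
    return "deleted"


def delete_asset_checked(session, asset_id, assets):
    """'Check permissions in action': re-evaluate the role on the server,
    inside the action, before any code runs. UI state and ViewState are
    irrelevant; only the session is trusted."""
    if not authorised(session):
        return "denied"
    assets.pop(asset_id, None)
    return "deleted"


def view_record(session, owner, record):
    """'Display information on screens': the record is returned for
    rendering only to its owner or to an Administrator."""
    if session.user == owner or authorised(session):
        return record
    return None


def new_asset_id():
    """'Set IDs': a 128-bit random identifier from the OS CSPRNG instead of
    an auto-increment value, so ?id=1,2,3... cannot be enumerated."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Constructed data: two assets, a normal user and an administrator.
    mallory = Session("mallory")
    admin = Session("admin", ["Administrator"])
    assets = {"1": "alice", "2": "bob", "3": "carol"}

    print(render_page(mallory))                        # no Delete button shown
    print(delete_asset_ui_only(mallory, "1", assets))  # forged POST still deletes
    tampered = preparation(mallory)                    # {'is_admin': False} ...
    tampered["is_admin"] = True                        # ... until the client edits it
    print(delete_asset_viewstate(mallory, "2", assets, tampered))
    print(delete_asset_checked(mallory, "3", assets))  # denied: checked in the action
    print(delete_asset_checked(admin, "3", assets))    # deleted: real administrator
    print(view_record(mallory, "alice", "payroll"))    # None
    print(new_asset_id())
```

Calling the handlers directly in the example stands in for a forged POST: the client never went through `render_page`, which is exactly the situation a hidden or disabled widget does nothing about.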
To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platform helps you develop secure applications.