Authorization

In the account base-component, there are two ways of defining access rights:
- Data: enable/disable the rights to create, modify, delete or view data
- Task: enable/disable the right to execute a task
DataAccessRight provides the out-of-the-box implementation of access rights. Note that rights work as a blacklist: by default all actions are unrestricted, and access is taken away by adding rights. A right with authorized set to true only has an effect where it overrides a restriction defined at a lower-priority level (see Priority below).
Data Access
To configure access to a DataElement, create a DataAccessRight instance with the following fields:
- forProfile, forUser or forUserGroup: set one of these fields (and only one) to define the target of the access right: a profile, a single user or a user group.
- element: the component name and the element name joined with `_` as separator, with the element name starting in lowercase (e.g. `myElement_product`). For backwards compatibility a bare element name is also accepted, but including the component name is preferred. `componentName_*` can be used as a wildcard for every element in a component, and `*` for every element in every component.
- functionality: `create`, `modify`, `delete` or `status` for the default CRUDS operations (`status` covers viewing and searching data); `all` is a wildcard for all functionalities. For access to a DataCommand, use the name of the command.
- target: element and functionality joined with `_` as separator. Deprecated: no longer in use.
- authorized: `true` or `false` (`yes` or `no` for backwards compatibility) to enable or disable the right respectively.
E.g. to prevent regular users from deleting a Product instance, enter the following values:
field | value |
---|---|
forProfile | user |
element | "myElement_product" |
functionality | "delete" |
authorized | "false" |
Task Access
To configure access to a TaskElement, create a DataAccessRight instance with the same fields, but use the taskElement name as the element. For functionality, use `execute`.

E.g. to prevent users from executing the CompleteOrder task, enter the following:
field | value |
---|---|
forProfile | user |
element | "myElement_completeOrder" |
functionality | "execute" |
authorized | "false" |
Priority
It is possible that multiple AccessRight instances apply to the same user. In that case, the priorities are as follows:
- user-specific rights > profile rights > userGroup rights
This means that rights blacklisted by the userGroup can be whitelisted by the profile, but also the other way around: a profile can blacklist what a userGroup has whitelisted. A user-specific right overrides both.
Generally, it is better to pick a single strategy for defining access rights, either through profiles or through userGroups, so that the effective rights of a user can be read from one place.
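The rules from Data Access, Task Access and Priority worked through in one standalone model. This is an added example, not the account component's own code: it keeps the field names from this page, assumes a user has exactly one profile and one userGroup, and has to pick a behaviour the page leaves unspecified, namely how conflicting rights at the same level combine (here a single denying right wins). The two rights from the tables above are taken from the page; the `warehouse`, `manager` and `alice` rights and the four user contexts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DataAccessRight:
    """One access-right record; exactly one of the three for_* targets must be set."""
    element: str            # "component_element", "component_*", "*" or a legacy bare name
    functionality: str      # create/modify/delete/status/execute, a command name, or "all"
    authorized: str         # "true"/"false", or "yes"/"no" for backwards compatibility
    for_user: Optional[str] = None
    for_profile: Optional[str] = None
    for_user_group: Optional[str] = None

    def __post_init__(self) -> None:
        if sum(t is not None for t in (self.for_user, self.for_profile, self.for_user_group)) != 1:
            raise ValueError("set exactly one of forUser, forProfile, forUserGroup")
        if self.authorized.lower() not in ("true", "false", "yes", "no"):
            raise ValueError(f"unsupported authorized value: {self.authorized!r}")

    @property
    def allows(self) -> bool:
        return self.authorized.lower() in ("true", "yes")


@dataclass(frozen=True)
class UserContext:
    """Assumption of this model: a user has one profile and one userGroup."""
    user: str
    profile: str
    user_group: str


def element_matches(pattern: str, element: str) -> bool:
    """'*' matches all, 'component_*' one component, a legacy bare name the element part."""
    if pattern == "*":
        return True
    if pattern.endswith("_*"):
        return element.startswith(pattern[:-1])  # keeps the trailing "_"
    if "_" not in pattern and "_" in element:
        return element.split("_", 1)[1] == pattern
    return pattern == element


def is_authorized(rights: Iterable[DataAccessRight], ctx: UserContext,
                  element: str, functionality: str) -> bool:
    """Priority user > profile > userGroup: the most specific level with a matching right
    decides; no matching right at any level means allowed (rights only restrict the default).
    Conflicts within one level are unspecified on the page; here one denying right wins."""
    levels = [
        lambda r: r.for_user == ctx.user,              # None never equals a user name
        lambda r: r.for_profile == ctx.profile,
        lambda r: r.for_user_group == ctx.user_group,
    ]
    for applies in levels:
        matching = [r for r in rights
                    if applies(r)
                    and element_matches(r.element, element)
                    and r.functionality in ("all", functionality)]
        if matching:
            return all(r.allows for r in matching)
    return True


# Constructed sample rights: the two from the tables above plus three more.
RIGHTS = [
    DataAccessRight(for_profile="user", element="myElement_product",
                    functionality="delete", authorized="false"),
    DataAccessRight(for_profile="user", element="myElement_completeOrder",
                    functionality="execute", authorized="false"),
    # userGroup-wide blacklist of the whole component ...
    DataAccessRight(for_user_group="warehouse", element="myElement_*",
                    functionality="all", authorized="false"),
    # ... re-enabled for products by a higher-priority profile right (legacy "yes")
    DataAccessRight(for_profile="manager", element="myElement_product",
                    functionality="all", authorized="yes"),
    # user-specific whitelist overrides the "user" profile blacklist
    DataAccessRight(for_user="alice", element="myElement_product",
                    functionality="delete", authorized="true"),
]

BOB = UserContext("bob", "user", "sales")
ALICE = UserContext("alice", "user", "sales")
CAROL = UserContext("carol", "manager", "warehouse")
DAVE = UserContext("dave", "user", "warehouse")


def demo() -> dict[str, bool]:
    return {
        "bob deletes product": is_authorized(RIGHTS, BOB, "myElement_product", "delete"),
        "bob modifies product": is_authorized(RIGHTS, BOB, "myElement_product", "modify"),
        "bob runs completeOrder": is_authorized(RIGHTS, BOB, "myElement_completeOrder", "execute"),
        "alice deletes product": is_authorized(RIGHTS, ALICE, "myElement_product", "delete"),
        "carol deletes product": is_authorized(RIGHTS, CAROL, "myElement_product", "delete"),
        "carol runs completeOrder": is_authorized(RIGHTS, CAROL, "myElement_completeOrder", "execute"),
        "dave views product": is_authorized(RIGHTS, DAVE, "myElement_product", "status"),
        "dave views other component": is_authorized(RIGHTS, DAVE, "otherElement_thing", "status"),
    }
```

`demo()` returns the decision per case: bob is denied `delete` on the product and `execute` on CompleteOrder but may still `modify` (no right matches, so the unrestricted default applies); alice may delete because her user-specific right outranks the profile blacklist; carol may delete because the manager profile outranks the warehouse group's component-wide blacklist, yet is still denied CompleteOrder, which that profile right does not cover; dave is denied `status` on the product by the group wildcard, while an element in another component stays unrestricted.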
Authorization in Logic Layer
By default, authorization is only checked in the Control Layer, so a call that reaches the logic layer without passing through the Control Layer is not subject to the access rights. The checks can be extended to the logic layer with the following component option:
Component: Generate authorization check in logic layer
With this option, security at component level is also enforced in the logic layer.
This authorization is generated for the standard CRUDS operations, commands and tasks. The generated code always calls the AuthorizationManager of the new account component.
Example Code
The generated code in the TaskBean.perform() method:

```java
// Resolve the access right for this task against the caller's user context.
DataAccessQuery dataAccessQuery = new DataAccessQuery();
dataAccessQuery.setElement(taskName);
AuthorizationManager authorizationManager = new AuthorizationManager(dataAccessQuery, userContext);
if (!authorizationManager.isTaskAuthorized()) {
    // Refuse before the task implementation runs.
    return TaskResult.error(Diagnostic.error("testComponent", "CarTask", "NO_ACCESS"));
}
taskResult = mImplementation.perform(targetParameter);
```
The generated code in the DataBean.perform() method:

```java
DataAccessQuery dataAccessQuery = new DataAccessQuery();
dataAccessQuery.setElement(elementName);
AuthorizationManager authorizationManager = new AuthorizationManager(dataAccessQuery, userContext);
// One check per CRUDS functionality; CREATE is shown here.
if (!authorizationManager.isDataAuthorized(DataAccessFunctionality.CREATE)) {
    return getDiagnosticHelper().createCrudsError("not authorized");
}
```
The generated code in the DataBean.performCommand() method:

```java
DataAccessQuery dataAccessQuery = new DataAccessQuery();
dataAccessQuery.setElement(elementName);
// For a command the user context is taken from the command parameter and the
// command name is used as the functionality.
AuthorizationManager authorizationManager = new AuthorizationManager(dataAccessQuery, commandParameter.getUserContext());
if (!authorizationManager.isDataAuthorized(commandName)) {
    return CommandResult.error(command, "not authorized");
}
```
The same option in the component's options block:

```xml
<options>
  <useLogicSecurity/>
</options>
```