Posted: 18 Oct 2019 10:53 EDT Last activity: 21 Oct 2019 9:22 EDT
How to use "Available Privileges" settings for securing Section referred in Dynamic Layout?
Just wanted to check on the use "Available Privileges" setting while referring a section in Dynamic layout. From documentation it seems users who hold the privileges mentioned in this field can view the section in read only mode.
In my use case, I am trying to use this feature "Available Privileges" (View privileges) in the sections which will be used in user portal harness but there is no effect. Though "Update Privilege" seems to be working as expected and if user is not holding the privilege, system is making the section fields non editable.
My goal is to not show the section at all if user role does not hold the required privilege (or even a role) and I am reluctant to use "Visible When" setting and use HaveRole or HavePrivilege checks (in expression or when rule) for securing the UI as it sounds that securing UI through visible when is not a good practice so please advice if there are any better way of securing UI specially an individual section among multiple sections without use of visible when condition but instead using other OOTB security mechanisms.
Note- All the sections (including the one which need to be secured) are in Data-Portal class.
My suggestion was to use the Access When rule as a Visible When as in that case you are using a Security rule to control access to something, albeit not an ideal solution.
The issue with using a Rule-Obj-When rule to control visibility is that this is not object-oriented Security. You want to secure the object itself, not only what displays the object.
Ideally the Section you are wanting to hide/show would be in unique Data class that can "encapsulate" when it is allowed to be read or modified. That way, no matter how many Sections are defined for that data class, they are either displayed or not displayed according to the same Security definition that the Data class controls.
If you have a Section on a case that some users are allowed to see and others not see, shouldn't that data be in its own Data class?
If there are only certain properties you want to hide, you can define a Property-Read ABAC Access Policy that lists the various properties you want to mask.
Hi Pedel, this use case is more for securing the UI components (specially dashboard components) based on user roles rather than data security. For example in case we need to use OOTB section "pxReportsBrowser7" which is in Data-Portal class as one of the tabs in user's landing portal, but we do not want this Report browser to be accessible by certain roles, how do we configure security for this tab other than visible when configuration.
In my understanding visible when should be used when we need to hide/show sections/layouts based on user inputs (or existing values on clipboard pages) on UI.
Tried accessing a Access When rule in visible when fields but system is throwing error, complaining that rule used has to be either when rule or property rule.
Posted: 2 years ago
Posted: 20 Oct 2019 9:31 EDT
Lee Pederson (pedel)
Global Tech Enablement, Principal Instructor - LSA
Creating when rules to check privileges to show/hide section components for your use case should be a fair option. The access control is actually happening through privileges which is an object oriented pattern.