    Wahab Ladjeroud
    Security for a VBCS application (Answered)
    Topic posted October 3, 2019 by Wahab Ladjeroud, tagged Business Objects, Layout, Security, UI
    4 Comments
    Summary:
    Difficulty setting up security for VBCS application
    Content:

    Hi,

    We developed a VBCS application for our client.

    It has hundreds of anonymous users and hundreds of customers with account.

    Our task is to deliver a URL for all of them and give them access to only their records.

    (Some kind of fine grained access)

    We have noticed that whatever URL we give in the landing page, when the user surfs the application, the URL at the top shows the ID (primary key, I suppose) and therefore it's easy to change it to another number and see someone else's records.

    My questions are:

    - 1 - What will be the correct setup of the security?

    - 2 - How can we deal with the problem of the URL?

    - 3 - What kind of token should we use if we need a better security?

    Thank you in advance.

     

    Version: 19.1.3

    Comment

     

    • Shay Shmeltzer

      The security should be on your backend service so it will only return data that the user is allowed to see.

      For example, if the user "hacks" the URL passing an id of a record they are not allowed to see - the backend service should not return that row.

      So the question to you is - how is your backend built? Is it using Business Objects in VB? If so you can define security on those to restrict which data is shown to each user.

      A basic example:

      https://blogs.oracle.com/shay/setting-up-security-in-oracle-visual-builder-with-groups%2c-roles%2c-and-users

       

    • Wahab Ladjeroud

      Hi,

      Thank you for your answer.

      The backend is built with business objects.

      I was planning to implement the roles in IDCS (as per your blog) and add some conditions for the data segregation.

      Can we enter an application variable in the value of the query in the attachment (for testing)?

      Regards

      • Shay Shmeltzer

        I'm not sure what is the query page you are showing here - if it is the filterCriteria editor for building a query in the UI then yes you can use a VB variable.

        If this is the query editor on a BO, then no you can't since the BO can be used by other apps and should be separated from any app specific variables. (Separating the model from the view layer).

    • Wahab Ladjeroud

      Thank you sir.

      Now it's really clear for us.
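
The backend-side check described in the first reply above, shown as an added example that is not part of the original thread and is not Visual Builder or Business Object API. It is generic JavaScript with constructed sample rows; `ownerId`, the `session` object and the function names are assumptions made for illustration.

```javascript
// Added illustration: generic backend logic, not Visual Builder's own API.
// Constructed sample rows; ownerId is a hypothetical column tying a row to its customer.
const ORDERS = [
  { id: 101, ownerId: "alice", item: "router" },
  { id: 102, ownerId: "bob", item: "switch" },
  { id: 103, ownerId: "alice", item: "firewall" },
];

// "Before": trusts the id taken from the URL, so changing 101 to 102
// returns bob's row to whoever asks. This is the problem raised in the question.
function getOrderUnchecked(id) {
  return ORDERS.find((o) => o.id === Number(id)) || null;
}

// "After": the caller's identity comes from the authenticated session,
// never from the request. A row the caller does not own is reported exactly
// like a missing row, so the response does not confirm that the id exists.
function getOrder(session, id) {
  if (!session || !session.userId) return { status: 401, body: null };
  const row = ORDERS.find((o) => o.id === Number(id));
  if (!row || row.ownerId !== session.userId) return { status: 404, body: null };
  return { status: 200, body: row };
}

// List endpoint: the owner predicate is applied on the server first.
// A client-supplied filter (the equivalent of a UI-side filter) can only
// narrow that set further; it can never widen it to another user's rows.
function listOrders(session, clientFilter = {}) {
  if (!session || !session.userId) return { status: 401, body: [] };
  const rows = ORDERS
    .filter((o) => o.ownerId === session.userId)
    .filter((o) => Object.entries(clientFilter).every(([k, v]) => o[k] === v));
  return { status: 200, body: rows };
}
```

With this shape the ID can stay visible in the URL: editing it yields a 404 rather than another customer's record.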