Identity checks in Methods
To be honest, I'm writing this article mainly for myself, because I keep having to look up the code examples shown here again and again.
Restricting methods, actions and form elements is a daily task for Aras administrators.
It is usually necessary for one of the following two reasons:
- Security – Users should only be able to do what they are allowed to do.
- Usability – Users should only see what they need. A compact user interface improves usability.
There are many ways to adapt the user interface to specific user groups, but I have not yet found a comprehensive overview of all the available options. Since Aras wasn't able to provide me with the necessary information, I decided to write my own unofficial document!
This article contains nothing new, but aims to give a comprehensive overview of the options available.
Restrictions can be implemented in two ways:
- Restriction by code – We check whether the user has the appropriate rights before a method, action or form element does its work.
- Restriction by visibility – We show end users only the elements they actually need and hide the rest.
Keep the difference in mind: hiding an element is a usability measure, not a security control. A user who knows the method name can still call it directly through the API, so only a check in the server-side code actually enforces the rule; a check in client-side code or a hidden button merely keeps the interface tidy.
The following examples show a few ways to restrict Client and Server Methods and some ideas for improving the GUI. I do not guarantee the completeness or correctness of these examples; let me know if you notice anything that could be improved!
Restrict execution of Server Methods by using code
The following property returns the identities to which the current user belongs (the user's own alias identity plus every identity the user is a member of):
Aras.Server.Security.Permissions.Current.IdentitiesList;
The result is a comma-delimited string of identity ids that we can use for identity checks.
Example #1: Check if current user is an administrator
Example #2: Check if current user is the Item owner
Example #3: Combine the above options
Restrict execution of Server Methods with ‘Execution allowed to’
The property Execution allowed to on a Method item is an alternative way to restrict server methods (C#/VB): only members of the identity entered there may run the method. However, it does not work with client (JavaScript) methods. I prefer code restrictions because they make it clear that a restriction was made intentionally and for a specific reason. If you can't decide which option you like more, you can of course use both at the same time.
Restrict execution of Client Methods by using code
Similar to server methods, we can use this function in client methods to get the identities to which the current user belongs:
aras.getIdentityList();
The result is again a comma-delimited string of identity ids that we can use for identity checks.
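The three checks described for server methods above (Example #1 administrator, #2 item owner, #3 both combined) use exactly the same identity-list format as the client function, so here they are written once as JavaScript for a client method. This is an added example, not code from the original article or from Aras. The Administrators id is the stock value shipped with Aras Innovator (verify it under Administration > Identities in your own instance); the other identity ids, the helper names and the stand-in `aras` and item objects at the end are constructed for this example so it runs outside Innovator.

```javascript
// Added example, not code from the original article. Identity checks for an
// Aras Innovator client method; the same logic applies in a C# server method
// against Aras.Server.Security.Permissions.Current.IdentitiesList.
// ES5 syntax on purpose: Innovator 11 clients still had to run in IE11.

// Stock id of the "Administrators" identity in Aras Innovator.
// Verify it under Administration > Identities before relying on it.
var ADMINISTRATORS_IDENTITY_ID = "2618D6F5A90949BAA7E920D1B04C7EE1";

// Turn the comma-delimited id string into a lookup object. Splitting instead
// of calling indexOf on the raw string avoids partial-id matches and copes
// with whitespace, mixed case and an empty list.
function parseIdentityList(identityList) {
  var ids = String(identityList || "").split(",");
  var set = {};
  for (var i = 0; i < ids.length; i++) {
    var id = ids[i].replace(/\s+/g, "").toUpperCase();
    if (id.length > 0) {
      set[id] = true;
    }
  }
  return set;
}

// True when the given identity id is one of the user's identities.
function hasIdentity(identityList, identityId) {
  if (!identityId) { return false; }
  var wanted = String(identityId).replace(/\s+/g, "").toUpperCase();
  return parseIdentityList(identityList)[wanted] === true;
}

// Example #1: the current user belongs to Administrators.
function isAdministrator(identityList) {
  return hasIdentity(identityList, ADMINISTRATORS_IDENTITY_ID);
}

// Example #2: the current user is the item owner. owned_by_id stores an
// identity id, so the user "owns" the item when that identity is one of
// theirs, either directly (alias identity) or through a group identity.
function isOwner(identityList, ownedById) {
  return hasIdentity(identityList, ownedById);
}

// Example #3: administrators or the owner.
function isAdministratorOrOwner(identityList, ownedById) {
  return isAdministrator(identityList) || isOwner(identityList, ownedById);
}

// Access guard for a client method: returns an error text to show, or null
// when the user may continue. `arasApi` is the global `aras` object and
// `item` is the context item (`this` inside the method).
function checkAccess(arasApi, item) {
  var identities = arasApi.getIdentityList();
  var ownedBy = item.getProperty("owned_by_id");
  if (!isAdministratorOrOwner(identities, ownedBy)) {
    return "Only administrators or the item owner may run this method.";
  }
  return null;
}

// In a real client method the body is just:
//   var err = checkAccess(aras, this);
//   if (err) { aras.AlertError(err); return; }
// This only guards the client. Repeat the check in the server method, since
// the client can be bypassed with a direct AML call.

// Constructed stand-ins so the example runs outside Innovator. These identity
// ids are made up for the example (only ADMINISTRATORS_IDENTITY_ID is real).
var OWNER_IDENTITY_ID = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1";
var OTHER_IDENTITY_ID = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB2";

function fakeAras(identityList) {
  return { getIdentityList: function () { return identityList; } };
}
function fakeItem(ownedById) {
  return {
    getProperty: function (name) { return name === "owned_by_id" ? ownedById : null; }
  };
}
```

The lookup deliberately compares whole ids rather than calling `indexOf` on the raw string, and normalises case and whitespace, so a truncated or differently cased id never passes by accident.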
Restrict visibility of Form elements
Code in an onFormPopulate event can show or hide elements in a Form.
A typical example shows or hides a form button depending on whether the item is new or locked:
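The following is an added example of such an onFormPopulate handler, not code from the original article or from Aras. It shows a button only while the item is editable, that is, new or locked by the current user, and keeps the decision separate from the DOM update so the rule can be run and checked outside Innovator. The field name `btn_release`, the function names and the stand-in item, `aras` and field objects at the end are assumptions made for this example; `thisItem`, `aras.getUserID()` and `getFieldByName()` are the globals a form event in Innovator provides.

```javascript
// Added example, not code from the original article: show a form button only
// when the item is new or locked by the current user.
// ES5 syntax on purpose: Innovator 11 clients still had to run in IE11.

// Decide whether the button should be visible.
//   isNew         - thisItem.isNew()
//   lockedById    - the item's locked_by_id property (a User id, empty when unlocked)
//   currentUserId - aras.getUserID()
function shouldShowButton(isNew, lockedById, currentUserId) {
  if (isNew) { return true; }
  var locker = String(lockedById || "").replace(/\s+/g, "").toUpperCase();
  var me = String(currentUserId || "").replace(/\s+/g, "").toUpperCase();
  return locker.length > 0 && locker === me;
}

// Apply the decision to a field element (what getFieldByName returns).
// Returns the visibility that was applied, or false when the field is absent.
function setFieldVisible(field, visible) {
  if (!field) { return false; }        // field not on this form variant
  field.style.display = visible ? "" : "none";
  return visible;
}

// The onFormPopulate body. The Innovator globals thisItem, aras and
// getFieldByName are passed in as parameters so it can run anywhere.
function onFormPopulateReleaseButton(item, arasApi, fieldLookup) {
  var visible = shouldShowButton(
    item.isNew(),
    item.getProperty("locked_by_id"),
    arasApi.getUserID()
  );
  return setFieldVisible(fieldLookup("btn_release"), visible);   // assumed field name
}
// In the form's onFormPopulate event handler:
//   onFormPopulateReleaseButton(thisItem, aras, getFieldByName);

// Constructed stand-ins so the example runs outside Innovator (ids made up).
var CURRENT_USER_ID = "11111111111111111111111111111111";
var OTHER_USER_ID = "22222222222222222222222222222222";

function fakeItem(isNew, lockedById) {
  return {
    isNew: function () { return isNew; },
    getProperty: function (name) { return name === "locked_by_id" ? lockedById : null; }
  };
}
function fakeAras(userId) {
  return { getUserID: function () { return userId; } };
}
function fakeField() {
  return { style: { display: "" } };
}
```

Hiding the button is a usability measure only: whatever the button triggers must still check identities on the server, because a user can invoke the same action without the form.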
Restrict visibility of Actions
Restrict visibility of CUI elements
Conclusion
Always keep in mind: especially when external users are attached to your system, you cannot afford to get security wrong. The most secure IT environment cannot protect you if you fail at the simple things.
For Methods, Actions and Form elements that should have restricted access, a combination of the options above is probably the best solution: hide what users do not need, and enforce the restriction in server-side code for everything that matters.
Let me know if you know of an additional restriction option that is missing here! This article currently provides only a basic overview, and I would be happy to make it more accurate and complete!
Shown examples are based on Aras Innovator 11 SP12. For information purposes only. Use at your own risk!
If you can't get enough of restrictions, you will find even more useful information in Cyl's Note blog:
https://cylnote.blogspot.com/2019/02/control-property-access-with-identity.html