Security access Anonymous Users

0
Hi! I am currently following the learning path ‘Configure Advanced Security’. In Module 3.2 there is a section about Entity Access for Microflows. This is what is described:

“Microflows Exposing Anonymous Users or Using Deep Links

Anonymous user access and deep links provide a mechanism for individuals to access Mendix functionality without logging in. If you do not apply entity access in these microflows, anyone can trigger the microflows and potentially retrieve or manipulate any data that the microflows touch.”

I do not quite get this, because when setting up anonymous users, you always have to choose a certain user role that will be used for the anonymous users. We still set the Allowed Roles per MF and Entity Access in the domain model for these roles as they're supposed to be.

How is it possible they could still trigger Microflows they do not have access to? Why does the Entity Access for Microflows have to be turned on?

Regards, Maeve
asked
1 answers
2

Hi,

Consider that you have two user roles, Anonymous and Admin. Admin has access to change any field in the entity, but the Anonymous user has only read access for some fields. In this case, you have a microflow which makes changes, and it has both user roles, Anonymous and Admin. In this scenario, if you do not apply entity access in this microflow, anyone can trigger the microflow and potentially retrieve or manipulate any data that the microflow touches.

answered
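The scenario from the answer, as an added conceptual model in Python; it is not part of the original posts and is not Mendix code or a Mendix API. The role table, the `apply_entity_access` flag and the choice to raise an error on a denied write are assumptions made for illustration.

```python
# Conceptual model only: hypothetical names, not Mendix code or a Mendix API.
from dataclasses import dataclass

# Constructed entity access rules: role -> attribute -> rights ("r" or "rw").
ENTITY_ACCESS = {
    "Admin": {"Name": "rw", "Status": "rw"},
    "Anonymous": {"Name": "r"},  # read-only on Name, no rights on Status
}


class AccessDenied(Exception):
    pass


@dataclass
class Microflow:
    allowed_roles: set
    apply_entity_access: bool = False  # hypothetical flag modelling the microflow setting

    def change(self, role, obj, attr, value):
        # Allowed Roles only decides who may start the microflow.
        if role not in self.allowed_roles:
            raise AccessDenied(f"{role} may not run this microflow")
        # Entity access is consulted inside the microflow only when switched on.
        if self.apply_entity_access and "w" not in ENTITY_ACCESS[role].get(attr, ""):
            raise AccessDenied(f"{role} may not write {attr}")
        obj[attr] = value
        return obj


def attempt(flow, role, attr, value):
    """Run the change on a fresh constructed record and report the outcome."""
    record = {"Name": "Order 1", "Status": "Open"}
    try:
        return "changed", flow.change(role, record, attr, value)
    except AccessDenied as exc:
        return "denied", str(exc)


ROLES = {"Anonymous", "Admin"}
unchecked = Microflow(allowed_roles=ROLES)  # entity access not applied
checked = Microflow(allowed_roles=ROLES, apply_entity_access=True)

if __name__ == "__main__":
    for label, flow in (("entity access off", unchecked), ("entity access on", checked)):
        for role in ("Anonymous", "Admin"):
            print(label, role, attempt(flow, role, "Status", "Closed"))
```

With the flag off, the Anonymous role changes `Status` even though its entity access grants no rights on it; with the flag on, the same call is denied while Admin still succeeds.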