Read only permissions for SDK - Mendix Forum

Read only permissions for SDK


First of all, I want to say that I really like the idea of the model SDK. It allows users to develop their own tools to extend and add even more value to the whole Mendix ecosystem (see for example the Mendix Diff Tool - )

Recently I have also started working on a tool that make use of the SDK to analyze Mendix applications. Of course in order for people to use the tool they have to type in their user API key and App Id. And here is where the problems start. Anyone who has this two pieces of information can then read their entire application and furthermore make modifications modifications to the appcliation model and commit these changes to the team server!!.  That is really scary.

Understandably, this makes people very reluctant to share API keys as they give incredible power to people with access to them. So my idea is as following:

Enable more fine grained control to access permissions for API keys. For start, distinguishing between read only access and read&write access will already make a huge difference. Further down the line being able to request read right for only certain types of elements (e.g. pages or microflows) would be even better.

I really believe that the model SDK can  be a great tool to build all kinds of extensions to that standard mendix toolkit, but before we get there we must re-assure people that the model SDK is safe to use and access is strictly controlled.

2 answers

Hi Tim, you as a developer when trying out the SDK you have full control of what the API keys are used for. However, imagine now that you have built some nice utility and would like to share it so that other people can also benefit from it.
The straightforward way would be to offer it as a web application. That way anyone can visit your web application and use your utility.

However to do this you have to ask users to enter their API keys. At this point, they have to trust you that you will not store their keys or misuse them in some other way.


I have to get a first try at the SDK. See what it can do and I will for sure take along this scary risc.