Question

Security in the System and Administration modules

0

Should I leave these alone and not edit them. I would like to display the fullname from the Administration.Account (linked to a local module Person) based on role but the local roles do not have access to read that. (Though in local security, the association between Person and Account has read/write access) Should I create copies of various attributes in local Person from Account so that they are available? That does suggest having the same info in two places, which is never a good approach?

asked 2022-05-09

John Norris

2 answers

Tim v Steenbergen · Answer 1 · 2022-05-09

No need to copy the FullName to entity Person.

You have no control at all over the security of module System. But you have full control over the security of module Administration. Attribute FullName is from Administration.Account, not from System.User, so yes you are able to make Account/FullName readable. It is just a matter of correctly defining your Administration’s module roles, and assigning those module roles to your user-roles.

Rene van Hofwegen · Answer 2 · 2022-05-09

Your person entity should contain all "public” available values. Don't use any of your account details in your process. As this can be seen as the passport of your user.

Imaging being in a pub, and someone asks your name. Do you grab your passport to show your name?

Guess not, besides it’s ridiculous to show your passport to a random stranger, it’s also a security issue.

Same counts for your user account. These should only be used to authenticate and authorize access to data. No public use of this data.