Dynamic role management from UI

3
Hi, I want to configure dynamic role management in Mendix. I want to create a page/UI interface where the Super Admin can give access to pages/features to other end users. I want this security to be managed from the UI interface. How can I do this? Is this possible?
asked
4 answers
5

Hi Harshraj,

Roles in Mendix are defined at design time, not in runtime. So no, what you are saying is not possible out of the box. In runtime you can assign roles to users, but the configuration of the role itself is not manageable in runtime.

You can use XPaths in your role configuration for more dynamic access control if needed: https://docs.mendix.com/refguide/access-rules/#xpath-constraint

I've seen developers attempt to implement self-designed custom roles, but all efforts I've seen ended in uncontrollable complexity. I would advise you not to go there: I've never seen it succeed.

I hope this helps.

answered
1

So you need a fine-grained way to define which user can do what. Mendix offers this, but this needs to be defined at design time; there is no possibility to do this in runtime.

Let me think out of the box for a moment. Some options I can think of:

  1. Agree on a set of roles that fits most cases and accept that the final 10% of desired requirements will not be supported in your app.
  2. Use entity access XPaths; they give some flexibility to change access based on data in your database.
  3. Agree on a procedure to do a quick deploy in case someone needs an authorisation change. You can do a change in the modeler within 5 minutes and have it in production 5 minutes later.
  4. Create a Mendix role for every possible combination that may be required. -> Please note that having many roles may affect performance.
  5. Create your own role system by creating your own role entities and checks. -> It is nearly impossible to get watertight. I have yet to see the first implementation where that worked and was worth the effort.
  6. Create your app without Mendix. If the requirements are this specific and no other closely matching solution is acceptable, you should reconsider whether Mendix is still the tool for your job here. The Mendix authorisation mechanism is very powerful and quick due to its relatively simple setup. But that comes with the limitation of defining the roles at design time.

I hope this helps.

answered
0

Can you not already do it from the Account overview?

You can assign roles to specific users from this page, right?

answered
0

Jumping in on this discussion:

As Tim and Michiel already pointed out, this is not available out of the box. This is not a lack of functionality; this is a choice of Mendix, which is IMHO a very good one.

Since page view is directly related to data access, this should not be managed from runtime. Keeping this in the model will give a much more secure application.

Better to start asking the customer why they want it. I guess you will find more interesting answers that way than by trying to make it work as asked. In the end you will see that it is about specific roles in the app, which will perform specific tasks and go through certain processes. And thus modeling it in design time, setting up the right user roles which can be assigned to the users in runtime, will do the job.

My experience with these in-runtime configurations is:

  1. We had it in our previous app, so we need it now as well. → You are creating a new app for a reason… ;-)
  2. Now we have it, either nobody uses it, or it is misused in such a way that app security decreases.

Long story short: you are using a low-code platform. Use it accordingly.

answered