Security issues

I am creating an app that allows agents to take clients' information and store it in the database. What happens is that a client phones in and asks for an insurance quote; the agent then takes the client's details and also selects which agent must work this client. That all works perfectly, but the problem I am having is when assigning the work to the agent. For example, I create a new client and assign it to the agent Mark, but when agent John logs in to the app he can see Mark's clients. I only want agents to work the clients that are assigned to them, and any other clients that are not assigned to them must not be visible to them. Thanks
2 answers

The most secure way to do this is to govern it through entity access.

I assume your data model has two objects for this, Agent and Client, with a 1-n reference from Client to Agent, and with Agent being a specialization of System.User.

In this case, you could limit entity access to Client objects for the Agent role (I assume this is a role) using an XPath constraint. In the entity access setup for users with the Agent role (which I assume you have), you can use an XPath like the one below:

[ModuleName.Client_Agent = '[%CurrentUser%]']

Where ModuleName is the name of your module, and Client_Agent is the reference name.

With this XPath, users with the Agent role will only have access to Clients for whom they are acting as agent.

As a minor addition, you'll find entity access as a tab when you double-click on an entity; however, it will only appear if the security level at project level is set to 'Production'.

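As an added illustration (not part of the answer above, and not code from the original post), the constraint from the answer together with two variants of the same idea, so it is clear how the rule follows the data model rather than being a fixed string. All module, entity and association names here are assumptions: ModuleName.Client_Agent is the answer's Client-to-Agent reference; the second line assumes Agent is a separate entity that points at its login via an association ModuleName.Agent_Account to System.User instead of specializing it; the third line assumes a ModuleName.Team entity with ModuleName.Agent_Team from Agent to Team and ModuleName.Team_Manager from Team to System.User, and would be placed on a separate access rule for a Manager role.

```xpath
[ModuleName.Client_Agent = '[%CurrentUser%]']
[ModuleName.Client_Agent/ModuleName.Agent/ModuleName.Agent_Account = '[%CurrentUser%]']
[ModuleName.Client_Agent/ModuleName.Agent/ModuleName.Agent_Team/ModuleName.Team/ModuleName.Team_Manager = '[%CurrentUser%]']
```

Two points a practitioner would want to check. First, an XPath typed into a data grid's data source on a page is only a display filter; a microflow, another page or a published service that retrieves Client will still return every row. Only an XPath constraint on the entity's access rule is applied by the runtime to every retrieve for that role, which is why the answer puts it there. Second, access rules for the roles a user holds are combined, so a user who is both Agent and Manager sees the union of what each rule allows; keep one rule per role rather than folding every case into one long expression. To verify, log in as the second agent and open a page that lists Client with no filter on the grid: only the clients assigned to that user should appear.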

Have you set your security constraints in your domain model? You'll have to configure security; it won't automatically know how to constrain your data.
