Question

GUID/Security Question

0

Hi All, I have an application with several different user roles. One of the reporting requirements is that some of the user names need to be masked (so that other users don't know who they are). I am considering creating a masked user name attribute on the relevant user entity that would combine the GUID of the user object with some text, for instance 'Employee 31455'. However, this application is in the healthcare space and privacy/security requirements are paramount. If I use this construct, is there any mechanism that someone could use to take the GUID and access information inside of my application? This application runs in the Mendix cloud. Thanks, Mike

asked 2014-03-26

Mike Kumpf

2 answers

Chris de Gelder · Answer 1 · 2014-03-27

You can create a random number or use an autonumber in a seperate attribute of the user. Never display the name attribute. With entity access you can hide the data for other users. All common known security issues are covered in Mendix, however you can always hire some security company which will test your app.

Sebastiaan van den Broek · Answer 2 · 2014-03-27

No, just knowing the GUID of an object does not give you more access to the application data, it's just an identifier. That said, you do need to configure security correctly in the domain model, otherwise you can always retrieve objects by their identifier, but that applies to any Mendix application and relying on people not knowing identifiers of an object is not secure anyway. So don't worry about making reports that contain GUIDs, you will be fine as long as you set up your security.