Managing System.User fields read-only access

Question

Managing System.User fields read-only access

1

Briefly: let's have the access of System.User and System.UserRole entities allowed to manage as usually allowed for other Mendix entities, or at least close to them. (i.e. to set a read-only access)

Simple use case: to present a list of users with name and roles for the current user for purpose of information, that is, without permission to modify.

If you had such an assignment, currently you face several issues relating to achieving a proper access to the System.User fields. Why?

You are not allowed to write the System module, so you cannot add module role and set entity access rule on User fields as you do usually for an entity.
Though System.User can be specialized, you cannot find the inherited fields in the entity access rule of specializing entity. Therefore you cannot specify access on these fields as usually you can do.
Thanks to the XPath constraints of the entity access rules of System module, each module roles allow the user to access to its own User object, nothing more.
The only way to have access to other System.User objects via entity access (i.e. UI datagrid) is the 'User role management' feature of the User role. This feature allows the developer to set 'managing' user role with assigning other 'managed' user roles. This allows users of the 'managing' role to modify User objects assigned to 'managed' user roles. However this provides a write access as well, so the read-only access would be violated.
Workaround: to specify 'mirror' NPEs to the User and UserRole objects; configure required access on these NPEs; generate such NPE objects at each the UI screens.

My basic proposal is the following: to let developers apply the usual access management at for this entities as well:

A) allow to assign additional module roles to System module and to have them assigned via specific entity access rules;

B) allow to refer to such attributes in the access rules of the Entities specializing User. (allows to specialize the UserRole entity itself)

...or

Provide another simple solution allowing to set application roles with read-only access to attributes of the System.User and System.UserRole entities.

asked 2024-07-21

Istvan Danyi

1 answers

Tim van Steenbergen · Answer 1 · 2024-07-21

Certainly a good idea. Also allowing a 1-* relation from System.User to an entity in another module, please. And other stuff as posted long ago here.