Controlling who can do what in your application is key, and in many cases not everyone should have the same functionality and access in the application.
In this blog we show a couple of techniques for restricting access to application functionality based on the user using the app. To implement these restrictions you'll define application level roles in Visual Builder. Application roles can be used to limit access to specific pages, flows, and applications. You can also hide elements in your user interface based on these roles.

In the 2210 version of Visual Builder, limiting access to specific pages, flows, and applications based on roles is done through a new security tab available in the settings for pages, flows, and the application.

Security settings

In this dialog you specify the roles that are allowed to access the artifact. Note that if you don't specify a role, then any user who can authenticate to the VB server can access the application you created. Check out the first section of the video below to see how these restrictions are set and the behavior they provide at runtime.

When you prevent people from navigating to pages, you will likely also want to hide the components on the page that trigger the navigation (buttons, menus, etc.). In the second part of the video, we show how to hide elements in the UI from people who shouldn't see them. This is done by surrounding the component with an oj-bind-if component whose condition depends on the role the user has. In simple cases you can use a condition such as [[ $application.user.roles.manager ]] where manager would be a role name. In more complex cases you could use a JavaScript function to decide whether to show or hide the component. This is the case, for example, when we try to hide navigation items in the default VB application template.

Check out the demo here:

Important note: these settings are defined and enforced on the client side. This means that advanced hackers might be able to modify client-side variables and code and gain access to the UI that you have disabled. This is why it is critical to define an additional layer of security on the layer that serves the data to your application (such as Business Objects or REST services), so that even if they have access to the app interface, they won't be able to see or modify data they are not allowed to access. For more on securing your business objects layer see our doc.
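The JavaScript-function approach to hiding navigation items and the note above about client-side enforcement can be seen together in the following added example, which is not code from Visual Builder or from the video. The requiredRoles field, the function names, the shape of the roles object, and the session object are assumptions made for illustration.

```javascript
// Constructed sample navigation data. requiredRoles is a hypothetical field;
// an empty list means the item is visible to every authenticated user.
const NAV_ITEMS = [
  { id: 'home', label: 'Home', requiredRoles: [] },
  { id: 'approvals', label: 'Approvals', requiredRoles: ['manager'] },
  { id: 'admin', label: 'Administration', requiredRoles: ['administrator'] },
];

// Normalize a roles value into a Set of role names. Accepts the map shape
// suggested by $application.user.roles.manager ({ manager: true }, assumed)
// or a plain array of names. Anything else yields no roles (fail closed).
function roleSet(roles) {
  if (Array.isArray(roles)) return new Set(roles);
  if (roles && typeof roles === 'object') {
    return new Set(Object.keys(roles).filter((name) => roles[name] === true));
  }
  return new Set();
}

// UI filter: decides which navigation items to render for the current user.
// This only controls what is displayed; it is not a security boundary.
function filterNavItems(items, roles) {
  const held = roleSet(roles);
  return items.filter((item) =>
    item.requiredRoles.length === 0 ||
    item.requiredRoles.some((role) => held.has(role)));
}

// Data-layer check (hypothetical service code): the roles are read from the
// server's authenticated session, never from values supplied by the browser.
function authorizeRequest(session, requiredRoles) {
  const held = roleSet(session && session.roles);
  return requiredRoles.some((role) => held.has(role));
}

// A client whose roles object was edited in the browser sees every item...
const shownToTamperedClient = filterNavItems(
  NAV_ITEMS, { manager: true, administrator: true });
// ...but the service still decides from the real session and refuses.
const serverDecision = authorizeRequest(
  { roles: { manager: true } }, ['administrator']);
console.log(shownToTamperedClient.map((i) => i.id), serverDecision);
```

In a Visual Builder page, a function like filterNavItems would feed the list that the navigation component renders, while the authorizeRequest decision corresponds to the role-based security configured on the Business Objects or REST services.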