To continue with this content, please log in with your Data Access ID or create a new account.
Cancel Data Access ID
You may not be authorized to see this content. Please contact Data Access Europe for more information.
Cancel Data Access Europe
You are not authorized to see this content.
Cancel Data Access Europe
Next lesson:
Authentication Overview

Security the Basics

Lesson 13: Access Control

Access control is giving users appropriate rights so that they can do what they need to but are blocked from doing anything else.

Example - a button in a web application should only be use able by certain people. 

  • Option 1 – Set pbVisible to false for those that are not meant to see it. This hides the button, but it is still present. This is problematic because any client with developer tools can expose it and click it.
  • Option 2 – Set pbRender to false is an option, but it does not fully work.
  • Option 3 – when onclick is triggered, the user’s rights are checked to confirm that they are allowed to use the button.
    • Best method

Another consideration in web applications are web properties. Client-side web properties have a weakness because a user can change values in web browsers and send them back to the server. In other words, users can manipulate the web properties. To avoid that from happening, a better choice is to use server-side web properties. Server-side web properties are not sent to the client, but they are saved with the session. With every call to the server the properties are retrieved and available. Using server-side web properties makes applications much more secure. 

There is one method to check if a user has access to a view called AllowedAccess. AllowedAccess is called before the view is loaded and is triggered when the URL features are used. OnChangeRights is used with the menu and is automatically triggered by the session manager when a user logs in or out.