Hello,
Is there a way to control access to H5 SDK applications with regard to which users can access the URL or not? And is there a means to set security within the application regarding field selection, etc.?
Many Thanks.
Sincerely,
Jordan
For controlling security in an H5 app you need to build it, but you also don't have any limitations. You can add security to a button, a field, a menu, etc. You can hide elements entirely or still display them but disable them (disabled button, turn an input box into an output display, and so on). As far as controlling access to the whole app, you can simply implement a check during the load of the app that either displays your app or a message saying 'no access'.
Main takeaway is that you need to implement security where you need it, and the best approach is to think through what security you want to have in the app as you design it - before you start implementing. Do you want to lock down the entire app on/off, or is hiding a specific update button enough, or just hiding one of the app pages/menus for users without a certain role, and so on.
You can easily create a custom read API transaction that reads, for example, the M3 security tables for either user/program or user/role security. That's just two different tables in M3, and you can key in with user and role/program as the only input. As such you can create two very simple API transactions that'll get you M3 program or role security for a user. Then depending on what the API returns when you call it with the H5 app user as input, you enable/disable/hide the field/menu/button or whatever else it is that you need to do.
You can use many things to create those APIs - MDBREAD, ExportMI, CMS100MI, and so on. Easiest is ExportMI as it doesn't require any M3 configuration setup for your app to work.
Alternatively, you can build the app based on IFS security roles, and simply query the IFS API through ION to get a user's IFS roles, and then program your app's behavior accordingly.
There is no support for mapping M3 roles or IFS roles to an application URL so that script files will not get loaded. It's a valid enhancement to add such security, but any security implementation still needs to be done at the API level. To say that "only x roles" will be able to see the application link is OK to have, but to secure an application ALL API ENDPOINTS need to be secured.
1215097 is completely right. You need to plan and think about security, and there are options to find out roles etc., and you can use that to hide stuff in the UI. I just want to point something out, and this is a major takeaway. Access to the scripts or not is really not relevant; there should be no secrets in the script files. Hiding buttons or tabs that the user is not allowed to use: that is just usability, it's not security. For security you will need the backend API to reply with "HTTP 403", forbidden, if a request is made that the user does not have access to, or a NOK from an MI program to say that the call was rejected.
That is why adding security for the application is not a priority for development. It would be if we had a service for "show my apps". But we don't and you need to add the application link to the M3 menu, which you can control access to.
To have an extra check as the application loads is fine and informative, but to make the solution secure, don't forget the most important thing: securing the backend APIs that need to be secured.
Yes, very true. I used the term security very loosely, and can only completely agree on the point of the endpoints. H5 reads the data via APIs, and to secure your data you need to have API security in place (in other words, make sure they do not return data unless they should).
To achieve the end-user experience you are probably looking for, you can script and mimic the M3/IFS security in your frontend H5 app, but as stated, that would only be usability. For the most part though, your ERP end-users are unlikely to start hacking your H5 app.
Note that any user knowing the "app name" can open the app, for example by hitting CTRL+R in M3 and then typing "/mne/apps/insertappnamehere". So controlling permissions for access to the menu and adding the app URL to the menu doesn't really help; the menu isn't needed to open an app.
You can create a JS lib that can be used by all your apps.
It can validate whether a user has access or not to any SDK app or any option inside the SDK app.
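As an added example, not code from any post in this thread, here is the kind of shared JS helper the replies above describe: it reads the roles returned by a custom MI transaction against the M3 user/role security table and then hides, disables or makes read-only the governed elements. The transaction, its USID/ROLE output fields, the role names and the element ids are all assumptions constructed for the illustration.

```javascript
// Constructed sample in the MIRecord/NameValue shape of the M3 REST API;
// the transaction and its USID/ROLE output fields are assumptions.
const sampleRoleResponse = {
  MIRecord: [
    { NameValue: [{ Name: "USID", Value: "JORDAN" }, { Name: "ROLE", Value: "SALES" }] },
    { NameValue: [{ Name: "USID", Value: "JORDAN" }, { Name: "ROLE", Value: "VIEWER" }] },
  ],
};

// Collect the set of role names returned by the security transaction.
function rolesFromMiResponse(resp, roleField = "ROLE") {
  const roles = new Set();
  for (const rec of resp.MIRecord || []) {
    for (const nv of rec.NameValue || []) {
      if (nv.Name === roleField && nv.Value) roles.add(nv.Value.trim());
    }
  }
  return roles;
}

// UI policy per element id: roles that may use it, and what to do otherwise
// ("hide", "disable" or "readonly", the three options the thread mentions).
const uiPolicy = {
  btnUpdatePrice: { roles: ["PRICING_ADMIN"], otherwise: "hide" },
  btnRelease:     { roles: ["SALES", "PRICING_ADMIN"], otherwise: "disable" },
  inpDiscount:    { roles: ["PRICING_ADMIN"], otherwise: "readonly" },
};

// "enabled" when the user holds one of the allowed roles, else the fallback.
// This shapes the UI only: the MI program or API behind each action must
// still reject calls from users without the role (NOK / HTTP 403).
function decideUiState(userRoles, policy) {
  const state = {};
  for (const [id, rule] of Object.entries(policy)) {
    state[id] = rule.roles.some((r) => userRoles.has(r)) ? "enabled" : rule.otherwise;
  }
  return state;
}

// Apply the decision to real elements when running in a browser.
function applyUiState(state, doc) {
  for (const [id, s] of Object.entries(state)) {
    const el = doc.getElementById(id); if (!el) continue;
    if (s === "hide") el.hidden = true;
    else if (s === "disable") el.disabled = true;
    else if (s === "readonly") el.readOnly = true;
  }
}

const uiState = decideUiState(rolesFromMiResponse(sampleRoleResponse), uiPolicy);
if (typeof document !== "undefined") applyUiState(uiState, document);
```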