Is it safe to set all rights to granted in the Ivy Admin console for the role "Everybody"?

For example, a user has the "UserAddRole" permission. If the webapp doesn't have the feature to add a role, is it still somehow possible for the user to add a role?

In other words: as long as the webapp controls the security itself, does it need the ivy security layer?

asked 21.06.2016 at 17:37 Michael Knight
The ivy permissions ensure that processes executed by an authenticated user cannot call certain ivy APIs. If the process never ever calls that API, it is safe to grant the permission to a user or one of its roles.

Note that some standard products like the portal or the JsFWorkflowUI application also use these permissions to enable and disable some features on their UI. For example, it allows modifying the expiry date of a task if the current user has the right permissions to call the corresponding API (ITask#setExpiryTimestamp).

Therefore, it is not recommended to grant all permissions to the Everybody role. But if you know what your web application is doing and you want to be responsible for the security on your own, feel free.

For a process developer it is even possible to decide to turn off security while executing some code. That means that the code can call APIs without having the right permissions. It is the responsibility of the process developer to ensure security in this case.

http://answers.axonivy.com/questions/744/how-can-i-disable-xpert-ivy-security-permission-checks

answered 23.06.2016 at 09:50 Reto Weiss
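The reasoning in the answer above can be turned into a review check: a permission granted to Everybody only matters where some deployed application actually reaches the API it guards. The following is an added example, not code from this thread or from Axon Ivy; it is a simplified model, and the application inventory and every permission or API name other than "UserAddRole" and ITask#setExpiryTimestamp are assumptions.

```python
# Simplified model (not Ivy's API): which guarded APIs become callable by any
# authenticated user once their permission is granted to the "Everybody" role?

# Guarded API -> permission it requires. "UserAddRole" and
# ITask#setExpiryTimestamp come from the thread; all other names are assumed.
REQUIRED_PERMISSION = {
    "addRoleToUser": "UserAddRole",                  # hypothetical API name
    "ITask#setExpiryTimestamp": "TaskWriteExpiry",   # hypothetical permission name
    "deleteCase": "CaseDestroy",                     # hypothetical pair
}

# Constructed inventory: guarded APIs that each deployed application can reach.
REACHABLE_APIS = {
    "own_webapp": set(),                             # never calls a guarded API
    "portal": {"ITask#setExpiryTimestamp"},          # standard product UI feature
}


def api_call_allowed(api, user_roles, grants):
    """Enforcement happens at the API call, independent of what the UI shows."""
    needed = REQUIRED_PERMISSION[api]
    return any(needed in grants.get(role, set()) for role in user_roles)


def exposed_by_everybody(grants, reachable=REACHABLE_APIS):
    """Return sorted (application, api, permission) triples that every
    authenticated user can trigger because Everybody holds the permission."""
    everybody = grants.get("Everybody", set())
    findings = []
    for app, apis in reachable.items():
        for api in apis:
            permission = REQUIRED_PERMISSION[api]
            if permission in everybody:
                findings.append((app, api, permission))
    return sorted(findings)


# Two constructed role configurations to compare.
ALL_GRANTED = {"Everybody": set(REQUIRED_PERMISSION.values())}
SCOPED = {"Everybody": set(), "TaskManager": {"TaskWriteExpiry"}}

if __name__ == "__main__":
    print("all granted:", exposed_by_everybody(ALL_GRANTED))
    print("scoped:     ", exposed_by_everybody(SCOPED))
```

With everything granted, the only finding comes from the standard product, not from the custom webapp, which matches the answer's point about the portal and JsFWorkflowUI.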
Asked: 21.06.2016 at 17:37
Seen: 2,633 times
Last updated: 23.06.2016 at 09:50