Monday, August 6, 2012

Remember you can use XPage ACL Entries to control page access

I've been pretty busy lately trying to meet deadlines but while I am creating a local replica I wanted to remind folks that, just like other applications, XPage applications have certain "screens" that should be restricted only to certain users.  Typically these pages are used for system configuration or administration functions.

One way to prevent unauthorized access to the XYZ Administrators-Only XPage is simply not to show links to that page to the "wrong" users.  Simple enough to do using database ACL Roles but in the end it is not really very secure since someone can simply type in the XPage URL and open that "double-secret probation" XPage.

A better way is to remember that XPages have their own ACL settings that refine the database ACL.

Just go to the properties, add an ACL entry, enter a full name for the entry, enter the name of the Role, Group or individual, select whether they can edit or just read the XPage, and finally indicate the type of entry it is.

The example below allows only users in the Administrator role to access the page (roles are indicated using []).

When an unauthorized someone attempts to access the restricted XPage, they get this kind of login page message:

If you really want to get into it you can even add ACL entries to individual panel controls so you can section off portions within the same XPage.
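The page-level and panel-level entries described above, written out as XPage source markup. This is an added example, not the author's own page: the [Administrator] role comes from the post, while the fullName values, the [Auditor] role, the control ids and the panel contents are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
	<!-- Page-level ACL: refines the database ACL for this XPage only -->
	<xp:this.acl>
		<xp:acl>
			<xp:this.entries>
				<!-- Explicit deny entries, so the outcome does not rely on
				     how users who match no entry are treated -->
				<xp:aclEntry type="ANONYMOUS" right="NOACCESS"
					fullName="Anonymous visitors (constructed)">
				</xp:aclEntry>
				<xp:aclEntry type="DEFAULT" right="NOACCESS"
					fullName="Everyone else (constructed)">
				</xp:aclEntry>
				<!-- Role names keep their square brackets -->
				<xp:aclEntry type="ROLE" name="[Administrator]" right="EDITOR"
					fullName="Application administrators (constructed)">
				</xp:aclEntry>
			</xp:this.entries>
		</xp:acl>
	</xp:this.acl>

	<!-- Any user who passed the page-level ACL reaches this panel -->
	<xp:panel id="configPanel">
		<xp:text value="General configuration settings"></xp:text>
	</xp:panel>

	<!-- Panel-level ACL: sections off one portion of the same XPage.
	     [Auditor] is a hypothetical second role. -->
	<xp:panel id="auditPanel">
		<xp:this.acl>
			<xp:acl>
				<xp:this.entries>
					<xp:aclEntry type="DEFAULT" right="NOACCESS"
						fullName="Everyone else (constructed)">
					</xp:aclEntry>
					<xp:aclEntry type="ROLE" name="[Auditor]" right="READER"
						fullName="Read-only auditors (constructed)">
					</xp:aclEntry>
				</xp:this.entries>
			</xp:acl>
		</xp:this.acl>
		<xp:text value="Audit trail section"></xp:text>
	</xp:panel>
</xp:view>
```

Both roles must also exist in the database ACL and be assigned to the right people, since the XPage entries only refine what the database ACL already grants.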

Of course these are not the only ways to effect this kind of "security", but I just wanted to remind folks that XPage ACLs are easy to use and effective.

Did I mention these entries can also be dynamically loaded when the XPage loads?  Could be cool for testing your apps. <wink> <wink>