Security issues

I am creating a app that allows agents to take clients information and be stored in the database. What happens is that a client phones in and asks for a insurance quote, the agent will then take the clients details and also select which agent that must work this client. That all works perfect, but the problem that I am having is when assigning the work to the agent. Example I create a new client and assign it to the agent Mark, but agent John logins in to the app and can see Marks clients. I only want agents to work the clients that is assigned to them and any other clients that is not assigned to them must not be visible to them. Thanks
2 answers

The most secure way for this is to govern this through entity access.

I assume your data model has two objects for this, Agent and Client, with a 1-n reference from Client to Agent, and with Agent being a specialization of System.User.

In this case, you could limit entity access to Client objects for the Agent role (I assume this is a role) using an xpath. In the entity access setup for users with the Agent role (which I assume you have for this), you can use an xpath like the one below:

[ModuleName.Client_Agent = '[%CurrentUser%]']

Where ModuleName is the name of your module, and Client_Agent is the reference name.

With this xpath, users with the Agent role will only have access to Clients for whom they are acting as agent.

As a minor addition, you'll find entity access as a tab when you double click on an entity, however it will only appear if the security level at project level is set to 'Production' .


Have you set your security constraints in your domain model? You'll have to configure security, it won't automatically know how to constrain your data.