The access rights jungle

How to stay on top of ‘access security’ in your low-code apps

My previous blog (‘Don’t re-invent the wheel | Beware of the risks of using Open Source’) discussed the potential risks of using Open Source components in your low-code apps. Some of these risks are related to security and, unfortunately, security risks don’t just come with the use of Open Source. In fact, the most commonly made mistake is ‘leaving the front door open’ in your apps by configuring user roles and access rights incorrectly. This blog dives into this challenge and offers potential solutions for preventing unwanted access to your apps.

The challenge

Every app, whether it’s been built using low-code or regular code, has users. These users in turn have certain roles and access rights, which determine which parts of the app and which data can or cannot be accessed. This shouldn’t be anything new and, if implemented correctly, it shouldn’t be such an issue. However, what happens when your app grows? What happens if there is a need for multiple types of users, each with their own specific access rights? This is when the security risks start to increase. After all, it’s the developers who are supposed to manage all this and, let’s face it, even developers are only human. Platforms such as Mendix and OutSystems do allow developers to configure these user roles and access rights, but they do not really offer a way to manage and validate all of them in an easy way. Hence, the risk of a developer ‘overlooking’ a misconfiguration is quite real.

What are the risks

So, managing a multitude of user roles and access rights is the key challenge. But what can happen if they are not managed properly? Perhaps this is stating the obvious, but I still want to point out the risks by using an example.

One of the most important things that is managed through user roles and access rights is access to the data that is being used in your app. Imagine having built an Order Management App. Some users require access to the client entity, which contains all kinds of (potentially sensitive) information on clients. If configured incorrectly, this information can also be accessed by users who should not be able to see it. Even worse, in some situations entities can be accessed by people who aren’t even registered users at all.

The solution

The key thing developers should do to prevent unwanted data access is to keep track of all user roles and their access rights. One way of doing so is to perform a manual validation each and every time a user role is added or access rights are changed. This means that a developer has to check and verify every single access setting on, for instance, every single entity manually. The thing is, this is quite a time-consuming job, as neither Mendix nor OutSystems really offers insight into all user roles and access rights in one place.

How Omnext can help

Fortunately, Omnext has developed a feature within the Omnext Fit Test platform called Stay Secure. When this feature is activated, the platform automatically evaluates all implemented user roles and access rights. The result is an aggregated view that shows all user roles and indicates their access rights in a CRUDE format. For instance, it can show that UserRoleA has CRU__ rights on EntityXYZ.

In other words, it provides the insight and details that allow developers to verify the user roles and access rights much faster. It does not indicate whether a setting is right or wrong, though, and this is very important to keep in mind. Only a developer (or architect, security officer etc.) can determine whether or not a user role and a specific access right are correct. If so, the Omnext portal allows a user to set the status to ‘verified’. If the setting changes over time, the status is set to ‘changed’, so users will know that they have to re-verify this specific access right.
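As an added illustration (my own example code, not Omnext’s implementation and not the Mendix or OutSystems configuration format), the following Python builds the aggregated role-by-entity CRUDE view described above over a constructed access-rights configuration, flags entities reachable by an unregistered (anonymous) role, and marks each entry ‘verified’ or ‘changed’ against a previously verified snapshot. The role names, entity names and the extra ‘unverified’ status for entries never reviewed are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Constructed, hypothetical configuration: role -> entity -> set of rights.
# Letters follow the CRUDE notation: Create, Read, Update, Delete, Execute.
ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "Administrator": {"Client": {"C", "R", "U", "D"}, "Order": {"C", "R", "U", "D", "E"}},
    "SalesRep":      {"Client": {"C", "R", "U"},      "Order": {"C", "R", "U"}},
    # An anonymous role with rights on Client is the "front door left open" case.
    "Anonymous":     {"Client": {"R"},                "Order": set()},
}

CRUDE = "CRUDE"
Key = Tuple[str, str]  # (role, entity)


def crude_string(rights: Set[str]) -> str:
    """Render a set of rights in CRUDE notation, e.g. {'C','R','U'} -> 'CRU__'."""
    return "".join(ch if ch in rights else "_" for ch in CRUDE)


def access_matrix(access: Dict[str, Dict[str, Set[str]]]) -> Dict[Key, str]:
    """Aggregate every role/entity pair into one view: (role, entity) -> 'CRU__'."""
    return {(role, entity): crude_string(rights)
            for role, entities in access.items()
            for entity, rights in entities.items()}


def unregistered_access(access: Dict[str, Dict[str, Set[str]]],
                        anonymous_role: str = "Anonymous") -> List[str]:
    """Entities that carry any right for the role used by unregistered users."""
    return sorted(entity for entity, rights in access.get(anonymous_role, {}).items() if rights)


def review_status(matrix: Dict[Key, str], verified: Dict[Key, str]) -> Dict[Key, str]:
    """Compare the current view with the verified snapshot.

    'verified'   - rights identical to what a reviewer signed off on
    'changed'    - rights differ from the snapshot, must be re-verified
    'unverified' - pair never reviewed (assumed status, not on the page)
    """
    status = {}
    for key, rights in matrix.items():
        if key not in verified:
            status[key] = "unverified"
        else:
            status[key] = "verified" if verified[key] == rights else "changed"
    return status


if __name__ == "__main__":
    current = access_matrix(ACCESS)
    for (role, entity), rights in sorted(current.items()):
        print(f"{role:<14} {entity:<8} {rights}")
    print("reachable without login:", unregistered_access(ACCESS))
```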

By having all of this detailed user role and access rights information in one place, managing access becomes a lot easier and less time-consuming.

#low-code #userroles #accessrights #security #codereview #qualityassurance