The Progress Application Server and classic AppServer both have support for user roles, where a role controls the amount of access a given group of users has. All authorizations in an Application Server are role-based; access privileges cannot be granted on a user-by-user basis. Therefore, user accounts are granted permissions according to their assigned roles.

The Kendo UI Builder tool, starting in version 2.1, provides support for user roles. To take advantage of this new functionality, the web application developer must obtain the user role information for the logged-in user from the server, and then set the allowed user roles in the KUIB app for the user.

Use the approach in this article to add user role support to your web application.

Developing your web application

When developing a web app, a set of client user roles can be defined on the application. The intent is that at run time, only users assigned to one of these user roles will be allowed to access the application. User access can be further refined by specifying user roles for the modules within the application. The user roles for the individual modules are selected from the set of user roles specified for the application. A further refinement for individual views can be specified. When a new view is added to the module, its user roles can be specified from its parent module's user roles.

Example user roles for application:

  • ManagerRole
  • UserRole
  • AdminRole
  • AccountingRole

Example user roles for modules in application:

  • Accounting Module allows user roles: AccountingRole
  • General Module allows user roles: ManagerRole, UserRole, AdminRole, AccountingRole
  • Admin Module: allows user roles: ManagerRole, AdminRole

Example user roles for views in modules in General Module:

  • Public View allows user roles: ManagerRole, UserRole, AdminRole, AccountingRole
  • Semi Private View allows user roles: ManagerRole, AdminRole
  • Private View: allows user roles: ManagerRole

Running your web application

When a user successfully logs into a web application, they will only be shown modules if the user account is assigned to at least one of the user roles defined for that module. For those accessible modules, the user will be allowed to display views if the user account is assigned to one or more of the user roles defined for that view.
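As an added example (not part of the original article or of Kendo UI Builder itself), the following JavaScript models the role hierarchy described above: the hypothetical appConfig mirrors the example application, module and view roles, validateConfig() checks that module roles come from the app roles and view roles from the parent module's roles, and resolveAccess() computes which modules and views a logged-in user is shown, ignoring any role name the app never declared.

```javascript
// Constructed configuration mirroring the example app, module and view roles above.
const appConfig = {
    roles: ['ManagerRole', 'UserRole', 'AdminRole', 'AccountingRole'],
    modules: {
        Accounting: { roles: ['AccountingRole'], views: {} },
        General: {
            roles: ['ManagerRole', 'UserRole', 'AdminRole', 'AccountingRole'],
            views: {
                'Public View': ['ManagerRole', 'UserRole', 'AdminRole', 'AccountingRole'],
                'Semi Private View': ['ManagerRole', 'AdminRole'],
                'Private View': ['ManagerRole']
            }
        },
        Admin: { roles: ['ManagerRole', 'AdminRole'], views: {} }
    }
};

// Module roles must be selected from the app roles, view roles from the parent module's roles.
function validateConfig(config) {
    const errors = [];
    for (const [name, mod] of Object.entries(config.modules)) {
        for (const r of mod.roles) {
            if (!config.roles.includes(r)) errors.push(`module ${name}: role ${r} not declared on app`);
        }
        for (const [view, viewRoles] of Object.entries(mod.views)) {
            for (const r of viewRoles) {
                if (!mod.roles.includes(r)) errors.push(`view ${view}: role ${r} not declared on module ${name}`);
            }
        }
    }
    return errors;
}

// Given the client roles returned by the server, return { module: [visible views] }.
// Roles the app never declared (for example a leaked server role name) grant nothing.
function resolveAccess(config, allowedRoles) {
    const roles = allowedRoles.filter((r) => config.roles.includes(r));
    const hasAny = (required) => required.some((r) => roles.includes(r));
    const access = {};
    for (const [name, mod] of Object.entries(config.modules)) {
        if (!hasAny(mod.roles)) continue;          // module hidden entirely
        access[name] = Object.entries(mod.views)
            .filter(([, viewRoles]) => hasAny(viewRoles))
            .map(([view]) => view);
    }
    return access;
}
```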

Suggested Approach

The web app must perform the following actions to work with user roles:

  • Get the allowed user roles for the logged-in user from the server.
  • Set those roles in the app.

The API getUserRolesFromServer() in Kendo UI Builder can be used to perform these two actions with a single call. Internally, this API calls a custom invoke operation set up by the developer.

Example:

return this.progressDataService.getUserRolesFromServer({
    resource: 'UserContext',
    method: 'GetRoles',
    inParam: { clientID: 'MyApp' },
    outParam: 'allowedRoles'
});

In this example, the UserContext resource corresponds to a Business Entity UserContext.cls with a method called GetRoles(). The inParam property specifies the values of the parameters passed to the method as an invoke operation. The outParam property gives the name of the property in the response that contains the user roles.

The invoke operation should return a list of the allowed client user roles for the current user.

NOTE: For security purposes, it is highly recommended that the server code never return the server user role names, but instead return the corresponding client user role names.

How to Configure the OpenEdge Service

Create a Business Entity that will be used to provide the invoke operation.

The invoke method will be used to return the user role information. It obtains that information by querying the roles attribute of the Client-Principal.

In order to obtain role information from the Client-Principal, the service should be configured to use authentication.

How to Configure Service to use authentication

To enable FORM-based authentication in PASOE, edit the oeablSecurity.properties file and set the client.login.model property to "form".

#client.login.model=anonymous

client.login.model=form

The users setup and their roles can be found in the users.properties file.

The users.properties that ships with PASOE includes the following users and roles among others:

User       Roles
restuser   ROLE_PSCUser
restadmin  ROLE_PSCUser,ROLE_PSCAdmin

Note: The example invoke method below uses these server roles when mapping them to the client user role names expected by the KUIB app.

Example Invoke Method: GetRoles()

The GetRoles() method accepts a string with an ID to identify the client app. It returns an array of strings representing the list of roles available for the current user.

It assumes the backend user role setup specified in the above chart. This method is an example, and needs to be updated to include the supported user roles provided in the service it is supporting, as well as the expected user role names used in the client app.

    @openapi.openedge.export(type="REST", useReturnValue="false", writeDataSetBeforeImage="false").
    @progress.service.resourceMapping(type="REST", operation="invoke", URI="/GetRoles", alias="", mediaType="application/json").
    method public void GetRoles(input clientID as character, output allowedRoles as character extent):
        define variable i       as integer   no-undo.
        define variable role    as character no-undo.
        define variable hCP     as handle    no-undo.
        define variable cMapped as character no-undo.

        /* Reject requests from an unexpected client app before looking at the Client-Principal. */
        if clientID <> "MyApp" then
            return error "Unexpected clientID".

        /* The Client-Principal is only available when the service is configured for authentication. */
        hCP = session:current-request-info:GetClientPrincipal() no-error.

        if valid-handle(hCP) then do:
            /* Map each server role to the client role name the KUIB app expects.
               Server role names themselves are never returned; unmapped roles are dropped. */
            do i = 1 to num-entries(hCP:roles):
                case entry(i, hCP:roles):
                    when "ROLE_PSCAdmin" then role = "AdminRole".
                    when "ROLE_PSCUser"  then role = "UserRole".
                    otherwise role = "".
                end case.
                if role <> "" then
                    cMapped = cMapped + (if cMapped = "" then "" else ",") + role.
            end.
        end.

        if cMapped <> "" then do:
            extent(allowedRoles) = num-entries(cMapped).
            do i = 1 to num-entries(cMapped):
                allowedRoles[i] = entry(i, cMapped).
            end.
        end.
        else do:
            /* No mappable roles: return a single unknown entry rather than an unsized array. */
            extent(allowedRoles) = 1.
        end.
    end.

How to Configure the KUIB App

The user roles need to be added to the web app at the app level and, if appropriate, at the module and view levels.

In the application module's login view, the controller.public.js file contains a default onLogin() method. This method is called after the user has logged into the application. It needs to be updated to set the user roles for the current user.

Changes to: application\login\controller.public.js

// Called after a successful login: fetch the client roles for this user via the
// custom invoke operation and set them on the app in one call.
onLogin() {
    return this.progressDataService.getUserRolesFromServer({
        resource: 'UserContext',
        method: 'GetRoles',
        inParam: { clientID: 'MyApp' },
        outParam: 'allowedRoles'
    });
}
