App Security

Last modified: September 19, 2024

Introduction

In App Security, you switch security on or off for the whole app and configure the app-wide security settings: user roles, administrator credentials, demo users, anonymous users, and the password policy. Before you can configure security per module, such as access rules for entities, you need to switch app security on.

To configure app security, open App Explorer > App > Security; the App Security dialog box opens:

Security Level

The security level defines if security is switched off or on for the app and which security settings need to be configured.

| Security level | How security is applied | Security settings to be configured |
|---|---|---|
| Off | No security is applied. Users do not have to sign in and can access everything. | None |
| Prototype/demo | Security is applied to signing in, forms, and microflows. Users can access all data. | Administrator and anonymous access, user roles, security for forms and microflows. |
| Production | Full security is applied. | Administrator and anonymous access, user roles, security for forms, microflows, entities, and reports. |

Settings Availability for Different Security Levels

Different settings are available at different security levels. The table below lists all security settings and their availability per security level:

| Setting name | Security off | Prototype/demo security | Production security |
|---|---|---|---|
| Check security | N/A | N/A | Available, see the Check Security section. |
| Strict page URL checking | N/A | N/A | Available, see the Strict Page URL Checking section. |
| Strict mode | N/A | N/A | Available for the React client, see the Strict Mode section. |
| App status | N/A | Available, see the App Status section. | Available, see the App Status section. |
| Module status | N/A | Available, see the Module Status section. | Available, see the Module Status section. |
| User roles | N/A | Available, see the User Roles section. | Available, see the User Roles section. |
| Administrator | N/A | Available, see the Administrator section. | Available, see the Administrator section. |
| Demo users | N/A | Available, see the Demo Users section. | Available, see the Demo Users section. |
| Anonymous users | N/A | Available, see the Anonymous Users section. | Available, see the Anonymous Users section. |
| Password policy | N/A | Available, see the Password Policy section. | Available, see the Password Policy section. |

Check Security

If the security level is set to Production, you can specify whether the consistency of security settings should be checked.

When Check Security is enabled, Studio Pro determines for each user role which forms that role can reach, either directly from the menu bar or indirectly by following forms and microflows. For each of those forms, it checks whether the attributes and associations the form refers to are accessible to that user role. If they are not, an error is added to the error list. These errors are only shown once there are no other consistency errors.

Strict Page URL Checking

When Strict page URL checking is disabled, a page's security is only checked when the page is reachable through navigation, other pages, or microflows. The page security (such as entity access) is not checked for a page that is only reachable via its URL.

When Strict page URL checking is enabled, pages that are only reachable through a page URL are checked in the same way as pages reachable via navigation, so security problems on them also produce consistency errors. This setting is enabled by default in new apps to increase security.

Strict page URL checking covers pages with custom URLs, but it cannot be applied to deep links: Studio Pro cannot determine which pages a deep link opens, as deep links are configured in the Mendix Runtime.
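To make the Check Security and Strict page URL checking behaviour concrete, the following is an added example that models the check in Python. It is not Mendix's implementation and does not read an actual Mendix app; the `App`, `Page` and `Microflow` classes, the role and page names, and the "Entity/Member" strings for attributes and associations are invented for the illustration. For each user role it computes the reachable pages (from the role's navigation, transitively through pages and microflows the role may access, and, when strict URL checking is on, through pages with a custom URL) and reports every member a reachable page shows that the role has no read access to. In the constructed sample app, the page `Invoices` is reachable only through its custom URL, so its error appears only with strict URL checking enabled.

```python
"""Added illustration (not Mendix code) of the consistency check described under
Check Security and Strict Page URL Checking. The app model, role and page names
and the "Entity/Member" strings below are invented for the example (Python 3.9+).
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Page:
    name: str
    allowed_roles: set[str]                        # page access per user role
    members: set[str] = field(default_factory=set)  # attributes/associations shown, as "Entity/Member"
    opens: set[str] = field(default_factory=set)    # pages or microflows reachable from this page
    url: Optional[str] = None                       # custom page URL, if the page has one


@dataclass
class Microflow:
    name: str
    allowed_roles: set[str]                        # microflow access per user role
    opens: set[str] = field(default_factory=set)    # pages or microflows it opens or calls


@dataclass
class App:
    roles: list[str]
    pages: dict[str, Page]
    microflows: dict[str, Microflow]
    menu: dict[str, set[str]]       # role -> page/microflow names in that role's navigation
    readable: dict[str, set[str]]   # role -> members readable under its entity access rules


def reachable_pages(app: App, role: str, strict_url_checking: bool) -> set[str]:
    """Pages the role can open: from its navigation, transitively via pages and
    microflows it has access to, and (with strict URL checking) via custom URLs.
    Deep links are not modelled: as on the page, they are unknown at design time."""
    queue = deque(app.menu.get(role, ()))
    if strict_url_checking:
        queue.extend(p.name for p in app.pages.values() if p.url is not None)
    pages, flows = set(), set()
    while queue:
        name = queue.popleft()
        if name in app.pages:
            page = app.pages[name]
            if name in pages or role not in page.allowed_roles:
                continue  # already visited, or the role has no page access
            pages.add(name)
            queue.extend(page.opens)
        elif name in app.microflows:
            flow = app.microflows[name]
            if name in flows or role not in flow.allowed_roles:
                continue  # already visited, or the role has no microflow access
            flows.add(name)
            queue.extend(flow.opens)
        else:
            raise KeyError(f"unknown navigation target {name!r}")
    return pages


def check_security(app: App, strict_url_checking: bool = True) -> list[str]:
    """One error per (role, page, member) where a reachable page shows a member
    the role cannot read; mirrors the errors Check Security adds to the error list."""
    errors = []
    for role in app.roles:
        readable = app.readable.get(role, set())
        for page_name in sorted(reachable_pages(app, role, strict_url_checking)):
            for member in sorted(app.pages[page_name].members - readable):
                errors.append(f"{role}: page {page_name} shows {member} without read access")
    return errors


# Constructed sample app. 'Invoices' is reachable only through its custom URL, and
# 'Guest' can open CustomerDetail but has no read access to Customer/CreditLimit.
SAMPLE_APP = App(
    roles=["User", "Guest"],
    pages={
        "Home": Page("Home", {"User", "Guest"}, {"Customer/Name"}, {"CustomerDetail", "ShowReport"}),
        "CustomerDetail": Page("CustomerDetail", {"User", "Guest"}, {"Customer/Name", "Customer/CreditLimit"}),
        "Report": Page("Report", {"User"}, {"Report/Summary"}),
        "Invoices": Page("Invoices", {"User"}, {"Invoice/Total"}, url="/invoices"),
    },
    microflows={"ShowReport": Microflow("ShowReport", {"User"}, {"Report"})},
    menu={"User": {"Home"}, "Guest": {"Home"}},
    readable={
        "User": {"Customer/Name", "Customer/CreditLimit", "Report/Summary"},
        "Guest": {"Customer/Name"},
    },
)

if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict URL checking = {strict}:")
        for err in check_security(SAMPLE_APP, strict) or ["no errors"]:
            print("  " + err)
```

With strict URL checking off, only the `Guest` error on `CustomerDetail` is reported; switching it on adds the `User` error on `Invoices`, the page that is reachable only by URL. Note that the traversal only follows pages and microflows the role has access to, which is why `Guest` never reaches `Report` through the `ShowReport` microflow.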

Strict Mode

In the React client, strict mode will make your app more secure when the access rules are not set up correctly. For more information, see Strict Mode.

App Status

The app status indicates the security status for the current app security level.

| App status | Description |
|---|---|
| Complete | All security settings for the current security level have been configured. |
| Incomplete | Some security settings for the current security level still need to be configured. For more information, see the Module Status section. |

Module Status

The Module Status tab shows the security status for each module. It shows the total number of items for which security needs to be configured, as well as the number of items for which security has been configured already.

At the Prototype/demo security level, the status of page access and microflow access is shown.

Additionally, at the Production security level, the status of entity access and dataset access (if applicable) is shown.

User Roles

A user role aggregates a number of access rights on data, pages, and microflows. An end-user of the application is assigned one or more user roles by an administrator, and gets all access rights that these user roles represent. For more information, see User Roles.

Administrator

In the Administrator tab of App Security, you can change the default credentials and the user role of the Administrator user. For more information, see Administrator.

Demo Users

Demo users are sample end-user accounts, one for each user role in your app. You can use them to test what your app looks like for each user role or to demonstrate your app to other people. For more information, see Demo Users.

Anonymous Users

Anonymous users allow end-users to access your application without signing in. You can restrict the data that anonymous users can access by assigning a specific user role to them. For more information, see Anonymous Users.

Password Policy

Specify the requirements that passwords must meet when users create their accounts or set passwords. For example, you can set the minimum length of a password and whether it must contain digits or upper-case characters. For more information, see Password Policy.

Read More