Establishes whether the object(s) will have security enforced.
|Authorization ||Security will be enforced. Object security checks will be done automatically at startup (in the case of web objects, before the Start Event). Authentication and Authorization will be automatically checked. Permissions will be generated in the GAM Database.|
|Authentication ||Security will be enforced. Object security checks will be done automatically at startup, and only Authentication will be checked. In the case of web objects, the check is also done in every AJAX call which is executed. This is the default value at Version level.|
|None ||Security will not be enforced.|
Objects: Procedure, Data Provider, Panel, Work With, Menu, Web Panel, Transaction, Web Component, Query, Dashboard
Generators: .NET, .NET Framework, Android, Apple, Java
At Version level, the property allows establishing the default value for all the objects of the Knowledge Base.
At object level, the property applies to:
If the Integrated Security Level property is set to "Authentication", the generated code will automatically make the security checks at startup.
If an object is set to "None", it means that it's a public object of the application.
If the property is set to Authentication, it means that only an authenticated user can access it. If the user is not authenticated, a Login Object for Web property or Login Object for SD property will be displayed (depending on the application) in order to allow the user to authenticate and access the application.
1) In objects for Native Mobile applications, take into account that you will generally need to configure the same security level for all objects that are descendants of the entry point of the application, which requires Authentication.
Suppose you have an application with two modules; both are items of the application's main Menu object but only one of them is going to be secure (that is to say, only one will need Authentication).
In general, you will set the same security level for all WW objects which are descendants of this object in the call tree because it's the only way to force security to the REST Web Services related to these objects. In addition, when a session expires, you will probably need users to be asked to log in again regardless of the point of the application where they are navigating (if they are inside the module which requires Authentication). As a result, the only way to achieve this is that all descendants of the entry point WW of the secure module have the same security level.
For objects configured with "None", security is not enforced so REST Web Services will be publicly exposed.
If the Integrated Security Level property is set to "Authorization", users must be logged in and have rights to access the object they are trying to execute. This security check is automatic.
Application security will be checked automatically by means of the GeneXus Access Manager (GAM).
2) In a Menu object (and Objects for Native Mobile applications for which there isn't a Data Provider automatically generated to implement their business logic because they do not execute anything on the server), permissions are not verified. That's why the only available values for Integrated Security Level Property are "None" and "Authentication" in this case.
If you configure "Authentication" in this property, the behavior is not the same as the behavior for Panels or WW Panels: when trying to execute the Menu object for the first time, the Login Object for SD will execute. However, in the following executions session validity is not checked for Menus; therefore, the login object will be displayed again only when the user tries to execute another private object that is called from the Menu.
3) Objects called by the API object do not check security because the calls to those objects are internal.
4) In Queries and Dashboards, security checks are performed in every service call (i.e. when retrieving data or metadata from the server).
5)In the Data Provider object, the permissions generated when the Integrated Security Level property is set to Authorization are only checked when this Data Provider is invoked from a Query Viewer or when it is exposed as a Web Service.
This property applies only at design time.
To apply the corresponding changes when the property value is configured, execute a Rebuild All.