Integrated Security Level property

Official Content
This documentation is valid for:
Establishes whether the object will have security enforced.

Values

Authorization Security will be enforced. Object security checks will be done automatically at startup (in case of web objects, before the Start Event). Authentication and Authorization will be automatically checked. Permissions will be generated in the GAM Database.
Authentication Security will be enforced. Object security checks will be done automatically at startup, and only Authentication will be checked. In case of web objects, the check is also done in every AJAX call which is executed. This is the default value at Version level.
None Security will not be enforced.

Scope

Platforms: Web(.Net, Java), Smart Devices(Android, IOS)

Description

The default value is "Use Environment property value."

The property at Version level (Default Integrated Security Level Property) allows establishing the default value for all the objects of the KB.

At the object level, the property applies to:

  • Main procedures or non-main procedures with Expose as Web Service property = TRUE (Rest).
  • Data Providers.
  • SD objects.
  • Web objects (Web panels, Web components, Web transactions)

If the property Integrated Security Level is set to "Authentication," the generated code will automatically make the security checks at startup.

If an object is configured with "None," it means that it's a public object of the application. If the property is set to Authentication, it means that only an authenticated user can access it. If the user is not authenticated, a Login Object for Web property or Login Object for SD property will be displayed (depending on the application), in order to allow the user to authenticate and access the application.

Notes
1) In SD applications, take into account that you will generally need to configure the same security level for all objects that are descendants of the entry point of the application which requires Authentication.

Suppose you have an application with two modules; both are items of the main Menu for Smart Devices object (GeneXus 16) of the application, but only one of them is going to be secure (that is to say, only one will need Authentication). In general, you will set the same security level for all WWSD objects which are descendants of this object in the call tree, because it's the only way to force security to the REST Web Services related to these objects. Besides, when a session expires, you will probably need users to be asked to log in again, regardless of the point of the application where they are navigating (if they are inside the module which requires Authentication). As a result, the only way to achieve this is that all descendants of the entry point WWSD of the secure module have the same security level.

For objects which have None, security is not enforced, so REST Web Services will be publicly exposed.

If the property Integrated Security Level is set to "Authorization," users must be logged in, and they need to have rights to access the object they are trying to execute. This security check is automatic.

The application security will be checked automatically by means of GeneXus Access Manager (GAM).

2) In a Menu for Smart Devices object (GeneXus 16) (and SD objects for which there isn't a data provider automatically generated to implement their business logic -because they do not execute anything on the server), permissions are not verified, and that's why the only available values for Integrated Security Level Property are "None," and "Authentication" in this case.

If you configure "Authentication" in this property, the behavior is not the same as the behavior for SD Panels or WWSD panels: when trying to execute the Menu for Smart Devices object (GeneXus 16) for the first time, the Login Object for SD will execute. But in the next executions, session validity is not checked for Menus, so the login object will be displayed again only when the user tries to execute another private object which is called from the Menu.