Integrated Security Level property

Official Content
This documentation is valid for:
Allows establishing  whether the object will have security enforced.


Authorization Security will be enforced. Objects security checks will be done automatically at startup (in case of web objects, before Start Event). Authentication and Authorization will be automatically checked. Permissions will be generated in the GAM Database.
Authentication Security will be enforced. Objects security checks will be done automatically at startup, and only Authentication will be checked. In case of web objects, the check is also done in every AJAX call which is executed. This is the default value at Version level.
None Security will not be enforced.


The default value is "Use Environment property value".

The property at Version level (Default Integrated Security Level Property) allows establishing the default value for all the objects of the KB.

At object level, the property applies to:

  • Main procedures or non main procedures with Expose as Web Service property = TRUE.
  • Data Providers.
  • SD objects.
  • Web objects (Web panels, Web components, Web transactions)

If the property Integrated Security Level is set to "Authentication" value, the generated code will automatically do the security checks at startup.

If an object is configured with "None", it means that it's a public object of the application. If the property is set to Authentication, it means that only an authenticated user can access it. In case the user is not authenticated, a Login Object for Web property or Login Object for SD property will be desplayed (depending on the application), in order to allow the user to authenticate and access the application.

1) In case of SD applications take into account that in general you will need to configure the same security level for all objects that are descendant from the entry point of the application which requires Authentication.

Suppose you have an application with two modules, both are items of the main Menu for Smart Devices object of the application, but only one of them is going to be secure (that is to say only one will need Authentication). In general, you will set the same security level for all WWSD objects which are descendant of this object in the call tree, because it's the only way to force security to the REST Web Services related to this objects. Besides, when session expires, you will probably need the user to be asked to login again, regardless the point of the application where he is navigating (if he is inside the module which requires Authentication), so the only way to achieve this is that all descendants of the entry point WWSD of the secure module, have the same security level.

For objects which have None, security is not enforced, so REST Web Services will be publicly exposed.

If the property Integrated Security Level is set to "Authorization" value, the user must be logged in, and he needs to have rights to access the object he is trying to execute. This security check is automatic.

The security of the application will be checked automatically by means of GeneXus Access Manager (GAM).

2) In case of Menu for Smart Devices object (and SD objects for which there is not a dataprovider generated automatically to implement the business logic of them - because they do not execute anything on the server), the permissions are not verified, that's why the only available values for Integrated Security Level Property are "None", and "Authentication" in this case.

If you configure "Authentication" value in this property, the behavior is not the same as the behavior for SD Panels or WWSD panels: when trying to execute the Menu for Smart Devices object for the first time, the Login Object for SD will execute. But in the next executions, the validity of session is not checked for Menus, so the login object will be displayed again only when the user tries to execute another private object which is called from the Menu.


Platforms: Web(.Net, Java), Smart Devices(Android, IOS)