Manage User Roles and Access

You can create, edit, and remove user roles to secure access to your application's business objects.

In addition to the Authenticated User role granted to users who sign in to your application, users can be assigned a user role based on their credentials and the groups they've been assigned to in Oracle Identity Cloud Service (IDCS). When a user tries to access data in a business object secured by this user role, the roles assigned to the user are authenticated in IDCS. Access is granted if one of the user roles securing the business object is mapped to one of the groups the user has been assigned to in IDCS or if the user was mapped to that user role directly.

Use the User Roles tab in a visual application’s Settings editor to create a user role and assign users and groups in your IDCS account to the user role. Assigning groups to your user role maps the role to IDCS groups and is known as "role mapping". Once you create a user role, the role and any users or groups assigned to it are automatically added to the client application in IDCS, which is created when you first share or deploy your application. Until then, any roles you define are stored in the user-roles.json source file under the visual application's settings folder.

It's important to remember that role mappings are defined in different scopes for the stages that your application goes through: when it is shared from your workspace, when it is deployed during development with a version in its URL, and when it is deployed live to production. These role mappings are defined separately for each scope and stored as the initial defaultMapping in user-roles.json. So essentially, you can assign different IDCS users or groups to the user role in different scopes. For example, you can assign different IDCS groups when your application is being tested, but use entirely different groups when you are ready to deploy the live version of your application. This way, you can make the data in your application in each scope available only to those with certain roles.
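
The access rule and the per-scope role mappings described above can be modelled as follows. This is an added example, not Oracle's code: the data layout, the scope keys, and the role, group and user names are constructed for illustration and do not reflect the actual user-roles.json schema.

```javascript
// Added illustration: a model of the access rule described on this page.
// The data layout is constructed for the example; it is NOT the actual
// schema of user-roles.json. Scope keys are this example's own names.
const SCOPES = ["workspace", "deployedWithVersion", "deployed"];

// Constructed sample: per-role, per-scope assignments of IDCS groups and users.
const roleMappings = {
  Manager: {
    workspace:           { groups: ["QA-Testers"], users: ["alice"] },
    deployedWithVersion: { groups: ["QA-Testers"], users: [] },
    deployed:            { groups: ["Sales-Managers"], users: [] },
  },
  Auditor: {
    workspace:           { groups: [], users: ["bob"] },
    deployedWithVersion: { groups: [], users: [] },
    deployed:            { groups: ["Finance-Audit"], users: [] },
  },
};

// True if the user holds `role` in `scope`, via a group or a direct assignment.
function hasRole(user, role, scope, mappings = roleMappings) {
  if (!SCOPES.includes(scope)) throw new Error(`unknown scope: ${scope}`);
  const m = mappings[role] && mappings[role][scope];
  if (!m) return false; // an unmapped role grants nothing (deny by default)
  return m.users.includes(user.name) ||
         user.groups.some((g) => m.groups.includes(g));
}

// Access is granted if ANY role securing the business object matches.
function canAccess(user, securingRoles, scope, mappings = roleMappings) {
  return securingRoles.some((r) => hasRole(user, r, scope, mappings));
}

// Review helper: principals that hold a role before go-live but not in "deployed".
function preProductionOnly(role, mappings = roleMappings) {
  const all = (s) => [...mappings[role][s].groups, ...mappings[role][s].users];
  const live = new Set(all("deployed"));
  const pre = new Set([...all("workspace"), ...all("deployedWithVersion")]);
  return [...pre].filter((p) => !live.has(p)).sort();
}
```

Running `preProductionOnly` for each role before going live gives a quick list of test-only assignments to confirm are intentionally absent from the live scope.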

To create a user role in your visual application:

  1. In the visual application's header, click the Menu option in the upper right corner.
  2. Click Settings.
  3. Open the User Roles tab in the Settings editor.

    If user roles have been defined, you'll see a tile for each user role in your application (along with the groups and users assigned to it).


  4. Click Create Role.
  5. Enter a name for the role in the Create Role dialog box. Click Create.

    This role name is displayed when designing your application, but is not exposed to users.

  6. Before you proceed to assign groups or users in IDCS to map to your user role, review the value in the Mapping drop-down list to determine the scope where your role mapping will take effect for your application:
    • Workspace: Users or groups assigned to a user role with this mapping can access the application's resources once you share it from your workspace.

    • Deployed with version in URL: Users or groups assigned to a user role with this mapping can access the application's resources once the application is deployed with a version in the URL.

    • Deployed: Users or groups assigned to a user role with this mapping can access the application's resources once the live version of the application is deployed. That is, when the application is deployed without a version in the URL.

    If, for example, you add a user to a user role with Workspace as the value in the Mapping drop-down list, the user will be able to access the application's resources when you share the app from your workspace, but not when it is deployed.

  7. Click Assign groups or users in the tile if no users or groups have been assigned. If you want to edit a user role and some groups or users have already been assigned to it, click the Edit icon that appears when you hover your cursor over the tile.
  8. In the Change Assignment... dialog box, click the Add icon for each group that you want to assign to the role. In the Users field, enter the name of the user that you want to add, or enter a character to retrieve a list of users. For example, enter "a" to retrieve all user names that include the character "a". Click the Add icon to add the user to the role.


    You can assign multiple groups and users to your user role. Keep in mind that the list of groups and users is defined in the identity provider and managed by the identity domain administrator. Click Save Changes when you are done. Saving your changes automatically updates the user roles for your application in IDCS.

  9. Repeat steps 6, 7, and 8 to select a different scope and assign users and groups to that scope.

After you create a role, you'll need to enable role-based security for the application's business objects by specifying the user roles that can access the object and setting access privileges for the role in the business object’s Security tab.

Besides securing access to the data in your business objects, user roles can help control what a user sees in your application. For example, you can use role-based permissions to limit access to the app or to entire pages or flows, and even set restrictions on certain components in a page, so only users with certain roles can view that information.