Modeling secure services
To ensure that the service flows that you model are secure, you must add authorization
checks to the service implementation.
About this task
- Use the optional checkAuthorization Boolean flag that some JavaScript APIs provide. If checkAuthorization is set to true, the authorization check is delegated to the JavaScript API, and only information that the current user is authorized to access is returned.

  ```javascript
  instance.retrieveTaskList(properties, maxRows, beginIndex, timezone, true); // authorization is done by JS API
  ```

- Use the getAvailableActions() method on a resource to determine whether the current user is authorized to perform a specific action. Continue only if the specified action is shown in the result.

  ```javascript
  var actions = instance.getAvailableActions();
  if (actions != null) {
    for (var i = 0; i < actions.length; i++) {
      if (actions[i] == "ACTION_VIEW_INSTANCE") {
        // do whatever you want to secure,
        // e.g. retrieve instance-specific information
      }
    }
  }
  ```

- Check the user's group membership to determine the user's authorization.

  ```javascript
  var group = tw.system.org.findParticipantGroupByName(roleName);
  if (tw.system.user.isInParticipantGroup(group)) {
    // do whatever you want to secure,
    // e.g. retrieve team information
  }
  ```
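The getAvailableActions() and group-membership checks above, wrapped as deny-by-default guards so that a missing action list or an unknown group yields no data. This is an added example, not code from the product documentation; `makeStubs`, the group names, and the two `view...` functions are hypothetical, and the stub objects stand in for the runtime-supplied `tw` and `instance` so the block runs under Node.js.

```javascript
// Constructed stand-ins for the runtime objects. Assumption: the group lookup
// returns null for an unknown name; the guards below handle that case.
function makeStubs(userGroups, instanceActions) {
  var tw = { system: {
    org: { findParticipantGroupByName: function (name) {
      return name === "Managers" || name === "Auditors" ? { name: name } : null;
    } },
    user: { isInParticipantGroup: function (group) {
      return userGroups.indexOf(group.name) !== -1;
    } }
  } };
  var instance = { getAvailableActions: function () { return instanceActions; } };
  return { tw: tw, instance: instance };
}

// True only if the resource lists the action for the current user.
// A null or empty result is treated as "not authorized".
function hasAction(resource, action) {
  var actions = resource.getAvailableActions();
  if (actions == null) { return false; }
  for (var i = 0; i < actions.length; i++) {
    if (actions[i] == action) { return true; }
  }
  return false;
}

// True only if the group exists and the current user is a member.
function inGroup(tw, roleName) {
  var group = tw.system.org.findParticipantGroupByName(roleName);
  return group != null && tw.system.user.isInParticipantGroup(group);
}

// Hypothetical service steps: the check runs first, and a denial returns
// null instead of falling through to the data access.
function viewInstanceDetails(instance) {
  if (!hasAction(instance, "ACTION_VIEW_INSTANCE")) { return null; }
  return "instance-specific information";
}

function viewTeamInfo(tw, roleName) {
  if (!inGroup(tw, roleName)) { return null; }
  return "team information";
}
```
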
This topic is shared by BAW, CP4BA, CP4BASaaS. Last updated on 2025-03-13 12:15