VBCS - access and secure business objects

1. Role based security control:

• By default, the business objects in your application are accessible to all users that can access the application. 
• To secure the data stored in objects, you can use user roles to restrict a user’s access to view, create, update, and delete operations by configuring role-based access for each operation. Users can only perform the operations and interact with the business objects associated with the role that the user has been assigned.
• To allow anonymous access to the data in a business object, for each operation you must explicitly set the permissions granted to the Anonymous User authentication role.

To enable role-based security for a business object:

Select the business object you want to secure >> Open the Security tab of the business object.

1. Click the Role-based security icon to enable security for the object.
   When you enable role-based security for a business object, you see a matrix of the existing user roles and the business operations that can be performed. 
2. By default, when you enable security, all existing user roles are permitted to perform all operations. If you create a new user role, permissions to perform operations are disabled for the new role and must be enabled manually.
3. Select the operations that can be performed by each authentication and user role. You can enable or disable permission for each operation.

You can further define security at the row level for View, Update, and Delete operations by using a query builder to define conditions. To specify which users the conditions apply to, select the user role in the table. You can select Allow if user created the row from the action menu to limit an operation to the user who created the row. The menu also has Cut and Copy options for you to move conditions from one role or operation to another.

2. Allow external access to your business objects:

When configuring security, you can allow external clients to access the business objects in your application through their REST endpoints. For example, you might want an external service like Process Automation to update a business object after a process is complete, say change a status field from "requested" to "approved".

To do this, you need to retrieve the API for the catalog of endpoints exposed by your application's business objects, found in the Catalog API panel in the Business Objects tab of your application's Settings editor:

Accessing the catalog APIs requires authentication. To set up security options for allowing access to the business object APIs:

1. Open the Business Objects tab in the visual application’s Settings editor.
2. Under Security, select an authentication option:
   • Allow anonymous access to business objects describe end point
   • Enable basic authentication for business object REST APIs

If you choose to allow anonymous access to the Describe endpoint, external clients accessing the endpoint will still need to add the header "Authorization: Public" to the request. The header is injected automatically for requests sent from your visual applications.