The App Maker editor and user apps will be shut down on January 19, 2021. New application creation is disabled. Learn more

Control access to pages

As a part of app security, you can allow only certain users to access specific pages. For example, you can allow only users who are members of a "manager" role to open a page with tools to manage users.

Use page security to restrict the use of pages to only those users who need them, such as a page to manage employee information.

Set access permissions for a page

To set access permissions on a page:

  1. Open App Maker.
  2. In the left sidebar, click the page to set permissions on.
  3. In the Property Editor, click Security.
  4. Click the Who can see this page? dropdown and select the type of access permission for the page. You can set page security to Admins Only, Everyone, Roles, or Script.

  5. If you select Roles or Script, enter additional information:

    • Roles—For each role, click Add Role and select an existing role from the list. To add a role, click Manage Roles.
    • Script—In the script editor, enter or paste the server authorization script.

  6. Click Save.

Page access enforcement

After you set access permissions on a page, App Maker runs the permissions check on the server to determine if a user can access the page.

If a user shouldn't have access to a page:

  • App Maker doesn't retrieve the page from the server. App Maker doesn't acknowledge that the page exists and responds with a Page Not Found error (HTTP 404).
  • App Maker removes references to the page in an app. For example, references in binding expressions (@pages.PageName) and references to the page in scripts (app.pages.PageName).
  • A page that App Maker doesn't retrieve for a user isn't in the DOM and isn't readable.

To show widgets that link to secure pages only to users who have access to those pages, check the users access permissions in the widget's visible property. For example, if only users in the "manager" role should see an Edit button that opens a popup to edit user information, open the binding editor of the button's visible property and add @user.role.manager.

Page security isn't enough to protect data. Because pages and widgets can refer to other pages (for example, using links), a savvy user might be able to find references in the DOM to a page to which the user doesn't have access.

Best practices for page security