Models Security

All model bindings and rules are processed with model owner's permissions. It effectively means that:

Binding expressions are calculated with the model owner's permissions
The binding target is also written with the model owner's permissions
Rule expressions are also evaluated with the model owner's permissions

Thus, the model may access only data that is accessible by its owner.

If you create a copy of a certain model under another user account, the copy may not function properly if new model's owner has no permissions to access data referred by the bindings of the cloned model.

Model Modification

Only users that have Administrator effective permission level in the model context may modify model configuration. This ensures maximum security for the potentially dangerous model operations.

Custom Model Functions Security

Model functions that have custom implementations can potentially access any server data. Thus, system administrators developing function implementation code should always respect security model and use only the instance of CallerController object that has been passed to the FunctionImplementation.execute().

Instantiable Model Instances Security

If containers of an instantiable model were attached to user contexts (see Using Instantiable Models), it may seem that each instance will inherit permissions of a user to those context a container is attached. However, it's not the case! Each instance will inherit permissions of the model owner.

DPF_EXPORT_V5.8.8 / TIME_1743710533 / 2025-04-03 20:02:13 / STRLEN_2553 / STRLEN_HTML_3470

{VERSION}

Was this page helpful?