Apply Roles Dynamically

I have a need to control what is seen and used in the UI but it is not necessarily based on the User but based on some data.

To explain. User A can access the system and do pretty much anything. User A is looking at data for Client Z. Client Z has 2 orders O1 and O2. O1 due to they type of order requires a lot of detail. O2 which is a different type of order needs less data and some of the fields should not be visible at all.

I guess what I’m thinking is Roles for Screens but Dynamically Applying a Role based on data in the screen.

Looking at the Roles in CUBA Administration this would appear to be exactly the kind of features I would like to control. It would be fantastic if I could setup a Hierarchy of Roles to control the UI as I need and then when my User A goes to view O2 I could apply the Role relating to that type of order to User A then User A would not see certain parts of the UI.

I know I could easily code up this example and ignore Roles but in my case the UI control is very complicated and sliced and diced at many levels. Roles seems like a good fit.

If the adding of a Role Dynamically and I guess removing a Role is possible I’m thinking it needs to be applied in a restrictive way as Cuba currently does an OR for permissions though with some structuring I could possibly work around that by using only roles that deny access.

So I’m hoping someone will tell me this is possible.


It looks like the UI Permissions are set in WindowCreationHelper.applyUiPermissions

I’m thinking if I put my own version of WindowCreationHelper in my project then call applyUiPermissions() in the screen’s postInit() this seems to do as it should.

If I load the correct Role and do what is needed to the permissions then I could pass this in to my version of applyUiPermissions()

This might actually get around what is in the User Permissions and what is setup in my Screen Role would be applied as it is applied independently to the User Permissions.

Is this idea a bad one?


as you might have seen: A user <–> role association is a fairly static one. One way to dynamically solve this problem is to use different users for this problem. CUBA has the feature of User substitution. Normally this is used for something like “vacation replacement”.

But what also works is to create multiple user accounts for a given user. Each user account has a specific role associated with it. The dynamism comes in when the user actively switches the user through user substition.

I did not fully match if it would solve your problem. But it is a proper workaround for certain cases. Although it normally needs some kind of development in order to automatically create this user substition-users.

Perhaps you think into this direction as well.


Maybe this relatively new feature can help you: Entity Attribute Access Control

The attribute access control mechanism allows you to create rules of what attributes should be hidden, read-only or required for a particular entity instance, and apply these rules automatically to Generic UI components and REST API.

1 Like


Hi. Thanks for the reply. I hadn’t yet come across that feature yet and it looks like it is exactly what I was looking for.

CUBA has it all covered :slight_smile: