Best Practices For Anonymous Access

This topic provides the security best practices for anonymous forms and anonymous pages.

Best Practices For Anonymous eForms

This topic provides the security best practices for anonymous forms.

(Example) Use Anonymous Authentication in a Process-Based App
(Example) Use Anonymous Authentication in a Form-Based App
(External) Restricting API Access for Anonymous Forms
Examples - Step-by-step use case examples, information about what types of examples are provided in the AgilePoint NX Product Documentation, and other resources where you can find more examples.

If you have questions about the security impacts or best practices for anonymous forms, contact AgilePoint Professional Services.

An app designer who configures an eForm to use anonymous authentication (used with anonymous forms) must have a role with the Allow Enabling Anonymous Access access right.
The Allow Enabling Anonymous Access access right lets the application designer create an anonymous form in App Builder at design time. It does not control the security for the anonymous form or the anonymous form user at runtime. The user credentials used for the anonymous authentication access token do not require this access right.

To enforce strict security, AgilePoint highly recommends you use anonymous forms for data entry only, and avoid using lookups that connect to your backend systems.
However, the decision whether to use lookups in anonymous forms is based on your business requirements. If your requires you to use a lookup to backend system, make that design choice as necessary.

To make sure only APIs specific to run through the eForm are allowed to avoid security risks, such as code injection attacks, AgilePoint recommends you select Enable API Whitelisting on the Security tab on the Anonymous eForm Access Configuration screen.
For more information, refer to (External) Restricting API Access for Anonymous Forms.

This topic provides the security best practices for anonymous pages.

(Example) Anonymous Page in Page Builder
(External) AgilePoint NX Page Builder Pages Now Available To External Users
Examples - Step-by-step use case examples, information about what types of examples are provided in the AgilePoint NX Product Documentation, and other resources where you can find more examples.

If you have questions about the security impacts or best practices for anonymous pages, contact AgilePoint Professional Services.

A page designer who configures a custom page to use anonymous authentication must have a role with the Allow Enabling Anonymous Access access right.
The Allow Enabling Anonymous Access access right lets the page designer create an anonymous page in Page Builder at design time. It does not control the security for the anonymous page or the anonymous page user at runtime. The user credentials used for the anonymous authentication access token do not require this access right.

At minimum, the user account associated with the Anonymous End User access token must be a member of the Page Viewers permission groups for the custom page.

As a security best practice, in your access token for anonymous pages, AgilePoint recommends user credentials with minimum access rights. This is a user with the Page Viwers permission group with the default access rights.
It is not recommended to use an Administrator, Application Designer, or Developer account of any kind for anonymous access.

To make sure only APIs specific to run through custom pages are allowed to avoid security risks, such as code injection attacks, AgilePoint recommends you add only the required APIs.
To add an API, click Add Whitlisted API on the Anonymous Access Settings tab on the Settings screen.
For more information, refer to (External) AgilePoint NX Page Builder Pages Now Available To External Users.