We just realized that by adding SmartObjects to the SmartObject OData API we'll bypass any category security settings configured in K2 for those SmartObjects; in other words, anyone is able to read any data from the added SmartObjects. In our example, personal documents will be stored there, so this is an absolute no-go.
The current workaround is to create a separate service instance for the same database, but configured in impersonation mode to pass the user credentials through to the backend system, and to configure the permissions there. This might work in a very limited scenario with only a few users and a SQL-based SmartObject, but it will certainly not work in all backend systems, such as SAP, because it's not very common to use Active Directory as the authentication provider for SAP.
The OData API must respect the category security settings; otherwise, in my eyes, the API is not fully implemented and is a major security risk!
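One way to verify the behaviour described in this post on your own environment is to list every entity set the OData endpoint advertises in its `$metadata` document and then try to read one row from each as a low-privilege account that has no category permission on the SmartObject. The script below is an added example and not Nintex/K2 code; the base URL, the basic-auth credentials and the sample `$metadata` document are assumptions constructed for illustration. Any entity set reported as READABLE for a user who is denied in K2 category security is exactly the bypass the post describes.

```python
"""Audit which SmartObject entity sets an OData v4 endpoint exposes and whether
a low-privilege account can read them.  Added example (not K2/Nintex code):
the endpoint path, the credentials and the sample metadata are assumptions."""
import base64
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# OData v4 CSDL namespaces used by a $metadata document.
EDM_NS = "http://docs.oasis-open.org/odata/ns/edm"
EDMX_NS = "http://docs.oasis-open.org/odata/ns/edmx"

# Constructed sample $metadata document (assumption; not captured from a real
# K2 server).  Two entity sets, one of which holds sensitive personal data.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<edmx:Edmx xmlns:edmx="{EDMX_NS}" Version="4.0">
  <edmx:DataServices>
    <Schema xmlns="{EDM_NS}" Namespace="SmartObjects">
      <EntityType Name="Employee"><Key><PropertyRef Name="ID"/></Key>
        <Property Name="ID" Type="Edm.Int32" Nullable="false"/></EntityType>
      <EntityType Name="PersonalDocument"><Key><PropertyRef Name="ID"/></Key>
        <Property Name="ID" Type="Edm.Int32" Nullable="false"/></EntityType>
      <EntityContainer Name="Container">
        <EntitySet Name="Employees" EntityType="SmartObjects.Employee"/>
        <EntitySet Name="PersonalDocuments" EntityType="SmartObjects.PersonalDocument"/>
      </EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>"""


def entity_sets_from_metadata(metadata_xml):
    """Return the names of all EntitySet elements declared in a $metadata document."""
    root = ET.fromstring(metadata_xml)
    return [es.attrib["Name"] for es in root.iter(f"{{{EDM_NS}}}EntitySet")]


def classify(status):
    """Map an HTTP status for a read attempt to an audit verdict.

    200 with a body means the caller could read the entity set; 401/403 means
    the endpoint enforced some authorization; anything else needs a look."""
    if status == 200:
        return "READABLE"
    if status in (401, 403):
        return "denied"
    return f"other({status})"


def probe(base_url, entity_set, username, password, timeout=10):
    """Request one row from an entity set with HTTP basic auth and classify the result."""
    url = f"{base_url.rstrip('/')}/{entity_set}?$top=1"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


def audit(base_url, metadata_xml, username, password, fetch=probe):
    """Probe every entity set found in metadata_xml; returns {entity_set: verdict}.

    `fetch` is injectable so the audit logic can be exercised offline."""
    return {
        name: fetch(base_url, name, username, password)
        for name in entity_sets_from_metadata(metadata_xml)
    }


if __name__ == "__main__":
    # Assumed values: replace with your server and a deliberately low-privilege
    # test account that has NO category permission on the SmartObjects.
    BASE_URL = "https://k2.example.internal/Api/Data/V3"  # assumption
    for name, verdict in audit(BASE_URL, SAMPLE_METADATA, "lowpriv", "secret").items():
        print(f"{name:20s} {verdict}")
```

In a real run you would fetch `$metadata` from the endpoint first (`BASE_URL + "/$metadata"`) instead of using the constructed sample, and run the audit once per service instance. Treat every READABLE entry for the low-privilege account as a finding to raise against the endpoint's authorization, not as something to fix per entity set.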