We have a developer tenancy with multiple custom applications installed.
When I log into the tenancy with a user account that only has permissions for one application, only that application is visible on the dashboard.
However, if I type the application's HTTPS endpoint into the URL bar, I can still get to that application, even though I don't have permission to access that endpoint.
Can you confirm this is the expected behavior?
Solution
Yes, this is expected behavior in Insights Hub.
You as a developer must take care that no untrusted or unauthorized user can access your application.
Because you already have access to the tenant, you can still reach the application by entering its URL into the URL bar, even without permission for that application. The application simply will not be shown on the dashboard/launchpad.
Application endpoints can be secured by defining the required roles and scopes for the application and checking them whenever the application is accessed.
The documentation below explains how you can secure your application:
https://developer.mindsphere.io/concepts/concept-roles-scopes.html
Insights Hub authentication documentation:
https://developer.mindsphere.io/concepts/concept-authentication.html
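One way an application can enforce this on its own endpoints, shown as an added example (not Insights Hub code and not from the original article): every request is checked against a per-route scope table and denied by default. The routes, the scope names and the `verify_token` callable are assumptions; `verify_token` is assumed to validate the token's signature, expiry and issuer and to return its claims with `scope` as a list of strings.

```python
"""Added example: deny-by-default scope check on every request."""
# Hypothetical routes and scope names; replace with the application's own.
REQUIRED_SCOPE = {
    ("GET", "/api/assets"): "myapp.read",
    ("POST", "/api/assets"): "myapp.write",
}

class InvalidToken(Exception):
    """Raised by verify_token when signature, expiry or issuer checks fail."""

def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def authorize(method, path, headers, verify_token):
    """Return the HTTP status the application should answer with."""
    token = bearer_token(headers)
    if token is None:
        return 401                      # no credentials presented
    try:
        claims = verify_token(token)    # assumed: full JWT validation
    except InvalidToken:
        return 401
    needed = REQUIRED_SCOPE.get((method.upper(), path))
    if needed is None:
        return 403                      # route with no declared scope: deny
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):         # tolerate space-separated scope strings
        scopes = scopes.split()
    return 200 if needed in scopes else 403

# Constructed stand-in for real token validation, used only for this demo.
_DEMO_CLAIMS = {
    "tok-reader": {"scope": ["myapp.read"]},
    "tok-other-app": {"scope": ["otherapp.read"]},  # tenant user, other app only
}

def demo_verify(token):
    if token not in _DEMO_CLAIMS:
        raise InvalidToken(token)
    return _DEMO_CLAIMS[token]

if __name__ == "__main__":
    for tok in ("tok-reader", "tok-other-app", "forged"):
        hdr = {"Authorization": "Bearer " + tok}
        print(tok, authorize("GET", "/api/assets", hdr, demo_verify))
```

The `tok-other-app` case is the situation from the question: a valid tenant user who reaches the URL directly is answered with 403 because the token lacks this application's scope.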
Notes
For any questions or support in this matter, contact us through the support center.