It would be really great to have Service Instance Security. Currently all users will have access to all Service Instances, and if they have access to create/publish SmartObjects, that means they will also be able to use any and all Service Instances available.

it would be great if the following security could be associated to Service Instances:

• View: Enables you to see the Service Instance in the Design canvas
• Create: Create a new service instance
• Modify: where you can modify/refresh a specific service instance
• Delete: Delete an existing service instance
• Execute: The ability to run that service instance (which adds an additional layer of security on top of the Account Authorization used on the Service Instace itself.

Our organization will easily have hundreds of K2 Categories due to the level of integration with SharePoint. That said each of these K2 Categories will have unique permissions. As of K2 5.2 the setting of these K2 Category permissions is a manual task. Example - the K2 Security Admin would have to browse to the specific K2 Category, break inheritance, remove the Everyone Role and add the necessary SharePoint Security Groups. We have worked with K2 and they have developed for us a console application to address this scenario. While this console application is meeting our requirements the goal would be to have this functionality be part of the base K2 product.

Currently the SmartForms content control can embed content from any domain/site instead of allowing an administrator to restrict it to certain sites/domain that are known to be safe.

The idea is to allow an environment administrator to add restrictions for the content control similar to what SharePoint does:
https://support.office.com/en-ie/article/allow-or-restrict-the-ability-to-embed-content-on-sharepoint-pages-e7baf83f-09d0-4bd1-9058-4aa483ee137b

Options that should be available:
Allow Any Domain
Restrict to whitelist of domains
explicit: help.denallix.com
wildcard: *.denallix.com
Automatically includes all domains associated with smartForms
Do not allow content injection (Not essential)
Prevents the control from being used on new forms/views

Configuration must be available through management site so that platform admins can control these restrictions, and the settings.

At runtime, when a content control tries to load content from a site, it first checks if it adheres to the restrictions applied and throws an appropriate error if it does not.

When exposing anonymous SmartForms to the internet or on a corporate website, there is currently no built-in way to prevent malicious bots from submitting the form and potentially creating millions of illegitimate entries.

Adding a custom CAPTCHA type implementation before the form loads is not sufficiently effective seeing that once a malicious user gets passed the CAPTCHA prompt it would allow them to see all the SmartForm requests that can be used by a bot to submit the form automatically.

A built in CAPTCHA type control and integration would be best - The idea is that it would allow a solution designer to select their preferred CAPTCHA provider (google reCAPTCHA etc) and then group rules/actions that requires a successful CAPTCHA challenge which is also validated server side when server side executions like SmartObjects and Process Start actions occur.

Currently all validation rules that are built in SmartForms are executed client side which is not great for data integrity.

Seeing that SmartObjects are seen as the data layer, it would be great to be able to configure validation rules on input properties as part of the SmartObject's design.

Examples of Validation types that should be available:
Regular expressions (ex email address, social security number, etc)
Value comparisons - Ex Value < 100
Property comparisons - Property1 >= Property2

Once a SmartObject is designed with these validation rules, the validation should be executed server side whenever the SmartObject is executed at runtime and validate the input value.

This would improve data integrity substantially as the validation would take effect through SmartForms, workflows, OData API and custom c# applications making use of the SmartObject client API and would ensure that business data is always in the expected format/range and that there is no way to bypass validation client side.

To further strengthen the feature, SmartForms can automatically consume validation rules configured on a SmartObject to show validation errors when a field is linked to a SmartObject property so that the Forms/View designers do not need to build validation into every Form/View that consumes the SmartObject.