How to implement Client-principal into your application

Posted by PeterWokke on 27-Jun-2014 06:37

We have migrated our application from Progress 9.1E to Progress 10.2B.

It is based on the smartObjects from the adm2. We are now starting the migration to Progress 11 and want to implement the Client-principal object into this application and on the database if I am correct on this.

Is there a road map to implement this?

All Replies

Posted by Peter Judge on 27-Jun-2014 09:51

There is no formal documentation or road map to implement C-P in ADM2 (that I know of, anyway).

However, if you have your own authentication/security modules that work with the ADM2 app, it should be relatively easy to add C-P , especially in 11.x. If you are looking for examples/ideas on how to add C-P generally to an application, there are some presentations at various PUG Challenges over the past couple of years, that are posted on the relevant sites ( for the US conference, and for the EMEA conference).

-- peter

Posted by Thomas Mercer-Hursh on 27-Jun-2014 09:56

I was going to say, look for presentations by Peter Judge .... :)

Posted by PeterWokke on 30-Jun-2014 01:42

Thanks for the advise. Our current login procedure is as follow:

The user is logging in with his userID, one of the user groupID he is a member of and his password.

The user groupID is related to the business unit he needs to work in and the menu and program authorizations.

How can we implement this with C-P.

The users and passwords are stored in the _user table and an  application user table for additional user data like the default user group. in the user group table we have the identity of the business unit (company). And for the member ship of the user groups we have an additional table.

Can i reuse this in C-P and or have add tables to the DB to implement C-P.The same user can login in with one of the member ships and he can change the membership during the session. The menu and program authorizations and business unit will change too.

Should I implement the Security Domains for the user groups. And will this support the functionality of the member ships. And can it work when we later have to upgrade the application to a multy tendency (SAAS) solution.

Peter Wokke  


Posted by Peter Judge on 30-Jun-2014 10:15

In 11.1 and up (the .1 is *very* important) managing this stuff becomes much easier. You can set up an authentication system that uses the _User table, and associate that with a domain. A domain seems to be what your groupID is. So yes, I would implement domains. One of the design goals of the OE implementation is that you can switch the domains' authentication system at runtime (ie if  you move from _User to your own db tables).

The user would log in with credentials like username@groupid and provide a password. The domain (groupID) would know which authentication system to use (_User) and would authenticate based on that.  The user session would be asserted and you would have a C-P to work with.

There's a session with a basic overview of the Identity management flow at (session 233). Direct link is . This session talks about much of this stuff, and uses an application db table for user credentials.

Using the C-P for authorisation requires some more work and thought on your part. The C-P has a ROLES property as well as some custom properties that you can use for this stuff. Note that once the C-P is sealed (ie on successsful login) you cannot change those values.

I also did a session on some of these aspects at the same PCA (session #361; ) which may provide some guidelines.


-- peter

Posted by PeterWokke on 01-Jul-2014 02:10

Peter thank you kindly for your response.

I have tried to get to the download site.

Only the files are not available from the site (get file not found error)..

Now the databases of our customers have about 5 business units and over 35 GroupID's.

If I setup GroupID as domains do they have to create the same userID in each of the domains they could work in or is the same userID as members of the selected domains.

If we setup a multy tenant kind of SAAS environment and each tenant is greating about 25 GroupID we need a lot of domains.

Have to see if other options could work better. List of his available roles and check the selected role of the connection moment to the appserver. Based on the token we can selection the business unit and the user authorizations.

Hope you have some experience on this.      

Regards, Peter.

Posted by OctavioOlguin on 31-Dec-2018 14:49

The site were reorganised, and the new address for session 233 si:

This thread is closed