OE STS Gateway a few questions

Posted by marekk on 15-Apr-2018 04:09

Hi,

I have some basic questions regarding OE Authentication Server.

In the db we could create table and field privileges for specified users and then make them active at runtime.

How to add such roles in the sts server?

What is the biggest benefit of the sts server, apart from using system domain users authenticated in the db?

Thanks,

Marek

Posted by Peter Judge on 17-Apr-2018 15:26
The callbacks in the OEAG will allow you to add roles into the token that is returned.
 
The connection role authorization is based on the qualified-user-id and those values are stored in the ‘business db’.
The _Can-* stuff is still where it is, and uses (if I remember right) the qualified user id too.
 
If you add roles that you want for ABL business logic authorization you need to check/enforce them yourself. The one exception is if you’re using PASOE and set up intercept-url (oeablSecurity.csv) authorization using roles.
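An added example (not code from this thread or from Progress) of the "enforce them yourself" part: the business logic reads the roles the OEAG callback put into the sealed client-principal and refuses to run unless the required role is present. The role name "inventory:write" and the procedure name are assumptions.

```abl
/* Added example: check a role carried in the client-principal that the
   STS/OEAG callback added, before running ABL business logic.
   Role name "inventory:write" is a hypothetical value. */

FUNCTION HasRole RETURNS LOGICAL (INPUT pcRole AS CHARACTER):
    DEFINE VARIABLE hClient AS HANDLE NO-UNDO.

    /* The client-principal established for this session; on PASOE the
       security layer sets it from the token before ABL code runs. */
    hClient = SECURITY-POLICY:GET-CLIENT().
    IF NOT VALID-HANDLE(hClient) THEN
        RETURN FALSE.

    /* Only trust roles on a principal that is actually logged in
       (not EXPIRED, LOGOUT or FAILED). */
    IF hClient:LOGIN-STATE <> "LOGIN" THEN
        RETURN FALSE.

    /* ROLES is a comma-separated list, so a plain LOOKUP suffices. */
    RETURN (LOOKUP(pcRole, hClient:ROLES) > 0).
END FUNCTION.

/* Hypothetical business-logic entry point: deny by default. */
PROCEDURE UpdateInventory:
    DEFINE INPUT PARAMETER pcItem AS CHARACTER NO-UNDO.

    IF NOT HasRole("inventory:write") THEN
        RETURN ERROR NEW Progress.Lang.AppError("Not authorized", 403).

    /* ... the actual update goes here ... */
END PROCEDURE.
```

The qualified user id (hClient:QUALIFIED-USER-ID) remains the value the _Can-* and connection-level checks in the business db use; the role check above is the separate, application-level layer Peter describes.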
 

All Replies

Posted by Peter Judge on 17-Apr-2018 11:20
You can do that in your “business data” db.  Think of those records as providing authorization based on an authenticated user.
 
The STS/OEAG will provide an authenticated user to the business db. The business db can add the authorization rules based on the (qualified-)user-id and/or roles that are contained in the client-principal that comes from the STS/OEAG.
 
 
Posted by marekk on 17-Apr-2018 15:12

Hi, Peter. Where can the authorization rules be added? In a Callback event class?

I have no idea how to do that...

Posted by marekk on 17-Apr-2018 15:30

Ufff, it does not sound easy. Does any white paper come to your mind where I can find an example?

Many thanks,

Marek

Posted by Peter Judge on 18-Apr-2018 09:12
 
There is documentation on adding your own policies at  documentation.progress.com/.../configuring-policies.html .  Policies are for adding data to - or invalidating – a client-principal. Events work similarly but are simply for recording purposes.
 
 