How to implement Client-principal into your application - Forum - OpenEdge RDBMS - Progress Community

How to implement Client-principal into your application

 Forum

How to implement Client-principal into your application

  • We have migrated our application from Progress 9.1E to Progress 10.2B.

    It is based on the smartObjects from the adm2. We are now starting the migration to Progress 11 and want to implement the Client-principal object into this application and on the database if I am correct on this.

    Is there a road map to implement this?

  • There is no formal documentation or road map to implement C-P in ADM2 (that I know of, anyway).

    However, if you have your own authentication/security modules that work with the ADM2 app, it should be relatively easy to add C-P , especially in 11.x. If you are looking for examples/ideas on how to add C-P generally to an application, there are some presentations at various PUG Challenges over the past couple of years, that are posted on the relevant sites (pugchallenge.org for the US conference, and pugchallenge.eu for the EMEA conference).

    -- peter

  • I was going to say, look for presentations by Peter Judge .... :)

    Consulting in Model-Based Development, Transformation, and Object-Oriented Best Practice  http://www.cintegrity.com

  • Thanks for the advise. Our current login procedure is as follow:

    The user is logging in with his userID, one of the user groupID he is a member of and his password.

    The user groupID is related to the business unit he needs to work in and the menu and program authorizations.

    How can we implement this with C-P.

    The users and passwords are stored in the _user table and an  application user table for additional user data like the default user group. in the user group table we have the identity of the business unit (company). And for the member ship of the user groups we have an additional table.

    Can i reuse this in C-P and or have add tables to the DB to implement C-P.The same user can login in with one of the member ships and he can change the membership during the session. The menu and program authorizations and business unit will change too.

    Should I implement the Security Domains for the user groups. And will this support the functionality of the member ships. And can it work when we later have to upgrade the application to a multy tendency (SAAS) solution.

    Peter Wokke  

    .

  • In 11.1 and up (the .1 is *very* important) managing this stuff becomes much easier. You can set up an authentication system that uses the _User table, and associate that with a domain. A domain seems to be what your groupID is. So yes, I would implement domains. One of the design goals of the OE implementation is that you can switch the domains' authentication system at runtime (ie if  you move from _User to your own db tables).

    The user would log in with credentials like username@groupid and provide a password. The domain (groupID) would know which authentication system to use (_User) and would authenticate based on that.  The user session would be asserted and you would have a C-P to work with.

    There's a session with a basic overview of the Identity management flow at pugchallenge.org/downloads.html (session 233). Direct link is pugchallenge.org/.../233_Basics_of_IM.pptx . This session talks about much of this stuff, and uses an application db table for user credentials.

    Using the C-P for authorisation requires some more work and thought on your part. The C-P has a ROLES property as well as some custom properties that you can use for this stuff. Note that once the C-P is sealed (ie on successsful login) you cannot change those values.

    I also did a session on some of these aspects at the same PCA (session #361; pugchallenge.org/.../361_Coding_with_IM.pptx ) which may provide some guidelines.

    Regards,

    -- peter

  • Peter thank you kindly for your response.

    I have tried to get to the download site.

    Only the files are not available from the site (get file not found error)..

    Now the databases of our customers have about 5 business units and over 35 GroupID's.

    If I setup GroupID as domains do they have to create the same userID in each of the domains they could work in or is the same userID as members of the selected domains.

    If we setup a multy tenant kind of SAAS environment and each tenant is greating about 25 GroupID we need a lot of domains.

    Have to see if other options could work better. List of his available roles and check the selected role of the connection moment to the appserver. Based on the token we can selection the business unit and the user authorizations.

    Hope you have some experience on this.      

    Regards, Peter.

  • The site were reorganised, and the new address for session 233 si:

    pugchallenge.org/.../233_Basics_of_IM.pptx