OE STS Gateway a few questions - Forum - OpenEdge RDBMS - Progress Community


Hi,

I have some basic questions regarding OE Authentication Server.

In the db we can create table and field privileges for specified users and then make them active at runtime.

How do I add such roles in the STS server?

What is the biggest benefit of the STS server, other than using system domain users authenticated in the db?

Thanks,

Marek

Verified Answer
  • The callbacks in the OEAG will allow you to add roles into the token that is returned.
     
    The connection role authorization is based on the qualified-user-id and those values are stored in the ‘business db’.
    The _Can-* stuff is still where it is, and uses (if I remember right) the qualified user id too.
     
    If you add roles that you want for ABL business logic authorization you need to check/enforce them yourself. The one exception is if you’re using PASOE and set up intercept-url (oeablSecurity.csv) authorization using roles.
     
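The answer above says that roles added to the token are not enforced for you in ABL business logic. The following is an added ABL example, not code from the thread or from Progress, showing what that self-enforcement looks like. It assumes the OEAG/STS policy has already placed the roles in the client-principal and that the ABL session has asserted it, so SECURITY-POLICY:GET-CLIENT() returns a logged-in copy; the role name "CustomerEditor" and the procedure updateCustomer are hypothetical.

```abl
/* Added example, not code from the thread or from Progress.
   Assumes the OEAG/STS policy already placed the roles in the
   client-principal and the session has asserted it, so
   SECURITY-POLICY:GET-CLIENT() returns a logged-in copy of it.
   The role "CustomerEditor" and procedure updateCustomer are
   hypothetical names chosen for this illustration. */

/* Return TRUE only if the current client-principal is valid,
   still logged in, and carries the requested role. */
FUNCTION hasRole RETURNS LOGICAL (INPUT pcRole AS CHARACTER):
    DEFINE VARIABLE hClient AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lOk     AS LOGICAL NO-UNDO INITIAL FALSE.

    /* GET-CLIENT() hands back a copy; the caller must delete it. */
    hClient = SECURITY-POLICY:GET-CLIENT().
    IF VALID-HANDLE(hClient) THEN
    DO:
        /* A token that expired or was logged out carries no authority. */
        IF hClient:LOGIN-STATE = "LOGIN" THEN
            /* ROLES is the comma-separated list the STS/OEAG put in the token. */
            lOk = LOOKUP(pcRole, hClient:ROLES) > 0.
        DELETE OBJECT hClient.
    END.
    RETURN lOk.
END FUNCTION.

/* Business-logic entry point that enforces the role itself, as the
   reply says ABL code must do when not relying on intercept-url rules. */
PROCEDURE updateCustomer:
    DEFINE INPUT PARAMETER piCustNum AS INTEGER NO-UNDO.

    IF NOT hasRole("CustomerEditor") THEN
        RETURN ERROR NEW Progress.Lang.AppError(
            "User is not authorized to update customers", 403).

    /* ... the authorized update goes here. The _Can-* table and field
       privileges in the business db are still applied separately,
       keyed on the qualified user id of the same client-principal. */
END PROCEDURE.
```

The role string compared in hasRole must match exactly what the OEAG policy writes into the token, and the check is deliberately fail-closed: no client-principal, a non-LOGIN state, or a missing role all deny access. The one case where this code is unnecessary is the PASOE intercept-url route mentioned in the reply, where oeablSecurity.csv maps URLs to roles before the ABL code runs.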
All Replies
  • You can do that in your “business data” db. Think of those records as providing authorization based on an authenticated user.
     
    The STS/OEAG will provide an authenticated user to the business db. The business db can add the authorization rules based on the (qualified-)user-id and/or roles that are contained in the client-principal that comes from the STS/OEAG.
     
     
  • Hi, Peter. Where can the authorization rules be added? In the Callback event class?

    I have no idea how to do that...

  • Ufff, it does not sound easy. Does any white paper come to your mind where I can find an example?

    Many thanks,

    Marek

  • There is documentation on adding your own policies at documentation.progress.com/.../configuring-policies.html. Policies are for adding data to - or invalidating – a client-principal. Events work similarly but are simply for recording purposes.