Automatic Permissions generated by GeneXus

In GeneXus Access Manager (GAM) there are GAM Permissions, which are generated on F5 and checked at run time. This paper explains some topics concerning these permissions.

We assume that the Integrated Security Level property is set to Authorization.

Automatic Permissions

By automatic permissions we mean those which are generated automatically by GeneXus, from the Permission Prefix we give to each object.
"Generating a permission" means that the permission is registered as a permission of the Application, so it is available to be assigned to any role if desired.

The code that checks these permissions is included in the generated code. The developer only declares (through the Permission Prefix property) which permission is going to be checked; there is nothing to program, only the permissions required to execute the object to declare.

Automatic permissions can be described as follows:

1. Execution Permissions

Each object of the KB (except Dashboard object) exposes a permission of access.
This permission is named Execution Permission.

The name of this permission is <prefix>_Execute (where "prefix" is the Permission Prefix specified for the object).

So the following objects expose an execution permission:

Objects for WEB applications:
  1. Web objects with URL access (web panels, web transactions, web components).
     As of GeneXus Evolution 3, any web object generates permissions (regardless of whether its URL Access property is Yes or No).
     E.g., assuming that the Permission Prefix is set to webpanel1, the permission named webpanel1_execute will be automatically generated in the WEB application.
  2. REST Web Services (procedures, business components, data providers exposed as REST web services).
  3. HTTP procedures (main procedures with call protocol = HTTP).
Objects for SD applications:
  1. Work With for Smart Devices objects
  2. Panels for Smart Devices
     E.g., assuming that the Permission Prefix is set to SDpanel1, the permission named sdpanel1_execute will be automatically generated in the SD application.

2. Permissions for execution of the different modes of a transaction

When you specify a permission prefix in any web transaction (let's suppose it is "prefix"), a set of permissions is created in the GAM Repository, named:

<prefix>_FullControl

    <prefix>_Execute
    <prefix>_Insert
    <prefix>_Update
    <prefix>_Delete

The <prefix>_execute permission enables the user to display the data of the transaction (display mode).
If the user executes an action on the transaction (insert, update or delete), another permission will be required:

<prefix>_Insert
<prefix>_Update
<prefix>_Delete

There is a permission that "groups" the other permissions: "<prefix>_FullControl". See Full Control Permissions for details.

3. "Services" Permissions

The business logic of SD applications is implemented using REST Web Services.
GeneXus transactions, which allow the user to read (GET) and update data, are implemented using REST services (Business Components exposed as REST) which expose CRUD methods.
That is why enabling or forbidding a user to execute the different methods of a Business Component exposed as a REST service implies enabling or forbidding the user's access to the services encapsulated by this Business Component.

If "prefix" is the Permission Prefix of a Business Component exposed as REST, the following permissions are generated automatically:

<prefix>_Services_FullControl

    <prefix>_Services_Execute
    <prefix>_Services_Insert
    <prefix>_Services_Update
    <prefix>_Services_Delete

The <prefix>_Services_execute permission enables the user to read the data of the Business Component (reading the data implies a GET HTTP over the REST service).

If the user executes an action on the transaction (insert, update or delete), another permission will be required:

<prefix>_Services_Insert (implies a PUT HTTP over the REST service)
<prefix>_Services_Update (implies a POST HTTP over the REST service)
<prefix>_Services_Delete (implies a DELETE HTTP over the REST service)

There is a permission that "groups" the other permissions: "<prefix>_Services_FullControl".
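
The naming scheme in sections 1 to 3 can be used to review what a role's permission list actually allows. The following Python sketch is an added example, not GeneXus or GAM code: the object kinds ('object', 'transaction', 'rest_bc'), the sample roles and the case-insensitive name matching are assumptions, and FullControl is treated as granting the four permissions it groups.

```python
# Added example: permission names and the FullControl grouping follow this page;
# object kinds, sample roles and case-insensitive matching are assumptions.
ACTIONS = ("Execute", "Insert", "Update", "Delete")

def generated_permissions(prefix, kind):
    """Names this page lists: 'object' -> <prefix>_Execute only; 'transaction' and
    'rest_bc' -> FullControl plus the four mode permissions (rest_bc adds _Services)."""
    if kind == "object":
        return [f"{prefix}_Execute"]
    if kind not in ("transaction", "rest_bc"):
        raise ValueError(f"unknown object kind: {kind}")
    base = prefix if kind == "transaction" else f"{prefix}_Services"
    return [f"{base}_FullControl"] + [f"{base}_{a}" for a in ACTIONS]

def effective_actions(granted, prefix, kind):
    """Actions one role can perform on one object, from its granted permission names."""
    have = {g.lower() for g in granted}
    names = generated_permissions(prefix, kind)
    if kind != "object" and names[0].lower() in have:
        return set(ACTIONS)  # FullControl groups the other four
    return {n.rsplit("_", 1)[1] for n in names
            if not n.endswith("_FullControl") and n.lower() in have}

def audit(roles, objects):
    """Return {(role, prefix, kind): sorted actions} for every non-empty grant."""
    report = {}
    for role, granted in roles.items():
        for prefix, kind in objects:
            acts = effective_actions(granted, prefix, kind)
            if acts:
                report[(role, prefix, kind)] = sorted(acts)
    return report

# Constructed sample data (not taken from a real GAM repository).
OBJECTS = [("customer", "transaction"), ("customer", "rest_bc"),
           ("webpanel1", "object")]
ROLES = {
    "clerk": ["customer_execute", "customer_Services_Execute",
              "webpanel1_execute"],
    "manager": ["customer_FullControl", "customer_Services_Update"],
}

if __name__ == "__main__":
    for key, acts in audit(ROLES, OBJECTS).items():
        print(key, acts)
```

In the sample data, "manager" holds customer_FullControl for the web transaction but only Update on the REST Business Component, because the _Services_ permissions are separate names that must be assigned on their own.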

Where do I see the generated permissions?

In the GAM Web Backoffice, you can see the generated permissions of an application by going to "Applications" and viewing the permissions of the selected application.

See Also

GAM Permissions
Full Control Permissions and inheritance
Permissions Created by the User (X Evolution 3)
GAM Roles
GAM Authorization Scenarios