GAM External Authorization

The objective here is to delegate the authorization to another process, external to GeneXus Access Manager.

The delegation of the authorization is specified for each GAM Application by setting the following property of the GAMApplication object:

&Application.IsAuthorizationDelegated = TRUE

For the application delegating the authorization to an external program, we must specify the following data:

  1. (Required) ClassName of the program implementing the authorization. For example, if the GeneXus procedure is called "testdelegateauthorization2_v10", then the ClassName would be "atestdelegateauthorization2_v10".
  2. (Optional) FileName of the program implementing the authorization (dll/jar/class/rb). For example: "atestdelegateauthorization2_v10.class" or "atestdelegateauthorization2_v10.dll". It's optional for Java.
  3. (Optional) Package which corresponds to the external program. For Java, it is the value specified in the Java Package Name property (GeneXus X Evolution 2); for .NET models it is the value of the Net Application Namespace property; and for Ruby, the Code Namespace. This property is optional and depends on whether the external program has a package or not.
  4. Method. Here we specify the method to be executed. For GeneXus programs it is always the "execute" method.
  5. Version of the external program. Currently, the supported version is 1.0.

Then the code would be the following:

&Application.IsAuthorizationDelegated = TRUE //&Application is GAMApplication data type.
&Application.DelegateAuthorization.ClassName = &GAMApplicationClassName
&Application.DelegateAuthorization.FileName = &GAMApplicationFileName
&Application.DelegateAuthorization.Method = &GAMApplicationMethod
&Application.DelegateAuthorization.Package = &GAMApplicationPackage
&Application.DelegateAuthorization.Version = &GAMApplicationVersion //&GAMApplicationVersion is GAMExternalAuthorizationVersions data type.

Sample of authorization delegation configuration

Note that the GAM Examples do not include a web panel with this code, so you need to implement it.

About the external program which implements the Authorization

The external program may be generated with or without GeneXus. The program receives a string parameter, in JSON format, and it must return a string parameter in JSON format or void.

The composition of the in parameter must be:

      GUID                   GAMGUID
      NameSpace              GAMRepositoryNameSpace
      AuthenticationTypeName GAMDescriptionShort
      Name                   GAMUserIdentification
      Login                  GAMUserLogin
      Email                  GAMEMail
      ExternalId             GAMUserIdentification
      FirstName              GAMDescriptionShort
      LastName               GAMDescriptionShort
      Birthday               GAMDate
      Gender                 GAMUserGender
   Roles              [collection]
      Id              GAMKeyNumLong
      ExternalId      GAMUserIdentification
      Id              GAMKeyNumLong
      GUID            GAMGUID
      Name            GAMDescriptionLong
      Name            GAMDescriptionLong

The composition of the out parameter must be:

   Authorized         GAMBoolean
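
An external program of this kind could look like the following added example, which is not GeneXus or GAM code. It is written in Ruby (one of the file types listed above) and denies whenever the in parameter is malformed or the permission is unknown. Assumptions: the class name, the "Permission" wrapper key and the other wrapper keys in the sample, the policy table, the sample values, and the encoding of Authorized as a JSON boolean.

```ruby
require 'json'

# Hypothetical external authorization program; the class name is an assumption.
class ExternalAuthorizationExample
  # Constructed policy: permission name => role ExternalIds allowed to use it.
  POLICY = {
    'invoice_Execute' => %w[accounting admin],
    'invoice_Delete'  => %w[admin]
  }.freeze

  # Out parameter used for every refusal.
  DENY = JSON.generate({ 'Authorized' => false }).freeze

  # Takes the in parameter (JSON string) and returns the out parameter (JSON string).
  def execute(json_in)
    request = JSON.parse(json_in)
    return DENY unless request.is_a?(Hash)

    # Assumption: the permission arrives as {"Permission": {"Name": ...}}.
    permission = request.dig('Permission', 'Name')
    roles = request['Roles']
    return DENY unless permission.is_a?(String) && roles.is_a?(Array)

    # A permission missing from the policy is granted to nobody.
    allowed = POLICY.fetch(permission, [])
    held = roles.select { |r| r.is_a?(Hash) }.map { |r| r['ExternalId'] }
    JSON.generate({ 'Authorized' => (held & allowed).any? })
  rescue JSON::ParserError, TypeError
    # Malformed or unexpected input never results in a grant.
    DENY
  end
end

# Constructed sample in parameter; values and wrapper keys are illustrative.
SAMPLE_IN = JSON.generate({
  'User'        => { 'GUID' => '00000000-0000-0000-0000-000000000001', 'Login' => 'jdoe' },
  'Roles'       => [{ 'Id' => 2, 'ExternalId' => 'accounting' }],
  'Application' => { 'Id' => 1, 'Name' => 'Billing' },
  'Permission'  => { 'Name' => 'invoice_Execute' }
})

puts ExternalAuthorizationExample.new.execute(SAMPLE_IN) if $PROGRAM_NAME == __FILE__
```

Because every permission check is routed to this program once delegation is enabled, any error path that returned a grant would open the whole application; the example therefore returns Authorized = false on every failure.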

Switching from GAM as the authorization manager to delegating the authorization to external programs is very simple and needs no programming.

The Automatic Permissions generated by GeneXus and the Permissions Created by the User (X Evolution 3) are all checked against the external program.

User data, roles, the application id, and the permission required for executing the object are passed automatically to the external program.

Download sample here.