Table of contents


Official Content

As a security component, GAM can be used by different applications (which can be Native Mobile applications, Web applications, or even Web Services).

Conceptually, GAM applications group Permissions which are related to GeneXus objects.

GAM Applications that are automatically generated
 

  • WEB GAM application

    If the Knowledge Base has at least one web environment, a WEB GAM application is automatically generated including the permissions of all the web objects of the KB. This WEB GAM application is identified with a GUID assigned in the Application ID property. The name of the WEB GAM application is the name of the KB.  

    The information of the WEB GAM application GUID is stored in the application.gam file, which is saved in the model directory and must be included in the deployment.

    Note that only one WEB GAM application is automatically generated for the KB even if it has N environments.
     
  • GAM applications associated with each Native Mobile / Angular Main Object 
     
    For each main object (like Menus or Panels) a GAM application is automatically generated.


GAM applications are defined within a repository. Each repository can contain more than one GAM application.

Additionally, one Repository can store more than one GAM WEB application because from different KBs you can use a different Application Id to create a different GAM WEB application in the same repository.

What is the purpose of GAM applications?

First, the GAM application is checked at runtime at the moment of user authentication.

Another purpose of defining GAM applications within the GAM repository is to associate Permissions to these applications and to form groups of permissions.

At runtime, permissions are checked considering the application which is being executed. So, when the user logs in to a repository, and a permission is needed to execute an action, the permission must be defined in the GAM application he is executing (and he needs to have a role where this permission is allowed).

So the permissions which can be associated to a GAM application are all related in some sense.

By default, when F5 processes permissions, the following GAM applications are created in the repository:

  • A GAM application for the WEB application of the KB. The WEB GAM application groups the permissions of all the web objects of the KB and its descendants.
  • A GAM application for each main object for Native Mobile applications. The application groups the permissions of this main object and its descendants. So if you have Dashboard1, and Dashboard2 which are main, there will be a GAM application for each of them.

How can I work with GAM applications?

Each GAM application is identified by a GAM application GUID, and has "Client Application data": Client Id and Client Secret information.

You can see the running GAM Backend as an administrator, all the available GAM applications for the repository you've connected to, and you can also define new applications. See figure 1.

GAM - New application v18

Figure 1.

Note: To add a new application, you have to click on "Applications" and then click on the "Add" button.

What happens at runtime?

When the user executes a web object, the GAM application Identifier is taken from application.gam file located in the virtual directory. See Application ID property in order to understand how this ID is automatically generated.

If the user executes a GeneXus object for Native Mobile and Angular application, the GAM application is identified by its "Client Application data" (Client Id and Client Secret information). See Secure Native Mobile applications architecture to understand how this information is used at a low level, using OAuth protocol.

Notes:

  • The "Client Application data" of GAM applications which have web object permissions is not used in GeneXus Evolution 3.
  • At present only one Application ID property is referenced in application.gam file so all the permissions related to web objects have to be grouped in the same WEB GAM application in the web application deployment. Although you can have more than one WEB GAM application in a repository, you need to deploy a different web application for each of them.

See Also

GAM - Permissions
GAM - Repository Connections
GAM - Repository
Require Access Permissions Application Property

Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant