In GeneXus Access Manager (GAM) there are GAM Permissions, which are generated in F5 and checked at run time. This paper explains some topics concerning these permissions.
We assume that the Integrated Security Level property is set to the Authorization value.
By automatic permissions we mean those which are generated automatically by GeneXus, from the Permission Prefix we give to each object.
"Generating a permission" means that the permission is registered as a permission of the Application, so it is available to be assigned to any role if desired.
The code that checks these permissions is included in the generated code. The user only declares, through the Permission Prefix property, which permission is going to be checked. There is nothing to program: it is enough to declare the permissions required to execute the object.
Automatic permissions can be described as follows:
Each object of the KB (except the Menu object) exposes an access permission.
This permission is named Execution Permission.
The name of this permission is <prefix>_Execute (where "prefix" is the Permission Prefix specified for the object).
So the following objects expose execution permission:
- Web objects with URL access (web panels, web transactions, web components).
As of GeneXus Evolution 3, any web object generates permissions (regardless of whether its URL access property is Yes or No).
For example, assuming that the Permission Prefix is set to webpanel1, the permission named webpanel1_execute will be automatically generated in the WEB application.
- REST Web Services (Procedure objects, Business Components, Data Provider objects exposed as REST web services).
- Procs HTTP (main procs with call protocol = HTTP).
- Work With for Smart Devices objects.
- Panels for Smart Devices.
For example, assuming that the Permission Prefix is set to SDpanel1, the permission named sdpanel1_execute will be automatically generated in the SD application.
When you specify a permission prefix in any web transaction (let's suppose it's "prefix"), a set of permissions is created in the GAM Repository, named:
The <prefix>_execute permission enables the user to display the data of the transaction (display mode).
If the user executes an action over the transaction (Insert, Update or Delete), another permission will be required:
There is a permission which "groups" the other permissions: "<prefix>_FullControl". See Full Control Permissions for details.
Business logic of SD applications is implemented using REST Web Services.
GeneXus transactions, which allow the user to read (GET) and update data, are implemented using REST services (Business Components exposed as REST) which expose CRUD methods.
That's why enabling or forbidding a user to execute the different methods of a Business Component exposed as a REST service implies enabling or forbidding the user's access to the services encapsulated by this Business Component.
If "prefix" is the Permission Prefix of a Business Component exposed as REST, the following permissions are generated automatically:
The <prefix>_Services_execute permission enables the user to read the data of the Business Component (read the data, which implies a GET HTTP over the REST service).
If the user executes an action over the Transaction (Insert, Update or Delete), another permission will be required:
- <prefix>_Services_Insert (implies a PUT HTTP over the REST service)
- <prefix>_Services_Update (implies a POST HTTP over the REST service)
- <prefix>_Services_Delete (implies a DELETE HTTP over the REST service)
There is a permission which "groups" the other permissions: "<prefix>_Services_FullControl".
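The naming scheme above, as an added example (not GeneXus or GAM code): a Python sketch that derives the permission name each REST call on a Business Component needs and audits which HTTP methods each role's grants cover. The role names, the "customer" prefix and the case-insensitive comparison are assumptions made for the illustration.

```python
# Added example: models the permission names described on this page.
# It is not GAM code and does not call any GAM API.

# HTTP method -> action suffix, exactly as this page pairs them.
METHOD_TO_ACTION = {
    "GET": "Execute",
    "PUT": "Insert",
    "POST": "Update",
    "DELETE": "Delete",
}


def required_permission(prefix, method):
    """Name of the permission a REST call on the Business Component needs."""
    action = METHOD_TO_ACTION.get(method.upper())
    if action is None:
        raise ValueError(f"no automatic permission described for {method!r}")
    return f"{prefix}_Services_{action}"


def is_allowed(granted, prefix, method):
    """True if the grants cover the call, directly or through FullControl."""
    # Assumption: names compare case-insensitively (the page writes both
    # <prefix>_Execute and webpanel1_execute).
    have = {p.lower() for p in granted}
    needed = required_permission(prefix, method).lower()
    return needed in have or f"{prefix}_services_fullcontrol" in have


def audit(role_grants, prefix):
    """Per role, list the HTTP methods it may call on the Business Component."""
    return {
        role: [m for m in METHOD_TO_ACTION if is_allowed(granted, prefix, m)]
        for role, granted in role_grants.items()
    }


# Constructed sample data: role names and the "customer" prefix are hypothetical.
ROLES = {
    "viewer": ["customer_Services_Execute"],
    "clerk": ["customer_services_execute", "customer_Services_Update"],
    "admin": ["customer_Services_FullControl"],
    # Web transaction names only: they do not match the _Services_ names.
    "web_only": ["customer_Execute", "customer_FullControl"],
}

if __name__ == "__main__":
    for role, methods in audit(ROLES, "customer").items():
        print(f"{role:9} -> {methods or 'no REST access'}")
```

Running the audit over an export of role grants makes it easy to spot roles that hold a FullControl permission where a single method was intended.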
In the GAM Web Backoffice, you can see the generated permissions of an application by going to "Applications" and viewing the permissions of the selected application.
Full Control Permissions and inheritance
Permissions Created by the User (X Evolution 3)
GAM Authorization Scenarios