GAM - Automatic Permissions generated by GeneXus


In GeneXus Access Manager (GAM) there are permissions that are generated on F5 and checked at run time.

This article explains some topics concerning these permissions. 

To get the automatic permissions generated by GeneXus, the Integrated Security Level property must be set to Authorization.

Automatic Permissions

Automatic permissions are those generated automatically by GeneXus from the Permission Prefix you give to each object.
"Generating a permission" means that the permission is registered as a permission of the Application, so it will be available to assign it to any role if desired.

The code to check these permissions is included in the generated code; the user only declares (through the Permission Prefix property) which permission is going to be checked. In fact, nothing needs to be programmed: it is enough to declare the permissions required to execute the object.

Automatic permissions can be described as follows:

1. Execution Permissions

Each object of the Knowledge Base (except the Menu object) exposes an access permission.
This permission is named Execution Permission.

The name of this permission is <prefix>_Execute (where "prefix" is the Permission Prefix specified for the object).

So the following objects expose execution permission:

Objects for WEB applications:
  1.     Web objects with URL access (Web Panel, Web Components)
        As of GeneXus Evolution 3, any web object generates permissions (regardless of whether its URL access property is Yes or No)
    For example: assuming that the Permission Prefix is set to webpanel1, the permission named webpanel1_execute will be automatically generated in the WEB application.
  2.     REST Web Services (Procedure objects, Business Components, Data Provider objects exposed as REST Web Services)
  3.     HTTP Procedures (main Procedures with Call protocol property = HTTP)
  4.     Reporting objects: Dashboard and Query
Objects for Native Mobile applications:
  1.     Work With pattern and Work With objects
  2.     Panels, for example: assuming that the Permission Prefix is set to panel1, the permission named panel1_execute will be automatically generated in the Native Mobile application

2. Permissions for execution of the different modes of a Transaction

When you specify a permission prefix in any Web Transaction (suppose it's "prefix"), a set of permissions is created in the GAM Repository, named:

<prefix>_FullControl

    <prefix>_Execute
    <prefix>_Insert
    <prefix>_Update
    <prefix>_Delete

The <prefix>_execute permission enables the user to display the data of the Transaction (display mode).
If the user executes an action over the Transaction (Insert, Update or Delete), another permission will be required:

<prefix>_Insert
<prefix>_Update
<prefix>_Delete

There is a permission which "groups" the other permissions: "<prefix>_FullControl". See Full Control Permissions for details.

3. "Services" Permissions

Business logic of Native Mobile applications is implemented using REST Web Services.
GeneXus Transactions, which allow the user to read (GET) and update data, are implemented using REST services (Business Components exposed as REST) which expose CRUD methods.
That is why enabling or forbidding a user to execute the different methods of a Business Component exposed as a REST service implies enabling or forbidding that user's access to the services encapsulated by this Business Component.

If "prefix" is the Permission Prefix of a Business Component exposed as REST, the following permissions are generated automatically:

<prefix>_Services_FullControl

    <prefix>_Services_Execute
    <prefix>_Services_Insert
    <prefix>_Services_Update
    <prefix>_Services_Delete

The <prefix>_Services_execute permission enables the user to read the data of the Business Component (which implies an HTTP GET over the REST service).

If the user executes an action over the Transaction (Insert, Update or Delete) another permission will be required:

<prefix>_Services_Insert (implies an HTTP PUT over the REST service)
<prefix>_Services_Update (implies an HTTP POST over the REST service)
<prefix>_Services_Delete (implies an HTTP DELETE over the REST service)

There is a permission which "groups" the other permissions: "<prefix>_Services_FullControl".
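
The naming scheme from sections 1 to 3, modelled as an added Python example (not GeneXus or GAM code) that expands a role's grants and lists the write access it holds only through a FullControl grant. The object kinds, function names, sample role and case-insensitive comparison are assumptions of this sketch, as is the reading that a FullControl grant implies the four permissions it groups.

```python
# Added example (not GeneXus or GAM code): models the naming scheme described above.
MODES = ("Execute", "Insert", "Update", "Delete")

def generated_permissions(prefix, kind):
    """Permission names the page lists for one object with this Permission Prefix.

    kind (labels chosen for this sketch):
      "object"      -> <prefix>_Execute only (web panels, procedures, panels...)
      "transaction" -> <prefix>_FullControl plus the four modes
      "rest_bc"     -> the same set under <prefix>_Services_
    """
    if kind == "object":
        return [f"{prefix}_Execute"]
    if kind not in ("transaction", "rest_bc"):
        raise ValueError(f"unknown object kind: {kind!r}")
    base = f"{prefix}_Services" if kind == "rest_bc" else prefix
    return [f"{base}_FullControl"] + [f"{base}_{m}" for m in MODES]

def effective_permissions(granted):
    """Expand each *_FullControl grant into the four permissions it groups.

    Assumption of this sketch: holding FullControl implies the grouped
    permissions. Names are lower-cased because the page writes both
    _Execute and _execute.
    """
    result = set()
    for name in granted:
        name = name.lower()
        result.add(name)
        if name.endswith("_fullcontrol"):
            base = name[: -len("_fullcontrol")]
            result.update(f"{base}_{m.lower()}" for m in MODES)
    return result

def is_allowed(granted, prefix, mode, services=False):
    """True if the grants cover <prefix>[_Services]_<mode>."""
    base = f"{prefix}_Services" if services else prefix
    return f"{base}_{mode}".lower() in effective_permissions(granted)

def write_access_via_fullcontrol(granted):
    """Least-privilege review: write permissions a role holds only through a
    FullControl grant, never assigned explicitly."""
    explicit = {g.lower() for g in granted}
    implied = effective_permissions(granted) - explicit
    return sorted(p for p in implied if not p.endswith("_execute"))

# Constructed sample role: read-only on Customer, FullControl on the Invoice REST BC.
ROLE = ["Customer_Execute", "Invoice_Services_FullControl"]
```

Running write_access_via_fullcontrol over each role exported from the backoffice shows where a single FullControl assignment gives Insert, Update and Delete that nobody granted explicitly.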

Where do you see the generated permissions?

In the GAM Web Backoffice, you can see the generated permissions of an application by going to "Applications" and viewing the permissions of the selected application.

See Also

GAM - Permissions
GAM - Full Control Permissions and inheritance
GAM - Permissions Created by the User
GAM - Roles
GAM - Authorization Scenarios