GeneXus Access Manager (GAM) has permissions that are generated on F5 and checked at run time. This article explains some topics concerning these permissions.
You need to have the Integrated Security Level property set to the Authorization value.
Automatic permissions are those generated automatically by GeneXus from the Permission Prefix you give to each object.
"Generating a permission" means that the permission is registered as a permission of the GAM Application, so it can be assigned to any role if desired.
The code that checks these permissions is included in the generated code. The user only declares (through the Permission Prefix property) which permission is going to be checked; there is nothing to program, only the permissions required to execute the object have to be declared.
Automatic permissions can be described as follows:
Each object of the KB (except the Menu object) exposes an access permission.
This permission is named Execution Permission.
The name of this permission is <prefix>_Execute (where "prefix" is the Permission Prefix specified for the object).
So the following objects expose execution permission:
- Web objects with URL access (Web Panel, Web Components).
As of GeneXus Evolution 3, any web object generates permissions (regardless of whether its URL access property is Yes or No).
For example: assuming that the Permission Prefix is set to webpanel1, the permission named webpanel1_execute will be automatically generated in the WEB application.
- REST Web Services (Procedure objects, Business Components, Data Provider objects exposed as REST Web Services).
- Procs HTTP (main procs with call protocol = HTTP).
- Work With pattern and Work With object objects
- Panel for Smart Devices, for example: assuming that the Permission Prefix is set to SDpanel1, the permission named sdpanel1_execute will be automatically generated in the SD application.
When you specify a permission prefix in any Web Transaction (suppose it's "prefix"), a set of permissions is created in the GAM Repository, named:
The <prefix>_execute permission enables the user to display the data of the Transaction (display mode).
If the user performs an action on the Transaction (insert, update or delete), another permission will be required:
There is a permission which "groups" the other permissions: "<prefix>_FullControl". See Full Control Permissions for details.
Business logic of SD applications is implemented using REST Web Services.
GeneXus Transactions, which allow the user to read (GET) and update data, are implemented using REST services (Business Components exposed as REST) which expose CRUD methods.
That is why enabling or forbidding a user to execute the different methods of a Business Component exposed as a REST service implies enabling or forbidding that user's access to the services encapsulated by this Business Component.
If "prefix" is the Permission Prefix of a Business Component exposed as REST, the following permissions are generated automatically:
The <prefix>_Services_execute permission enables the user to read the data of the Business Component (which implies a GET HTTP over the REST service).
If the user performs an action on the Transaction (insert, update or delete), another permission will be required:
<prefix>_Services_Insert (implies a PUT HTTP over the REST service)
<prefix>_Services_Update (implies a POST HTTP over the REST service)
<prefix>_Services_Delete (implies a DELETE HTTP over the REST service)
There is a permission which "groups" the other permissions: "<prefix>_Services_FullControl".
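The naming scheme above makes role reviews scriptable. The following Python script is an added example, not GeneXus or GAM code: it parses the `<prefix>_Services_*` permission names and flags roles intended to be read-only that can still modify data through a Business Component exposed as REST. The role names, prefixes and role-to-permission mapping are constructed sample data; case-insensitive matching and treating `_Services_FullControl` as granting all four actions are assumptions.

```python
import re

# Suffixes the page lists for a Business Component exposed as REST.
ACTIONS = {"execute": "read", "insert": "insert",
           "update": "update", "delete": "delete"}
# Assumption: permission names are compared case-insensitively.
_PERM = re.compile(
    r"^(?P<prefix>.+)_services_"
    r"(?P<suffix>execute|insert|update|delete|fullcontrol)$",
    re.IGNORECASE)


def effective_actions(permissions):
    """Return {prefix: set of actions} granted by a list of permission names."""
    granted = {}
    for name in permissions:
        m = _PERM.match(name.strip())
        if not m:
            continue  # not a REST Business Component permission
        suffix = m["suffix"].lower()
        # Assumption: FullControl stands for every permission it groups.
        acts = set(ACTIONS.values()) if suffix == "fullcontrol" else {ACTIONS[suffix]}
        granted.setdefault(m["prefix"].lower(), set()).update(acts)
    return granted


def audit(roles, read_only_roles):
    """List (role, prefix, write actions) for read-only roles that can write."""
    findings = []
    for role, perms in sorted(roles.items()):
        if role not in read_only_roles:
            continue
        for prefix, acts in sorted(effective_actions(perms).items()):
            writes = sorted(acts - {"read"})
            if writes:
                findings.append((role, prefix, writes))
    return findings


# Constructed sample: role -> permissions assigned in the GAM Application.
ROLES = {
    "Auditor": ["customer_Services_Execute", "invoice_Services_FullControl",
                "webpanel1_execute"],
    "Clerk": ["customer_Services_Execute", "customer_Services_Insert"],
    "Viewer": ["customer_services_execute"],
}

if __name__ == "__main__":
    for role, prefix, writes in audit(ROLES, {"Auditor", "Viewer"}):
        print(f"{role}: can {', '.join(writes)} via {prefix}_Services")
```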
In the GAM Web Backoffice, you can see the generated permissions of an application by going to "Applications" and viewing the permissions of the selected application.
GAM - Permissions
GAM - Full Control Permissions and inheritance
GAM - Permissions Created by the User
GAM - Roles
GAM - Authorization Scenarios