Show how to configure permissions over web transaction modes, so only authorized users can view the transaction's data (execute the transaction in display mode); insert, update, or delete data of the web transaction.
GAM defines automatic permissions which include permissions to execute the web transaction (DSP), and one permission for each mode INS, UPD, DLT.
The name of the permissions are determined from the Permission Prefix property value set in the web transaction properties (as shown in Figure 1).
In runtime, these permissions are checked automatically, and the GeneXus user just needs to declare the Permission Access Type in GAM Backend.
The process at execution time consists on validating if the user has rights to execute the web transaction object. In this case GAM checks that the user has <prefix>_execute permission (where prefix is the Permission Prefix defined for the transaction). So the <prefix>_execute permission enables the user to display the data of the transaction (display mode).
If the user executes an action over the transaction (Insert, Update or Delete) another permission will be required :
In fact there is a permission which "groups" the other permissions (see Full Control Permissions for more details):
Let's suppose we have a "product" web transaction, where some users will have access rights to execute the web transaction, but not to insert, update, or delete data.
Just follow this steps:
1. Check that Enable Integrated Security Property is set to TRUE at version level of the KB, and Integrated Security Level Property is set to Authorization at version level or at least for the transaction object properties.
Check also that Permission Prefix property of "product" web transaction is set to any value (in this example the Permission Prefix property is set to "product", as shown in figure 1).
2. Define a role where the permissions mentioned above are specified with their corresponding Permission Access Type.
3. The users need to be associated to the role newly created.
In this example WW pattern has been associated to product transaction.
The user associated to the role defined previously, will be able to execute wwproduct webpanel, and select products from the list in order to view the data.
When the user tries to update or delete an existing product, or insert a new product, the Not Authorized Object for Web object will be called, as seen in the following figures (if the transaction does not receive KEY and Mode as parameters, the permission error is shown using the Error Viewer).
Full Control Permissions and inheritance
GAM Authorization Scenarios