GXflow - GAM Integration


When GXflow is integrated with GeneXus Access Manager (GAM), all user and role management (regarding security issues) is delegated to GAM. Although GAM stores the information on Roles and Users, that information is stored in the GXflow tables as well.

As a consequence, Users and Roles have to be synchronized from GAM to GXflow or vice versa, to guarantee the right flow of the application. Roles are needed in the GeneXus IDE so that they can be assigned to Tasks. Users and roles need to be synchronized in GAM to handle the application security, and in the GXflow tables to assign the different scheduled tasks.

Synchronization can be performed globally (a group of users and roles and their relations are synchronized in either direction: from GXflow to GAM or vice versa), or interactively.

Warning: When the developer integrates GXflow with GAM, it will use only one kind of authentication, the one set as default in the repository configuration. Remember that GAM with Custom Authentication checks external credentials (e.g. through LDAP). Developers who use the Workflow APIs for managing users must ensure that those users are provided by the credentials provider.


Global Synchronization of Users and Roles

1. User synchronization

From GAM to GXflow

1. Synchronization is made "on-demand" when a GAM user connects to GXflow. In this case, it is checked whether the User is registered in the GAM repository (in addition, it checks the "gxflow public" role). If it does not exist, it will be created within the GXflow context and roles will be assigned or synchronized with the existing ones.
2. Users are globally synchronized to GXflow by running the apwfsynchronizegamusers procedure (manual synchronization).

From GXflow to GAM

1. Users, roles, and their relations are synchronized to GAM by running the apwfmigrateuserstogam procedure (manual synchronization).
2. Synchronization is automatically executed in the Build process.
=== Migrate workflow users to GAM started ==========
Migrate workflow users to GAM Success


  • Limitation: When a GAM username is modified, GXflow treats it as a new user during the synchronization. In such a case, both usernames will coexist in GXflow (the recently updated one and the old one), but only the recently updated one will correspond to the GAM user.


2. Role Synchronization

From GAM to GeneXus IDE

1. When the Knowledge Base is opened, Roles created in the GAM will be created in the GeneXus IDE. You can see the roles through the Workflow Preferences > BPD Roles option. In this case, GAM to GeneXus synchronization is automatically performed when the KB is opened.
2. Synchronization can also be forced using the Tools -> Workflow Tools -> Synchronize GAM roles option.

From GeneXus IDE to GAM

1. The automatic synchronization of Roles from GeneXus to GAM is done:
  • the first time the KB is opened,
  • at Build all,
  • at Rebuild all,
  • at deployment.
You will notice the following messages on the Build output:
===Export roles to GAM started ===
Role RoleName1 successfully exported
Role RoleName2 successfully exported
Export roles to GAM Success

2. Manual synchronization of roles can only be done by running the apwfmigraterolestogam procedure. This is available since GeneXus X Evolution 3 Upgrade 5.
3. Synchronization can also be forced using the Tools -> Workflow Tools -> Synchronize GAM roles option.


  • As of GeneXus 15 Upgrade 4, the synchronization process is bidirectional. That means that every CRUD operation over the GAM roles is reflected automatically in GXflow roles and vice versa. In previous versions, the synchronization is additive only (e.g. a role deleted from GAM won't be deleted from GXflow).
  • To disable automatic synchronization, set the property DisableGamRolesSync=true in the config.gx file (if the file doesn't exist, you need to create it in the Model directory).
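
Both the username limitation and the additive-only role synchronization of earlier versions leave entries in GXflow that no longer match GAM. The following Python check is an added example, not GeneXus code: it compares two snapshots of users and roles and lists the leftovers. The snapshot layout, the way it is exported, and all names except "GXflow Public" are assumptions made for illustration.

```python
def find_drift(gam, gxflow):
    """Compare two snapshots: {"users": {name: set(roles)}, "roles": set()}."""
    # GXflow usernames with no GAM counterpart, e.g. the old name left
    # behind when a GAM username was modified.
    orphans = {user: sorted(roles)
               for user, roles in gxflow["users"].items()
               if user not in gam["users"]}
    # Roles GXflow still has although GAM does not (additive-only sync),
    # with the GXflow users that still hold them.
    stale = {role: sorted(u for u, r in gxflow["users"].items() if role in r)
             for role in sorted(gxflow["roles"] - gam["roles"])}
    # Heuristic (assumption): an orphan whose role set equals that of a
    # user known to GAM is probably that user's previous name.
    renames = sorted(
        (old, new)
        for old, old_roles in orphans.items() if old_roles
        for new, new_roles in gxflow["users"].items()
        if new in gam["users"] and set(old_roles) == new_roles)
    return {"orphan_users": orphans, "stale_roles": stale,
            "possible_renames": renames}


# Constructed snapshots; every name except "GXflow Public" is made up.
GAM = {
    "users": {"alice.new": {"GXflow Public", "Approver"},
              "bob": {"GXflow Public"}},
    "roles": {"GXflow Public", "Approver"},
}
GXFLOW = {
    "users": {"alice": {"GXflow Public", "Approver"},
              "alice.new": {"GXflow Public", "Approver"},
              "bob": {"GXflow Public", "Legacy Reviewer"}},
    "roles": {"GXflow Public", "Approver", "Legacy Reviewer"},
}

if __name__ == "__main__":
    for finding, detail in find_drift(GAM, GXFLOW).items():
        print(finding, detail)
```

Orphaned users that still hold roles and roles that exist only in GXflow are the entries to review, since GAM no longer governs them.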


How to run a manual synchronization

To run a manual synchronization, use the following command lines:


The synchronization procedures are located in the \bin folder. You may run them as follows:





The synchronization procedures are located in the <application>\WEB-INF\classes\com\gxflow folder. To run them, set the current working directory to the "\classes" folder level and execute them as follows:

C:\..\<application>\WEB-INF\classes>java -cp ".;..\lib\*" com.gxflow.apwfmigrateuserstogam

C:\..\<application>\WEB-INF\classes>java -cp ".;..\lib\*" com.gxflow.apwfmigraterolestogam

C:\..\<application>\WEB-INF\classes>java -cp ".;..\lib\*" com.gxflow.apwfsynchronizegamusers

When using Java, make sure you have the connection.gam file under C:\..\<application>\WEB-INF\classes. Otherwise, these error messages will be displayed:

"Invalid GAM repository, GXflow roles required" error or "Error 2: Repository not found. Please contact the application administrator".
java -cp ".;..\lib\*" com.gxflow.apwfsynchronizegamusers
Invalid GAM repository, GXflow roles required
java -cp ".;..\lib\*" com.gxflow.apwfmigraterolestogam
Role: GXflow Public
Error 30: The connection to GAM was not found. Please contact the application administrator.
Role: All

See Troubleshooting the GXflow-GAM manual synchronization  
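
A manual run can be wrapped in a check that verifies the prerequisites named above and reads the console output for the success and error messages quoted on this page. This is an added Python example, not part of GeneXus; it assumes the output lines look as quoted here and does not rely on the process exit code, which this page does not document.

```python
import re
from pathlib import Path

PROCEDURES = ("apwfmigrateuserstogam", "apwfmigraterolestogam", "apwfsynchronizegamusers")
# Markers copied from the console output quoted on this page.
SUCCESS = ("Migrate workflow users to GAM Success", "Export roles to GAM Success")
FATAL = ("Invalid GAM repository, GXflow roles required",)
ERROR_LINE = re.compile(r"^Error (\d+): (.+)$")
EXPORTED = re.compile(r"^Role (.+) successfully exported$")


def preflight(classes_dir):
    """List what is missing under the classes folder before a manual run."""
    root = Path(classes_dir)
    missing = []
    if not (root / "connection.gam").is_file():
        missing.append("connection.gam")
    for name in PROCEDURES:
        # With "." on the classpath, com.gxflow.<name> resolves to this file.
        if not (root / "com" / "gxflow" / (name + ".class")).is_file():
            missing.append("com/gxflow/" + name + ".class")
    return missing


def classify(output):
    """Turn a procedure's console output into a pass/fail record."""
    result = {"ok": False, "exported_roles": [], "errors": []}
    succeeded = False
    for raw in output.splitlines():
        line = raw.strip()
        if line in SUCCESS:
            succeeded = True
        elif line in FATAL or ERROR_LINE.match(line):
            result["errors"].append(line)
        elif (m := EXPORTED.match(line)):
            result["exported_roles"].append(m.group(1))
    # Pass only when a success marker is present and no error line is.
    result["ok"] = succeeded and not result["errors"]
    return result


# Constructed samples, assembled from lines quoted on this page.
GOOD_RUN = """===Export roles to GAM started ===
Role RoleName1 successfully exported
Role RoleName2 successfully exported
Export roles to GAM Success"""
BAD_RUN = """Role: GXflow Public
Error 30: The connection to GAM was not found. Please contact the application administrator.
Role: All"""
```

Treating a run without a success marker as failed keeps a silent synchronization failure from leaving GAM and GXflow with different users and roles.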


Interactive synchronization of Users and Roles

In versions older than GeneXus X Evolution 3 Upgrade 6, you need to use both the GXflow API and the GAM API to handle users and roles.

Since GeneXus X Evolution 3 Upgrade 6, the GXflow API to handle users and roles directly affects GAM users and roles. See GXFlow API integrated to GAM. As a consequence, you just need to use the GXflow API of the GXflow management console.

User Nomination

You can add users and roles from the GAM back office. Note that, when adding the "GXflow Public" role to a user, GXflow will try a user nomination during the login operation for that user (if the user has not been nominated yet).


Since GeneXus 15 Upgrade 4:

  • When the "GXflow Public" role is added to a user, the user is created and, if a nominated license is available, a nomination is attempted as well. If the user has not been created and you use the GXFlow API integrated to GAM, or during the login operation, the user will be created (if it does not exist) and a nomination will be attempted.

  • Every CRUD operation over users and roles in GAM Backend is automatically reflected in GXFlow Client, and vice versa. If you use previous GeneXus versions, you are restricted to handling users and roles manually by using GXFlow API integrated to GAM.

See Also

GXflow - GAM Initialization
GXflow Custom Client with GAM
Business Process Deployer