When GXflow is integrated with GeneXus Access Manager (GAM), all user and role management (regarding security issues) is delegated to GAM. Although GAM stores the information on Roles and Users, that information is stored in the GXflow tables as well.
As a consequence, Users and Roles have to be synchronized from GAM to GXflow or vice versa, to guarantee the right flow of the application. Roles are needed in the GeneXus IDE so that they can be assigned to Tasks. Users and roles need to be synchronized in GAM to handle the application security, and in the GXflow tables to assign the different scheduled tasks.
Synchronization can be made globally (synchronize a group of users and roles and their relation in any direction: from GXflow to GAM or vice versa), or it can be made interactively.
When the developer integrates GXflow with GAM, it will use only one kind of authentication, the one set as default in the repository configuration. Remember that GAM with Custom Authentication checks external credentials (e.g. through LDAP). Those developers who use the Workflow APIs for managing users must ensure that they are provided by the credentials provider.
| From GAM to GXflow | From GXflow to GAM |
|---|---|
| 1. Synchronization is made "on demand" when a GAM user connects to GXflow. In this case, it is checked whether the User is registered in the GAM repository (in addition, it checks the "gxflow public" role). If it does not exist, it will be created within the GXflow context and roles will be assigned or synchronized with the existing ones. | 1. Users, roles, and their relation are synchronized to GAM by running the apwfmigrateuserstogam procedure (manual synchronization). |
| 2. Users are globally synchronized to GXflow by running the apwfsynchronizegamusers procedure (manual synchronization). | 2. Synchronization is automatically executed in the Build process. |
=== Migrate workflow users to GAM started ==========
Migrate workflow users to GAM Success
- Limitation: When a GAM username is modified, GXflow treats it as a new user during the synchronization. In such a case, both usernames will coexist in GXflow (the recently updated one and the old one), but only the recently updated one will correspond to the GAM user.
| From GAM to GeneXus IDE | From GeneXus IDE to GAM |
|---|---|
| 1. When the Knowledge Base is opened, Roles created in the GAM will be created in the GeneXus IDE. You can see the roles through the Workflow Preferences > BPD Roles option. In this case, GAM to GeneXus synchronization is automatically performed when the KB is opened. | 1. The automatic synchronization of Roles from GeneXus to GAM is done the first time the KB is opened, at Build all, at Rebuild all, and at deployment. |
| 2. Synchronization can also be forced using the option Tools -> Workflow Tools -> Synchronize GAM roles. | 2. A manual synchronization of roles can only be done by running the apwfmigraterolestogam procedure. This is available as from GeneXus X Evolution 3 Upgrade 5. |
| | 3. Synchronization can also be forced using the option Tools -> Workflow Tools -> Synchronize GAM roles. |

During the automatic synchronization of Roles from GeneXus to GAM, you will notice the following messages on the Build output:
===Export roles to GAM started ===
Role RoleName1 successfully exported
Role RoleName2 successfully exported
Export roles to GAM Success
- As of GeneXus 15 Upgrade 4, the synchronization process is bidirectional. That means that every CRUD operation over the GAM roles is reflected automatically in GXflow roles, and vice versa. In previous versions, the synchronization is additive only (e.g. a role deleted from GAM won't be deleted from GXflow).
- To disable automatic synchronization, use the config.gx file with the property DisableGamRolesSync=true. If the file doesn't exist, you need to create it in the Model directory.
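A read-only drift check for the username limitation and the additive-only synchronization described above, as an added example that is not GeneXus code: it compares an export from each side and lists GXflow users and roles that have no GAM counterpart. The "username,role" CSV layout, the function names and the sample data are assumptions constructed for illustration; producing the exports from GAM and GXflow is outside the example.

```python
import csv
import io

# Constructed sample exports (not real GAM or GXflow output): one
# "username,role" row per assignment; a user with no role has an empty role.
GAM_EXPORT = """username,role
alice,Approver
bob.smith,Clerk
dave,Clerk
"""
GXFLOW_EXPORT = """username,role
alice,Approver
alice,Auditor
bob,Clerk
bob.smith,Clerk
carol,
"""

def load(text):
    """Return {username: set(roles)} from an export in the assumed CSV layout."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles = users.setdefault(row["username"].strip(), set())
        if row["role"].strip():
            roles.add(row["role"].strip())
    return users

def audit(gam, gxflow):
    """Compare both sides and report what synchronization left behind."""
    gam_roles = set().union(*gam.values())
    gx_roles = set().union(*gxflow.values())
    return {
        # GXflow users with no GAM user of that name, e.g. the old name kept
        # after a GAM rename; listed with the roles they still hold.
        "stale_users": {u: sorted(r) for u, r in gxflow.items() if u not in gam},
        # Roles only GXflow knows, e.g. deleted in GAM under additive-only sync.
        "stale_roles": sorted(gx_roles - gam_roles),
        # Users present on both sides whose GXflow roles exceed their GAM roles.
        "extra_assignments": {
            u: sorted(gxflow[u] - gam[u])
            for u in gxflow.keys() & gam.keys() if gxflow[u] - gam[u]
        },
        # GAM users not yet present in GXflow.
        "missing_in_gxflow": sorted(gam.keys() - gxflow.keys()),
    }

REPORT = audit(load(GAM_EXPORT), load(GXFLOW_EXPORT))
```

Stale users that still hold roles deserve review first, because GXflow uses its own tables to assign tasks.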
To run a manual synchronization, use the following command lines:
The synchronization procedures are located in the \bin folder. You may run them as follows:
The synchronization procedures are located in the <application>\WEB-INF\classes\com\gxflow folder. To run them, set the current working directory to "\classes" level folder and execute them as follows:
C:\..\<application>\WEB-INF\classes>java -cp ".;..\lib\*" com.gxflow.apwfmigrateuserstogam
C:\..\<application>\WEB-INF\classes>java -cp ".;..\lib\*" com.gxflow.apwfmigraterolestogam
C:\..\<application>\WEB-INF\classes>java -cp ".;..\lib\*" com.gxflow.apwfsynchronizegamusers
When using Java, make sure you have the connection.gam file under C:\..\<application>\WEB-INF\classes. Otherwise, these error messages will be displayed: "Invalid GAM repository, GXflow roles required" or "Error 2: Repository not found. Please contact the application administrator".
See Troubleshooting the GXflow-GAM manual synchronization
In versions older than GeneXus X Evolution 3 Upgrade 6, you need to use both the GXflow API and the GAM API to handle users and roles.
As from GeneXus X Evolution 3 Upgrade 6, the GXflow API to handle users and roles directly impacts on GAM users and roles. See GXFlow API integrated to GAM. As a consequence, you just need to use the GXflow API of the GXflow management console.
You can add users and roles from the GAM back office. Note that, when adding the "GXflow Public" role to a user, GXflow will try a user nomination during the login operation for that user (if the user has not been nominated yet).
- As of GeneXus 15 Upgrade 4, every CRUD operation over users and roles in the GAM Backend is automatically reflected in the GXflow Client, and vice versa.
Those developers who use previous versions of GeneXus are restricted to handling users and roles manually by using the GXflow API integrated to GAM.
GXflow - GAM Initialization
GXflow Custom Client with GAM
Business Process Deployer