GAM - Security Policies

The following are some of the properties grouped by GeneXus Access Manager Security Policies (GAMSecurityPolicy GAM object):

• OAuth token expire (minutes)
• OAuth token maximum renovations
• Minimum Time to Change Passwords Security Policy
• Maximum Password History Entries
• Allow Multiple Concurrent Web Sessions Security Policy Property
• Web Session timeout
• MinimumNumericCharactersPassword
• MinimumUpperCaseCharactersPassword
• MinimumSpecialCharactersPassword

A GAM User can be assigned a security policy, as well as roles can be assigned a security policy also. Besides, a default security policy can be set for the GAM Repository.

The GAM security policies can be defined using GAM Web Backoffice, or programmatically using the GAM API. Using Web Backoffice the interface to add or update a security policy looks like the following figure:

Figure 1. Interface to add or update Security Policies

The decision on which security policy will be assigned to a user in runtime depends on the following precedence:

  1. The security policy associated to the user.

Each GAM user can have one security policy associated to him, or none.

Using GAM Web Backoffice go to WW Users, and edit the user properties (as shown in figure 2) to change his security policy.

Figure 2.

Programmatically, you can get the security policy of the user with SecurityPolicyId property of GAMUser object.

&User.Load(&UserId) //&User is GAMUser object, &UserId is GAMGUID data type
&SecurityPolicyId   = &User.SecurityPolicyId //&SecurityPolicyId is GAMKeyNumShort data type.

  2. If the user has no Security Policy associated, the Security Policy associated to the Main Role of the user.

If the user has no security policy, the policy taken in runtime will be the one associated to his Main Role. See GAM Main Role of a user for more information.
By editing the user properties in WW Users, you can see his main role (it's the only one which has no possibility to be set as Main Role).

Figure 3. Main Role of the User, in this example it's "Role1". 

By editing the role's properties, you can see the security policy of the role (which can be "none").

Figure 4. Security Policy assigned to a role

You can get the security policy of the role with SecurityPolicyId property of GAMRole object.

&Role.Load(&Id)//&Role is GAMRole, &Id is GAMKeyNumLong
&SecPolId = &Role.SecurityPolicyId //&SecPolId is GAMKeyNumShort data type

  3. If none of the previous, the default security policy of the Repository.

If the user has no security policy assigned, neither a main role, the security policy taken is the Default Security Policy of the Repository.

Figure 5. Default Security Policy of the Repository

The property DefaultSecurityPolicyId of GAMRepository object tells the default security policy of the repository.

&Repository.Load(&Id) //&Repository is GAMRepository, &Id is GAMKeyNumLong data type
&DefaultSecurityPolicyId  = &Repository.DefaultSecurityPolicyId //&DefaultSecurityPolicyId is GAMKeyNumShort data type

 

Notes:

• When setting a value higher than 0 for the property MinimumSpecialCharactersPassword, the following regular expression is used:

&UserPassword.Matches(!"[^\d\w]")

Which means:

\w [a-zA-Z0-9_] (literal or digit or underscore)
\d [0-9] (digit)
^ not 

So the regular expression means all that is NOT \d\w

See Also

GAM - Roles
GAM - Permissions
Security Session Management in Applications using GAM