The model design of GeneXus Access Manager enables to connect to multiple Repositories to solve many scenarios where only one GAM Repository wouldn't be enough.
In this document we explain the case of a multiple - repositories scenario (a company with different branches).
The same application is used by different branches of a company; it may happen that the application is deployed in a different web application for each branch (another possible scenario is that the same executables are used for all branches).
In both cases the users of the application are the same for all branches of the company, but users may have different privileges depending on the application branch they are connected to.
This is an scenario where multiple Repositories can be used as a solution, taking into consideration that the company has different branches, and users have different GAM Security Policies, GAM Roles and GAM Permissions depending on the branch where the application runs.
There' s no need to define one GAM database for each branch, because users would need to be redundant in each GAM database in that case.
By defining a Repository for each branch, users are the same (and defined only once) in GAM database. Because of the GAM Repository model design, a user can be enabled to many Repositories if the user has the same Namespace as the Repository Namespace where he is enabled. See Users enabled or disabled in the GAM Repository for details.
All the Repositories will have the same set of WEB GAM Applications defined (or at least will share a common set of GAM Applications). GAM Applications group permissions.
Besides the following is fulfilled:
- If the application is deployed in the same web app for all branches, connection.gam file under the virtual directory (or under the web-inf directory of the webapp in case of java) has n entries, each pointing to a different GAM Repository Connection. Otherwise, each web application of each branch has its connection.gam with the corresponding GAM Repository Connection.
- application.gam file under the virtual directory (or under the web-inf directory of the webapp in case of java) references the Application Id which corresponds to the KB of the application.
1. Create a GAM Repository for each branch, the Repository Namespace should be the same in all of them, so as the users are shared in all the Repositories.
Take into consideration that in order to create a Repository "B" with the same namespace as Repository "A", you need to have a GAM Repository Connection in connection.gam pointing to the Repository "A". This is is a security requirement.
2. Use the GAM Deploy Tool to export the data of one Repository application, and import it into another one (in particular GAM Applications and GAM Roles).
3. Create the connection.gam for each application, using GAMDeployTool, see GAMDeployTool:Creating connection.gam file.
If a web application is deployed for each branch, each web application will have its own connection.gam file including the GAM Repository Connection to the corresponding Repository. In this case there's no need to do any special programming in order to connect to the GAM Repository.
In case the executables are shared by all the branches, the connection.gam will include all the GAM Repository Connections. In this case you need to set programmatically the corresponding GAM Repository Connection. See HowTo: Get and Set GAM Repository Connections.
HowTo: Managing repositories using an admin user