The Access Type of a permission defines the permission level available: Allow, Restricted, and Deny. It's assigned at different levels:

The Access Type of a permission defined at all levels will be used to determine the final permissions for each user.

The Access Type of a permission at Application level is the default and is overridden by the Access Type of the same permission in any role the user is associated with. In turn, the Access Type of a permission granted directly to the user overrides the Access Type of that permission at Role level.

This document explains the meaning of permission Access Type depending on where the permission is defined.

Default Access Type of a permission at Application level

The Access Type of a permission specified at Application level is the default value: it is the access type of this permission for any user unless there is an exception that overrides this default.

Restricted:

It implies that only users who have this permission granted with Access Type = Allow or have some role where this permission is allowed, have the corresponding rights. That is to say, the user doesn't have this permission by default.

Example:

1.  In the following figure, the permission associated with the selection list for customers is restricted. The list of Application permissions can be seen using the GAM Backend.

Figure 1.

2. Since the user has not been granted this permission and has no roles where this permission is "allowed", the execution on the selection list for customers will fail with an Authorization error.

Figure 2.


Allow:

This access type grants the permission to everyone by default. Users who have this permission granted with Access Type = Restricted or Deny, or who have some role where the permission is restricted or denied, won't have this permission.

Example:

1. In the following figure, the permission associated with the selection list for products (gx0010_Execute permission) has "Default Access Type" = Allow.

Figure 3.

2. This means that the user who has "RoleSample" has access rights to execute object gx0010, even though "RoleSample" doesn't have gx0010_Execute permission. See figure 4 where the user roles are shown, and figure 5 where the permissions of this role are listed.

Figure 4.

Figure 5.

As a consequence of what was previously explained, the user has the permission gx0010_Execute.

Access Types of permissions at Role level

Allow:

A user who has a role with a permission of Access Type = Allow will have this permission unless he has been given this permission with Access Type = Deny, or has another role where the same permission is denied.

Deny:

A user who has a role with a permission of Access Type = Deny won't have this permission, regardless of whether the permission is allowed at application level (by default) or he has another role where the permission is allowed. The only way in which the user can have this permission is by being granted it directly with Access Type = Allow.

Restricted:

If a permission is restricted in a user's role, the user doesn't have this permission unless it is granted to the user with Access Type = Allow or the user has another role where the same permission is allowed.

Access Types of permissions assigned to the user

The permissions assigned to the user have precedence over the permissions assigned through user roles. That means, for example, that if a user has a permission that has been directly assigned to him, which has Access Type = Allow, this permission overrides any permission which has Access Type = Deny at role level for any role the user is associated with.

Summary

The following figure provides a graphical explanation of how Role permissions are given to users depending on the Access Type of these permissions. In this case, we are not considering if the user has permissions directly assigned to him.

| Permission Default Access Type (Application level) | Permission Access Type (Role level) | Behavior |
|---|---|---|
| Allow | Allow (only one role) | Has permission |
| Allow | Allow (at least one role) & Restricted (any roles) | Has permission |
| Allow | Deny (at least one role) & Restricted or Allow (any roles) | Has no permission |
| Allow | Restricted (only one role) | Has no permission |
| Allow | Deny (only one role) | Has no permission |
| Allow | No roles with this permission | Has permission |
| Restricted | Allow (only one role) | Has permission |
| Restricted | Allow (at least one role) & Restricted (any roles) | Has permission |
| Restricted | Deny (at least one role) & Restricted or Allow (any roles) | Has no permission |
| Restricted | Restricted (only one role) | Has no permission |
| Restricted | Deny (only one role) | Has no permission |
| Restricted | No roles with this permission | Has no permission |
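The precedence rules from this page (application default, then roles, then direct user assignment), modeled as an added Python example that is not GAM code or its API. The names `AccessType` and `resolve` are hypothetical, and a user-level Restricted assignment is assumed to override role-level Allow, following the statement that user-level permissions take precedence over role level.

```python
from enum import Enum
from typing import Iterable, Optional, Tuple


class AccessType(Enum):
    ALLOW = "Allow"
    RESTRICTED = "Restricted"
    DENY = "Deny"


def resolve(app_default: AccessType,
            role_types: Iterable[AccessType] = (),
            user_type: Optional[AccessType] = None) -> Tuple[bool, str]:
    """Return (has_permission, deciding_level) for one permission and one user.

    role_types holds the Access Type from each of the user's roles that
    defines this permission; roles that do not list it are left out.
    """
    # 1. A direct user assignment overrides every role. Only Allow grants;
    #    treating user-level Restricted like Deny here is an assumption.
    if user_type is not None:
        return user_type is AccessType.ALLOW, "user"

    roles = set(role_types)
    # 2. Role level: one Deny beats any number of Allow or Restricted roles.
    if AccessType.DENY in roles:
        return False, "role"
    # 3. Otherwise one Allow is enough, even next to Restricted roles.
    if AccessType.ALLOW in roles:
        return True, "role"
    # 4. Only Restricted roles remain: no permission, even if the default is Allow.
    if AccessType.RESTRICTED in roles:
        return False, "role"
    # 5. No role mentions the permission: the application default decides.
    return app_default is AccessType.ALLOW, "application"


if __name__ == "__main__":
    A = AccessType
    cases = [  # constructed sample inputs
        ("default Allow, role without the permission", A.ALLOW, [], None),
        ("default Allow, one Restricted role", A.ALLOW, [A.RESTRICTED], None),
        ("default Restricted, Deny + Allow roles", A.RESTRICTED, [A.DENY, A.ALLOW], None),
        ("role Deny, user-level Allow", A.RESTRICTED, [A.DENY], A.ALLOW),
    ]
    for label, default, roles, user in cases:
        print(f"{label}: {resolve(default, roles, user)}")
```

The second element of the result names the level that decided the outcome, which helps when reviewing why a user ended up with a permission.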


Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant