The vast majority of modern applications need some scheme of authentication and authorization. To cover these needs, GeneXus provides a mechanism called GeneXus Access Manager, which gives applications a single, centralized scheme for everything related to authentication and authorization.
The GeneXus Access Manager (GAM) provides APIs to manage all the security concerns of an application. The security module of any application (web applications and smart device applications) is therefore provided by GAM, and security controls are also applied automatically by configuring the Enable Integrated Security property.
GAM is based on the Role-Based Access Control (RBAC) model.
It provides a GAM API that implements all the security-related functionality: user administration (registration, authentication, password administration, security policies), roles, etc.
It has its own database, logically independent from the application database, though both can physically be the same database (with different table schemas).
End users (administrator users) can manage users and security policies through the GAM Web Backoffice.
GAM executes the database reorganization using C#, so for a MySQL database you need to install the ADO client for MySQL (libmysql.dll is required, see MySql ADO Net Configuration). The same applies to Oracle or any other DBMS: because the reorganization is done using C#, you need the corresponding ADO client to connect to the DBMS.
If the GAM data store is not a MySQL or SQL Server database, a setup is launched from the GeneXus IDE to install the GAM platform corresponding to the selected DBMS. See GAM platforms for more information. The setup is also distributed so that it can be run in standalone mode, under the <GeneXus>\Library\GAM\Setup folder.
In web applications, GAM uses the web session to store the user session information. As with any other web application, in load-balanced environments the servers need to persist the session (or use server affinity) so that the web session is available to the workers that handle the request.