As a security component, GAM can be used by different applications (which can be Smart Device applications, Web applications, or even Web Services).
Conceptually, GAM applications group Permissions which are related to GeneXus objects.
- WEB application
If the GeneXus KB has a web environment, it has only one WEB GAM application, which is identified by a GUID configured in Application Id property. The name of the WEB application is the name of the KB and includes the permissions of all the web objects of the KB. The information of the WEB GAM application GUID is stored in application.gam file, which is saved in the model directory and has to be included in the deployment.
- Any main SD object in the KB.
GAM SD applications group the permissions of all main SD objects of the KB. There is one GAM SD application for each main SD object in the KB.
GAM applications are defined within a repository. Each repository can contain more than one GAM application.
Additionally, one Repository can store more than one GAM WEB application because from different KBs you can use a different Application Id to create a different GAM WEB application in the same repository.
First, the GAM application is checked at runtime at the moment of the user authentication.
Another purpose of defining GAM applications within the GAM repository is to associate Permissions to these applications and to form groups of permissions.
At runtime, permissions are checked considering the application which is being executed. So, when the user logs in to a repository, and a permission is needed to execute an action, the permission must be defined in the GAM application he is executing (and he needs to have a role where this permission is allowed).
So the permissions which can be associated to a GAM application are all related in some sense.
By default, when F5 processes permissions, the following GAM applications are created in the repository:
- A GAM application for the WEB application of the KB. The WEB GAM application groups the permissions of all the web objects of the KB and its descendants.
- A GAM application for each main object for SD. The application groups the permissions of this main object and its descendants. So if you have Dashboard1, and Dashboard2 which are main, there will be a GAM application for each of them.
Each GAM application is identified by a GAM application GUID, and has "Client Application data": Client Id and Client Secret information.
You can see the running GAM Backend as an administrator, all the available GAM applications for the repository you've connected to, and you can also define new applications. See figure 1.
When the user executes a web object, the GAM application Identifier is taken from application.gam file located in the virtual directory. See Application Id property in order to understand how this ID is automatically generated.
If the user executes an SD object, the GAM application is identified by its "Client Application data" (Client Id and Client Secret information). See Secure Native Mobile applications architecture to understand how this information is used at a low level, using OAuth protocol.
- The "Client Application data" of GAM applications which have web object permissions is not used in GeneXus Evolution 3.
- At present only one Application Id property is referenced in application.gam file so all the permissions related to web objects have to be grouped in the same WEB GAM application in the web application deployment. Although you can have more than one WEB GAM application in a repository, you need to deploy a different web application for each of them.
GAM - Permissions
GAM - Repository Connections
GAM - Repository
Require Access Permissions Application Property