HowTo: Implementing Permissions on Modes of a Web Transaction



This article shows how to configure permissions over web transaction modes, so that only authorized users can view the transaction's data (execute the transaction in display mode) or insert, update, or delete data of the web transaction.

How to do it

GAM defines automatic permissions, which include the permission to execute the web transaction (DSP) and one permission for each mode: INS, UPD, DLT.

The names of the permissions are determined from the Permission Prefix property value set in the web transaction properties (as shown in Figure 1).

At runtime, these permissions are checked automatically, and the GeneXus user just needs to declare the Permission Access Type in GAM Backend.

The process at execution time consists of validating whether the user has rights to execute the web transaction object. In this case, GAM checks that the user has the <prefix>_execute permission (where prefix is the Permission Prefix defined for the transaction). So the <prefix>_execute permission enables the user to display the data of the transaction (display mode).

If the user executes an action on the transaction (Insert, Update, or Delete), another permission is required:


In fact, there is a permission that "groups" the other permissions (see Full Control Permissions for more details):




Let's suppose we have a "product" web transaction, where some users will have access rights to execute the web transaction, but not to insert, update, or delete data.

Just follow these steps:

1. Check that the Enable Integrated Security Property is set to TRUE at the version level of the KB, and that the Integrated Security Level Property is set to Authorization at the version level or at least in the transaction object properties.

Also check that the Permission Prefix property of the "product" web transaction is set to a value (in this example the Permission Prefix property is set to "product", as shown in Figure 1).

Figure 1. Permission Prefix property of the web transaction (sample).

2. Define a role where the permissions mentioned above are specified with their corresponding Permission Access Type.

Figure 2. Role permissions (sample of how to give permissions on the modes of transactions).

3. Associate the users with the newly created role.

Figure 3. Role of the user (sample of permissions on transaction modes).

In this example, the WW pattern has been associated with the product transaction.

A user associated with the role defined previously will be able to execute the wwproduct web panel and select products from the list in order to view the data.

When the user tries to update or delete an existing product, or insert a new product, the Not Authorized Object for Web object will be called, as seen in the following figures (if the transaction does not receive KEY and Mode as parameters, the permission error is shown using the Error Viewer).

Figure 4. wwproduct (sample of permissions on transaction modes).
Figure 5. viewproduct (sample of permissions on transaction modes).
Figure 6. Permission denied when updating the product transaction.

See Also

GAM - Permissions
Full Control Permissions and inheritance
GAM Roles
GAM Authorization Scenarios