The TIBCO Platform is a real-time, composable data platform that will bring together an evolving set of your TIBCO solutions - and it's available now!
A chart showing the TIBCO Platform vision
Jump to content
Forums
Ask questions and gain insight from discussions

Recommended Posts

Posted

Hi all,

We are using the SAML authentication mechanism to authenticate the incoming soap service calls within AMX BPM. By using this mechanism, no LDAP lookup or password checking is performedas this is from trusted source (assumption being, the user is already authenticated outside of BPM environment). The only requirement is to pass a registered BPM user while making the call alongwith a SAML Token, which implies that, one can pass admin user as well (tibco-admin) to get admin priveleges. Is there a way to restrict only tibco-admin user, either at the AMX BPM environment level

Regards

MKV

  • 1 year later...
Posted

You may want to look at the API "isActionAuthorised": https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-806B933C-...

This is used internally to verify that the caller is authorised to perform certain actions. Those System Actions are identified by a "component" and "action". There are a fixed set of System Actions, so you can't just make them up.

For a caller to be authorised they must hold the Privileges that are required for the identified System Action. A System Action's Privileges are assigned using the Org-Model designer in Business Studio. Some System Action are authorised for all user's by default, and some are denied by default.

Admin users (that is, anyone assigned to the group "System Administrator" - e.g. tibco-admin) holds an overriding Privilege that allows authorisation against all System Actions. Therefore, by checking the caller's authorisation against a System Action that is denied to all users only admin users would be successful.

Perhaps a suitable System Action would be "deleteCalenders" (component ID "DAC"). By default, this action is denied to all users expect the admin user. So, unless you're using Calendar functionality, and allowing users to delete calendars, this can be used to verify that the caller is a "System Administrator" user.

A list of System Actions, their component ID and whether they are denied by default, can be found here: https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-EC83DDE6-...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...