
SAML Authentication issues in AMX BPM

Manish Kumar 11


Hi all,

We are using the SAML authentication mechanism to authenticate the incoming SOAP service calls within AMX BPM. By using this mechanism, no LDAP lookup or password checking is performed as this is from a trusted source (the assumption being that the user is already authenticated outside of the BPM environment). The only requirement is to pass a registered BPM user while making the call along with a SAML Token, which implies that one can pass the admin user as well (tibco-admin) to get admin privileges. Is there a way to restrict only the tibco-admin user, either at the AMX BPM environment level


You may want to look at the API "isActionAuthorised":

This is used internally to verify that the caller is authorised to perform certain actions. Those System Actions are identified by a "component" and "action". There are a fixed set of System Actions, so you can't just make them up.

For a caller to be authorised they must hold the Privileges that are required for the identified System Action. A System Action's Privileges are assigned using the Org-Model designer in Business Studio. Some System Actions are authorised for all users by default, and some are denied by default.

Admin users (that is, anyone assigned to the group "System Administrator", e.g. tibco-admin) hold an overriding Privilege that allows authorisation against all System Actions. Therefore, by checking the caller's authorisation against a System Action that is denied to all users, only admin users would be successful.

Perhaps a suitable System Action would be "deleteCalenders" (component ID "DAC"). By default, this action is denied to all users except the admin user. So, unless you're using Calendar functionality and allowing users to delete calendars, this can be used to verify that the caller is a "System Administrator" user.

A list of System Actions, their component ID and whether they are denied by default, can be found here:

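The gating pattern the answer above describes, as an added example that is not the poster's code and does not call TIBCO's API: it models a fixed System Action registry with denied-by-default entries and an admin override privilege, fails closed on unknown actions, and shows the caveat that a user explicitly granted the calendar-delete privilege would also pass the "is admin" check. The privilege names and the `viewWorkList` entry are assumptions; only `DAC`/`deleteCalenders` comes from the page.

```python
from dataclasses import dataclass, field

# Hypothetical name for the overriding privilege held by "System Administrator" members.
ADMIN_OVERRIDE = "SYSTEM_ADMINISTRATOR"

# Constructed registry of System Actions keyed by (component, action). Each entry lists the
# privileges a non-admin caller must hold and whether the action is allowed to everyone by
# default. Only ("DAC", "deleteCalenders") is named on the page; the rest is illustrative.
SYSTEM_ACTIONS = {
    ("DAC", "deleteCalenders"): {"required": {"calendar.delete"}, "allowed_by_default": False},
    ("WP", "viewWorkList"): {"required": set(), "allowed_by_default": True},
}


@dataclass
class Caller:
    name: str
    privileges: set = field(default_factory=set)


def is_action_authorised(caller, component, action):
    """Model of the described check: admin override wins, then default-allow,
    then explicit privileges. Actions not in the fixed set are rejected (fail closed)."""
    entry = SYSTEM_ACTIONS.get((component, action))
    if entry is None:
        return False
    if ADMIN_OVERRIDE in caller.privileges:
        return True
    if entry["allowed_by_default"]:
        return True
    required = entry["required"]
    return bool(required) and required <= caller.privileges


def is_system_administrator(caller):
    """The answer's trick: probe a denied-by-default action so only admins succeed.
    Caveat: anyone explicitly granted the action's privilege also passes."""
    return is_action_authorised(caller, "DAC", "deleteCalenders")


def admin_only(caller, operation):
    """Run operation() only for admins; any error in the check counts as denied."""
    try:
        allowed = is_system_administrator(caller)
    except Exception:
        allowed = False
    if not allowed:
        raise PermissionError(f"{caller.name} is not a System Administrator")
    return operation()
```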