Manish Kumar, posted February 27, 2018

Hi all,

We are using the SAML authentication mechanism to authenticate the incoming SOAP service calls within AMX BPM. By using this mechanism, no LDAP lookup or password checking is performed, as this is from a trusted source (the assumption being that the user is already authenticated outside of the BPM environment). The only requirement is to pass a registered BPM user while making the call, along with a SAML token, which implies that one can pass the admin user as well (tibco-admin) to get admin privileges.

Is there a way to restrict only the tibco-admin user, either at the AMX BPM environment level

Regards
MKV
Phillip Watson, posted May 1, 2019

You may want to look at the API "isActionAuthorised": https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-806B933C-...

This is used internally to verify that the caller is authorised to perform certain actions. Those System Actions are identified by a "component" and "action". There is a fixed set of System Actions, so you can't just make them up. For a caller to be authorised they must hold the Privileges that are required for the identified System Action. A System Action's Privileges are assigned using the Org-Model designer in Business Studio. Some System Actions are authorised for all users by default, and some are denied by default.

Admin users (that is, anyone assigned to the group "System Administrator", e.g. tibco-admin) hold an overriding Privilege that allows authorisation against all System Actions. Therefore, by checking the caller's authorisation against a System Action that is denied to all users, only admin users would be successful.

Perhaps a suitable System Action would be "deleteCalenders" (component ID "DAC"). By default, this action is denied to all users except the admin user. So, unless you're using Calendar functionality, and allowing users to delete calendars, this can be used to verify that the caller is a "System Administrator" user.

A list of System Actions, their component ID and whether they are denied by default, can be found here: https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-EC83DDE6-...
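The reply above describes an authorisation model rather than showing it: a fixed catalogue of System Actions keyed by component and action, Privileges assigned per action in the Org-Model, a default allow/deny per action, and an overriding Privilege held by members of "System Administrator". The following Python is an added toy model of that logic written for this thread; it is not TIBCO's code and does not call the real AMX BPM isActionAuthorised API, whose signature is not reproduced here. The catalogue contents, the `ADMIN_OVERRIDE` token, the `Caller` class and the `is_system_administrator` gate are all assumptions made for illustration. It also shows the caveat in the reply: once a Privilege is assigned to "deleteCalenders" in the Org-Model, the "admin only" check silently admits any caller holding that Privilege.

```python
"""Toy model of System Action authorisation as described in the reply above.

Added example for this thread, NOT TIBCO code. The real AMX BPM API is
isActionAuthorised; everything below (catalogue, ADMIN_OVERRIDE, Caller,
is_system_administrator) is an assumption used to illustrate the semantics.
"""
from dataclasses import dataclass, field

ADMIN_GROUP = "System Administrator"
# Assumed: the overriding Privilege that members of ADMIN_GROUP hold.
ADMIN_OVERRIDE = "*"

# Constructed catalogue keyed by (component, action). 'required' is the set of
# Privileges the Org-Model grants for the action; 'default_allow' says whether a
# caller with none of them still passes. The real list is in the AMX BPM docs.
SYSTEM_ACTIONS = {
    ("DAC", "deleteCalenders"):  {"required": frozenset(), "default_allow": False},
    ("DAC", "readCalendars"):    {"required": frozenset(), "default_allow": True},
    ("WP", "completeWorkItem"):  {"required": frozenset(), "default_allow": True},
}


@dataclass
class Caller:
    """The authenticated BPM user named in the SAML-backed SOAP call."""
    name: str
    groups: frozenset = field(default_factory=frozenset)
    privileges: frozenset = field(default_factory=frozenset)

    def effective_privileges(self):
        privs = set(self.privileges)
        if ADMIN_GROUP in self.groups:
            privs.add(ADMIN_OVERRIDE)  # admin group grants the override
        return privs


def is_action_authorised(caller, component, action, catalogue=SYSTEM_ACTIONS):
    """Model of the check: override first, then required Privileges, then default."""
    try:
        spec = catalogue[(component, action)]
    except KeyError:
        # Fixed set of System Actions: callers cannot invent new ones.
        raise ValueError(f"unknown System Action {component}/{action}") from None
    privs = caller.effective_privileges()
    if ADMIN_OVERRIDE in privs:
        return True
    if spec["required"] & privs:
        return True
    return spec["default_allow"]


def is_system_administrator(caller, catalogue=SYSTEM_ACTIONS):
    """Gate from the reply: probe a default-denied action that nobody but the
    admin group is expected to pass. Only safe while deleteCalenders has no
    Privileges assigned in the Org-Model."""
    return is_action_authorised(caller, "DAC", "deleteCalenders", catalogue)


def with_calendar_privilege_assigned(privilege):
    """Return a catalogue where the Org-Model has granted `privilege` for
    deleteCalenders, which is what breaks the admin-only assumption."""
    cat = dict(SYSTEM_ACTIONS)
    cat[("DAC", "deleteCalenders")] = {"required": frozenset({privilege}),
                                       "default_allow": False}
    return cat


if __name__ == "__main__":
    admin = Caller("tibco-admin", groups=frozenset({ADMIN_GROUP}))
    clerk = Caller("clerk", privileges=frozenset({"Privilege.CompleteWork"}))
    print("tibco-admin is admin:", is_system_administrator(admin))
    print("clerk is admin:", is_system_administrator(clerk))
    cat = with_calendar_privilege_assigned("Privilege.CalendarAdmin")
    planner = Caller("planner", privileges=frozenset({"Privilege.CalendarAdmin"}))
    print("planner passes the 'admin' gate once the Privilege is assigned:",
          is_system_administrator(planner, cat))
```

The `with_calendar_privilege_assigned` path is the part worth keeping in mind operationally: the gate tests a side effect of the default Org-Model, so a later change to calendar Privileges changes who is treated as an administrator by the SOAP service.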