NOTE: Use non-role-based authentication modules to log in to the Designer. Role-based authentication modules are not supported for logging in to the Designer.
To use an authentication module for login, the assignment of the authentication module to the application must be enabled.
To enable an authentication module for an application
- In the Designer, select the Base data > Security settings > Authentication modules category.
- Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.
- In List Editor, select the authentication module.
- In the Application edit view, select the assigned application.
- Disable the Disable option.
- Select the Database > Save to database menu item and click Save.
To disable an authentication module for an application
- In the Designer, select the Base data > Security settings > Authentication modules category.
- Select the View > Select table relations menu item and enable the DialogProductHasAuthentifier table.
- In List Editor, select the authentication module.
- In the Application edit view, select the assigned application.
- Enable the Disable option.
- Select the Database > Save to database menu item and click Save.
The initial data is one part of the authentication string (parameter-value pair). Initial data from the authentication string is preallocated by default for each authentication instance.
The authentication string is formatted as follows:
Module=<name>;<property1>=<value1>;<property2>=<value2>,…
Example:
Module=DialogUser;User=<user name>;Password=<password>
To specify initial data
- In the Designer, select the Base data > Security settings > Authentication modules category.
- Select the authentication module and enter the data in Initial data.
Syntax:
Property1=value1;Property2=value2
Example:
User=<user name>;Password=<password>
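As an added example (not code from the product or from this documentation), the following Python parses an authentication string in the format above, fills every property that the string does not set from the module's initial data, and flags the role-based module names from Table 33 that the Designer does not accept. Treating initial data as defaults that an explicit value in the string overrides is an assumption of this example.

```python
# Role-based modules listed on this page; the Designer does not support them.
ROLE_BASED_MODULES = {
    "RoleBasedADSAccount", "RoleBasedManualADS", "RoleBasedPerson",
    "RoleBasedHTTPHeader", "RoleBasedLdap", "RoleBasedGeneric",
    "OAuthRoleBased", "RoleBasedQERAccount", "RoleBasedPasswordReset",
    "RoleBasedDecentralizedId",
}


def parse_pairs(text):
    """Split 'Property1=value1;Property2=value2' into a dict.

    Only the first '=' separates property from value, so a value may itself
    contain '='. Empty items (e.g. a trailing ';') are ignored.
    """
    pairs = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed property (missing '='): {item!r}")
        key, value = item.split("=", 1)
        pairs[key.strip()] = value.strip()
    return pairs


def parse_auth_string(auth_string, initial_data=""):
    """Parse 'Module=<name>;<prop>=<value>;...' and return (module, props).

    Assumption of this example: the module's initial data is preallocated
    as defaults, and a property given in the authentication string wins.
    """
    pairs = parse_pairs(auth_string)
    module = pairs.pop("Module", None)
    if module is None:
        raise ValueError("authentication string must contain Module=<name>")
    props = parse_pairs(initial_data)   # defaults from Initial data
    props.update(pairs)                 # explicit values override them
    return module, props


def designer_login_allowed(module):
    """The Designer only accepts non-role-based authentication modules."""
    return module not in ROLE_BASED_MODULES
```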
You can use different initial data depending on the authentication module.
Table 33: Initial data for authentication modules
Authentication module | Module name | Property | Description
--- | --- | --- | ---
System users | DialogUser | User | User name.
System users | DialogUser | Password | User password.
Active Directory user account | ADSAccount | |
Active Directory user account (dynamic) | DynamicADSAccount | Product | Use case. The system user is determined through the use case configuration data.
Active Directory user account (manual input) | DynamicManualADS | Product | Use case. The system user is determined through the use case configuration data.
Active Directory user account (manual input) | DynamicManualADS | User | User name. The user's identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.
Active Directory user account (manual input) | DynamicManualADS | Password | User password.
Active Directory user account (role-based) | RoleBasedADSAccount | | No parameters required
Active Directory user account (manual input/role-based) | RoleBasedManualADS | User | User name. The user's identity is determined from a predefined list of permitted Active Directory domains. In the TargetSystem | ADS | AuthenticationDomains configuration parameter, enter the permitted Active Directory domains.
Active Directory user account (manual input/role-based) | RoleBasedManualADS | Password | User password.
Employee | Employee | User | Employee's central user account.
Employee | Employee | Password | User password.
Employee (dynamic) | DynamicPerson | Product | Use case. The system user is determined through the use case configuration data.
Employee (dynamic) | DynamicPerson | User | User name.
Employee (dynamic) | DynamicPerson | Password | User password.
Employee (role-based) | RoleBasedPerson | User | User name.
Employee (role-based) | RoleBasedPerson | Password | User password.
HTTP header | HTTPHeader | Header | HTTP header to use.
HTTP header | HTTPHeader | KeyColumn | Comma-delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber
HTTP header (role-based) | RoleBasedHTTPHeader | | HTTP header to use.
HTTP header (role-based) | RoleBasedHTTPHeader | KeyColumn | Comma-delimited list of key columns in the Person table to be searched for user names. Default: CentralAccount, PersonnelNumber
LDAP user account (dynamic) | DynamicLdap | User | User name. Default: CN, DistinguishedName, UserID, UIDLDAP
LDAP user account (dynamic) | DynamicLdap | Password | User password.
LDAP user account (role-based) | RoleBasedLdap | User | User name. Default: CN, DistinguishedName, UserID, UIDLDAP
LDAP user account (role-based) | RoleBasedLdap | Password | User password.
Generic single sign-on (role-based) | RoleBasedGeneric | SearchTable | Table in which to search for the user name of the logged-in user. This table must contain a foreign key named UID_Person that points to the Person table.
Generic single sign-on (role-based) | RoleBasedGeneric | SearchColumn | Column of the SearchTable in which to search for the user name of the logged-in user.
Generic single sign-on (role-based) | RoleBasedGeneric | DisabledBy | Pipe (|) delimited list of Boolean columns which block a user account from logging in.
Generic single sign-on (role-based) | RoleBasedGeneric | EnabledBy | Pipe (|) delimited list of Boolean columns which release a user account for logging in.
OAuth 2.0/OpenID Connect | OAuth | | Dependent on the authentication method of the secure token service.
OAuth 2.0/OpenID Connect (role-based) | OAuthRoleBased | | Dependent on the authentication method of the secure token service.
Account based system user | DialogUserAccountBased | | No parameters required
User account | QERAccount | | No parameters required
User account (role-based) | RoleBasedQERAccount | | No parameters required
Password reset | PasswordReset | | No parameters required
Password reset (role-based) | RoleBasedPasswordReset | | No parameters required
Decentralized identity | DecentralizedId | Email | Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail).
Decentralized identity | DecentralizedId | Identifier | Decentralized identity of the employee (Person.DecentralizedIdentifier).
Decentralized identity (role-based) | RoleBasedDecentralizedId | Email | Default email address of the employee (Person.DefaultEmailAddress) or contact email address of the employee (Person.ContactEmail).
Decentralized identity (role-based) | RoleBasedDecentralizedId | Identifier | Decentralized identity of the employee (Person.DecentralizedIdentifier).
In the case of dynamic authentication modules, the system user assigned to the employee is not used for the login. Instead, the system user that is configured in the application's configuration data is used.
To specify configuration data
- In the Designer, select the Base data > Security settings > Programs category.
- Select the application and adjust the Configuration data.
Use XML syntax for entering the configuration data:
<DialogUserDetect>
    <Usermappings>
        <Usermapping
            DialogUser="System user name"
            Selection="Selection criterion"
        />
        <Usermapping
            DialogUser="System user name"
        />
        ...
    </Usermappings>
</DialogUserDetect>
Enter the system user (DialogUser) in the Usermappings section. Use the selection criterion (Selection) to specify which employees are to use the given system user. A selection criterion is optional for an assignment. The first system user that has the required assignment is used for the login.
You can assign function groups to permissions groups in order to deal with complex permissions and user interface structures. Function groups allow you to map the functions an employee has in the company, for example, IT controller or branch manager. Assign the function groups to the permissions groups. A function group can refer to several permissions groups, and several function groups can refer to one permissions group.
If the FunctionGroupMapping section is present in the configuration data, it is evaluated first and the system user found there is used: the authentication module logs in with the system user that is an exact member of the permissions group that was found. If no such system user is found, the Usermappings section is evaluated.
<DialogUserDetect>
    <FunctionGroupMapping
        PersonToFunction="View mapping employee to function group"
        FunctionToGroup="View mapping function group to permissions group"
    />
    <Usermappings>
        <Usermapping
            DialogUser="System user name"
            Selection="Selection criterion"
        />
        ...
    </Usermappings>
</DialogUserDetect>
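The evaluation order described above, as an added Python example that is not part of the product or of this documentation: it parses a constructed DialogUserDetect configuration, tries FunctionGroupMapping first, and otherwise takes the first matching Usermapping, where a Usermapping without Selection matches every employee. The view contents, the permissions-group membership, and the "Column=value" form of the selection criterion are stand-ins assumed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed configuration data in the page's DialogUserDetect syntax.
CONFIG = """<DialogUserDetect>
  <FunctionGroupMapping PersonToFunction="vPersonToFunction"
                        FunctionToGroup="vFunctionToGroup" />
  <Usermappings>
    <Usermapping DialogUser="viITController" Selection="Department=IT" />
    <Usermapping DialogUser="viStandard" />
  </Usermappings>
</DialogUserDetect>"""

# Constructed stand-ins for the two views and for permissions-group
# membership that the product would query (names are assumptions).
VIEWS = {
    "vPersonToFunction": {"alice": ["Branch manager"], "bob": []},
    "vFunctionToGroup": {"Branch manager": ["vi_BranchManagers"]},
}
GROUP_SYSTEM_USER = {"vi_BranchManagers": "viBranchManager"}


def selection_matches(selection, person):
    """Assumed selection syntax: one 'Column=value' test on the employee."""
    column, value = selection.split("=", 1)
    return str(person.get(column.strip(), "")) == value.strip()


def detect_dialog_user(config_xml, person):
    """Return the system user chosen for `person`, or None if nothing matches.

    1. FunctionGroupMapping (if present): employee -> function group ->
       permissions group -> system user that is a member of that group.
    2. Otherwise the first Usermapping whose Selection matches; a
       Usermapping without Selection matches everyone.
    """
    root = ET.fromstring(config_xml)
    fgm = root.find("FunctionGroupMapping")
    if fgm is not None:
        functions = VIEWS[fgm.get("PersonToFunction")]
        groups = VIEWS[fgm.get("FunctionToGroup")]
        for function in functions.get(person["CentralAccount"], []):
            for group in groups.get(function, []):
                if group in GROUP_SYSTEM_USER:
                    return GROUP_SYSTEM_USER[group]
    for mapping in root.findall("Usermappings/Usermapping"):
        selection = mapping.get("Selection")
        if selection is None or selection_matches(selection, person):
            return mapping.get("DialogUser")
    return None
```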