Authorization security

You can configure authorization security at application level, object level, object structure level, or at the level of a method defined in a standard service. After user authentication completes, the integration framework checks that the user has been granted the authority to send messages to the target application, object, object structure, or method.

Manage provides configurable user-based and group-based authorization for its applications by using security signature options (sigoptions). A Manage application is the resource unit that is protected by the access control list (ACL) and sigoptions are the unit permissions for that resource. To secure an integration resource, such as an object structure, you can associate that resource with a Manage application and the object structure then inherits its permissions from the application.

However, this tightly coupled configuration is not ideal for every deployment. For example, you might not want every user who is authorized to use the Asset application to also be authorized to use the MXAPIASSET object structure for integration purposes. In this case, you can configure the object structure to have its own authorization.

A security administrator can configure the sigoptions for an object structure independent of the configuration for an application. These sigoptions are the unit permissions for the object structure.

To provide the most flexible security configuration, it is recommended that all object structures have their own authorization independent of applications.

Object-level authorization

Object-level authorization is based on the security configuration that is set in the Data Restrictions tab of the Security Groups application. This security configuration applies to data that is accessed by both Manage applications and integration processing. For integration processing, if an object or attribute is marked as read-only or hidden, inbound message data processing is limited to queries. You cannot insert, update, or delete data in an object or attribute that is marked as read-only or hidden.

Object structure-level authorization

If the mxe.int.enableosauth system property is set to 1, you must configure the authorization of the object structure before external users or applications can access and update data by using that object structure. When the system property is set to 0, authorization configuration is not required.

You configure object structure-level authorization by using the Configure Object Structure Security action in the Object Structures application. You can configure authorization for the object structure in the following two ways:
  1. You configure the object structure to inherit its authorization from a related application.
    • To configure the authorization in this way, in the Authorization Name field, specify the application name. The signature options of the application are used by default for the object structure. You can add additional signature options to apply to both the object structure and the application.
  2. You configure the object structure to have its own authorization by using signature options.
    • To configure the authorization in this way, check the Use Object Structure for Authorization Name check box. The authorization name is set to the object structure name, and the default insert, delete, save, and read options are assigned. For some object structures, you can then create signature options for any supported services that are available by using the object structures. Click Select Service Option to view and create signature options for these services.

After authorization for the object structures is defined, a security administrator can configure the authorization for a security group by using the Security Groups application.

Application-level authorization

You configure application-level authorization in the Object Structures application. In the Authorized Application field, specify the application to authorize. The specified application and the security group of the integration message user together provide authorization for inbound integration messages for object structures and enterprise services. The same combination of application and security group also provides authorization for the export of data related to this object structure.

If you use the REST API, you might need to configure application-level authorization to access business object resources.

Standard service authorization

Standard service authorization does not support the use of a condition that you associate with the signature option. Any condition that you assign is ignored.

You can configure a standard service transaction to take on the same security profile for the integration user as if that user entered the transaction through an application. This level of authorization requires manual configuration. The application service must have a properly annotated method and the service must be registered in the Database Configuration application. Assign a signature option to a standard service to limit access to the users or groups that are authorized for the selected option.

Run a SQL script that inserts a row into the MAXSERVSECURITY table with the details of the standard service method to authorize. The insert statement for MAXSERVSECURITY must populate the columns listed in the following table.

Field               Description
MAXSERVSECURITYID   A unique numeric ID. For example, query max(MAXSERVSECURITYID) from MAXSERVSECURITY and use the next sequential value.
ROWSTAMP            A unique numeric value. For example, query max(ROWSTAMP) from MAXSERVSECURITY and use the next sequential value.
SERVICENAME         The service name as registered in the Database Configuration application (MAXSERVICE.SERVICENAME).
APP                 The application for which the signature option is configured (MAXAPPS.APP).
METHODNAME          The name of the annotated method in the application service.
OPTIONNAME          The signature option name, as defined for that application in the signature option table (SIGOPTION.OPTIONNAME).
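The following script is an added example, not part of the product documentation, showing how the MAXSERVSECURITY row described above can be written so that nothing is inserted unless the referenced service, application and signature option actually exist. The service name ASSET, the method name changeStatus and the option name STATUS are assumptions for illustration; take the real values from MAXSERVICE and SIGOPTION on your own system before running it.

```sql
-- Added example (not from the product documentation). The service, method and
-- signature option names below are assumptions; replace them with values that
-- exist in your MAXSERVICE and SIGOPTION tables.

-- 1. Look up the rows the new MAXSERVSECURITY entry will reference. Every
--    query should return at least one row before you continue.
SELECT SERVICENAME
  FROM MAXSERVICE
 WHERE SERVICENAME = 'ASSET';                      -- assumed service name

SELECT APP
  FROM MAXAPPS
 WHERE APP = 'ASSET';                              -- assumed application name

SELECT APP, OPTIONNAME, DESCRIPTION
  FROM SIGOPTION
 WHERE APP = 'ASSET'                               -- assumed application name
 ORDER BY OPTIONNAME;                              -- pick the option to enforce

-- 2. Insert the authorization row. The INSERT ... SELECT form joins against
--    the three reference tables, so if the service, application or option is
--    misspelled the statement inserts zero rows instead of a dangling entry.
--    MAXSERVSECURITYID and ROWSTAMP are taken as max + 1, as the table above
--    describes; COALESCE handles an empty MAXSERVSECURITY table.
INSERT INTO MAXSERVSECURITY
       (MAXSERVSECURITYID, ROWSTAMP, SERVICENAME, APP, METHODNAME, OPTIONNAME)
SELECT (SELECT COALESCE(MAX(MAXSERVSECURITYID), 0) + 1 FROM MAXSERVSECURITY),
       (SELECT COALESCE(MAX(ROWSTAMP), 0) + 1 FROM MAXSERVSECURITY),
       s.SERVICENAME,
       a.APP,
       'changeStatus',                             -- assumed annotated method name
       o.OPTIONNAME
  FROM MAXSERVICE s
  JOIN MAXAPPS    a ON a.APP = 'ASSET'             -- assumed application name
  JOIN SIGOPTION  o ON o.APP = a.APP
                   AND o.OPTIONNAME = 'STATUS'     -- assumed signature option
 WHERE s.SERVICENAME = 'ASSET';                    -- assumed service name

-- 3. Verify exactly one row now exists for this service method. A count of 0
--    means one of the reference lookups in step 2 failed; more than 1 means
--    the script was run twice and the duplicate should be removed.
SELECT COUNT(*) AS ROWS_FOR_METHOD
  FROM MAXSERVSECURITY
 WHERE SERVICENAME = 'ASSET'
   AND METHODNAME  = 'changeStatus';

-- 4. Optional: confirm which security groups hold the option that now gates
--    the method, so you know who will still be able to call it.
SELECT ga.GROUPNAME, ga.APP, ga.OPTIONNAME
  FROM APPLICATIONAUTH ga
 WHERE ga.APP = 'ASSET'
   AND ga.OPTIONNAME = 'STATUS'
 ORDER BY ga.GROUPNAME;
```

Step 4 assumes the group-to-option grants are stored in APPLICATIONAUTH, which is an assumption about the schema rather than something this page states; if the query fails on your system, drop it and use the Security Groups application to review the grants instead. Because the standard service check ignores any condition attached to the signature option, choose an unconditional option here, or expect the condition to be silently bypassed for integration callers.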