Overview of client application authentication

Use service credentials to authenticate a client application.

Operational Decision Manager on Cloud provides two options for authentication:

  • User accounts: These accounts provide credentials that users enter to sign in to the cloud portal and its components. While client applications can also log in by using user account credentials, it is better to use service credentials because user passwords and any applications that use them must be updated regularly.
  • Service credentials: These accounts provide credentials for authenticating calling applications. They include an ID that is associated with a function, and a highly secure password. Because of its high security, the password does not require regular updates and is well suited for authenticating client applications.

Because service credentials are linked to functions, and not to real users, they do not have to be changed when a user leaves a project or a company. SAML users, who log in to the cloud portal through the login systems of their organizations, must use service credentials for applications that need to authenticate with the cloud.

Service credential basics

Service credentials comply with basic authentication. They use a functional ID for the user name, and a long, machine-generated password to foil brute-force attacks. For example:

  • Functional ID: custval.fid@t100
  • Password: 8xcFS9OS60EGcvj0coppPDH9+/iBx9aDrjhD8zwn

When you create a set of service credentials, you enter an alias (for example, custval). The cloud service generates a functional ID from the alias by adding an extension that stands for functional ID (fid) and your tenant of the cloud portal (t100).
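
A client application can check the functional ID format and build the basic authentication header as sketched below. This is an added example, not code from the product documentation; the environment variable names, the endpoint URL used in testing, and the character set accepted for the alias and tenant are assumptions.

```python
import base64
import json
import os
import re
import urllib.request
from urllib.parse import urlsplit

# Shape shown on the page: <alias>.fid@<tenant>, for example custval.fid@t100.
# The permitted character set is an assumption; the page does not specify it.
FUNCTIONAL_ID_RE = re.compile(
    r"^(?P<alias>[A-Za-z0-9_-]+)\.fid@(?P<tenant>[A-Za-z0-9_-]+)$"
)


def parse_functional_id(functional_id):
    """Split a functional ID into (alias, tenant); reject anything else."""
    match = FUNCTIONAL_ID_RE.match(functional_id)
    if match is None:
        # A user account name ends up here, so a personal password
        # is never wired into an application by mistake.
        raise ValueError("not a functional ID of the form alias.fid@tenant")
    return match.group("alias"), match.group("tenant")


def load_service_credentials(env=os.environ):
    """Read credentials from the environment (hypothetical variable names)."""
    functional_id = env["ODM_FUNCTIONAL_ID"]
    password = env["ODM_SERVICE_PASSWORD"]
    parse_functional_id(functional_id)
    return functional_id, password


def build_request(url, functional_id, password, payload):
    """Build a POST request that carries the basic authentication header."""
    # Basic authentication only base64-encodes the credentials,
    # so they must travel over TLS.
    if urlsplit(url).scheme != "https":
        raise ValueError("service credentials must only be sent over https")
    parse_functional_id(functional_id)
    pair = f"{functional_id}:{password}".encode("utf-8")
    token = base64.b64encode(pair).decode("ascii")
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")
```

Keeping the password in the environment or a secret store, rather than in source code, means that replacing a set of service credentials is a configuration change only.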

Tip: For the functional ID, use an alias that associates the service credentials with a decision service or a client application. For example, you can use the alias custval for a decision service that validates customers.

Important points:
  • Service credentials are only used to authenticate calling applications. They cannot be used by a user or Rule Designer to log in to the cloud portal. If you try to log in by using service credentials, you get an error message: "A functional user is not allowed to do this operation."
  • Only cloud portal administrators can create service credentials and assign the cloud administrator role to other users. The administrators give the service credentials to the developers of the client applications.
  • You cannot update an existing set of service credentials. You must replace the set with another set.
  • You cannot use the same alias in more than one set of service credentials. You must delete the first set before you can create another set that uses the same alias.
  • When you delete a set of service credentials, the cloud portal no longer recognizes it. The client application needs a new set to connect to the cloud portal.