
If your web application uses the Geodi Feed API - Feed Method (APP → GEODI) or Geodi Feed API - Integration with Application Services (GEODI → APP), you can implement this service to share authority / role information with GEODI.

Definition

This service is optional, not mandatory. If the permission definitions supplied to the FeedApi are LDAP group/user SID values, there is no need to implement it.
It is only required when the application has submitted its own roles/definitions.

Requests are only made to the addresses defined under GEODI / Settings / RoleProvider. Only a system administrator who can access that location can add the definition. You can find sample contents in this folder.

If you are using custom authorization for the FeedApi, contact the system administrator who provided your GEODI Token about the address of your Role / Authorization service so that it is defined here.

If the service is implemented as a .NET SOAP API that takes the same parameters and returns the same object as output, the [ScriptMethod(ResponseFormat = ResponseFormat.Json)] attribute should be added to the method.

Request

[ServiceURL]?m=GetRoles&user={username}

The {user} and {username} parameters can be used in the ServiceURL.

Even if the {user} and {username} parameters are not used in the URL, the same information is passed in the HTTP headers request-user and request-username.

  • {user} is the unique name of the user logged in to GEODI. It is converted to lowercase using InvariantCulture and also carries the login method as a prefix.
    • Examples
      • ldap:domain\user.name
      • geodi:geodiadmin
      • geodi:guest
      • facebook:id
      • yourapplication:user.id 
        • GEODI can use multiple user authentication mechanisms. A request of this form is only made if your application supports OAuth/OAuth2 and the necessary definitions have been made in GEODI, or if an ILoginProvider implementation is defined on GEODI. For such a request, you may assume that the user has already been authenticated by your application.
    • You can return an empty list or empty content for users you do not recognize.
  • {username} contains only the user name; for LDAP users it carries no domain information.
  • You can increase security by adding any additional parameters you want to the ServiceURL definition and by requiring additional headers via the definition settings file on GEODI.
HTTP Method: GET
Expected Errors

401 Unauthorized access / Access denied

403 Forbidden

511 Network Authentication Required

Example GEODI settings file
{
	DisplayName:"Sample Role Provider",
	__type: "Factory.ActionFactory:ServerBasedRoleProvider",
	ServiceURL: "http(s)://myhost/GetRoleService.ashx?user={user}&username={username}",
	GEODIRequestHeader:"GEODI_Request",
	ActionTargets: "*"
}
Expected Result
 {
	Roles: []
 }
  • Roles (string array): Contains the roles/detail privileges of the transmitted user. A user is authorized for all documents whose Permit definitions contain any of these roles.


or

 Rol1,Rol2,group:GeodiGroupName/ID,....

or

For GEODI 6.1.0.21248 or above, rules can also be transmitted:

 {
	Roles: [],
	OnlyDenyCheck:[],
	Conditions:[],
	Groups:[]
 }
  • Roles (string array): Contains the roles/detail privileges of the transmitted user. A user is authorized for all documents whose Permit definitions contain any of these roles, and prohibited from all documents whose Deny definitions contain any of these roles. If this is not sufficient, Conditions may be used. If a role in the Roles definition also appears within a Condition rule, the authorization result from the Roles definition overrides it.
  • OnlyDenyCheck (string array): Permit definitions for the transmitted roles are ignored; only the prohibitions in Deny definitions are checked. If a Deny definition matches, the document is not shown to the user.
  • Conditions (string array): Rules can be built with and, or and - (negation). A role list written in parentheses evaluates to true if the document has at least one of the roles in the list. Parentheses must be used even for a single role.
    • Roles in a list are separated by a comma (,); do not insert space characters that are not part of the role name.
    • If a role in the list is passed as Deny for the document, the list is considered false for that document.
    • Multiple rules in the array are combined with 'or'.
    • Examples
      • (Rol1,Rol2) and (Cat1,Cat2) : Can see documents whose Permit value contains Rol1 or Rol2 and at the same time contains Cat1 or Cat2.
      • ((Rol1,Rol2) and (Cat1,Cat2)) or (AllPublic) : Can see documents whose Permit value contains Rol1 or Rol2 and at the same time contains Cat1 or Cat2, or any document containing AllPublic.
      • (Rol1,Rol2) and -(Cat1,Cat2) : Can see documents whose Permit value contains Rol1 or Rol2 and does not contain Cat1 or Cat2.
        • Note: it is recommended to use at least one group without -. GEODI evaluates all roles together; the expression -(Cat1) also covers roles coming from other applications.
  • Groups (string array): Available in GEODI 6.1.0.24366 and above. Indicates that the user belongs to a GEODI group. While the other properties only manage the permission to view documents, this property can manage all permissions defined in GEODI, such as editing, adding notes, and viewing Sources/Enumerators.
Examples
//Request : [ServiceURL]?m=GetRoles&user=ldap:domain\user.name
 {
	Roles: [ 'S-151...','Administrator','Document1']
 }
//Request : [ServiceURL]?m=GetRoles&user=ldap:domain\user.name
S-151...,Administrator,Document1

Rule example for GEODI 6.1.0.21248 and above

//Request : [ServiceURL]?m=GetRoles&user=ldap:domain\user.name
 {
	Roles: [ 'AllPublic'],
	OnlyDenyCheck : [ 'CantSeeIfSecret'],
	Conditions: [ '(Rol1,Rol2) and (Cat1,Cat2) and -(T1)']
 }
//This user
//sees all documents whose Permit value contains AllPublic. Cannot see documents whose Deny contains AllPublic. The Condition definition cannot change this result.
//Cannot see documents whose Deny definition contains CantSeeIfSecret. Neither the Condition nor the Roles definition can change this result.
//Can see documents whose Permit value contains Rol1 or Rol2, at the same time contains one of Cat1 or Cat2, and does not contain the T1 role.
//// Note: it is recommended to use at least one group without -. GEODI evaluates all roles together; the expression -(T1) also covers roles coming from other applications.
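As an added example (not GEODI's own code), the following Python evaluates a GetRoles response against a document's Permit/Deny role sets using the Roles, OnlyDenyCheck and Conditions rules described above, and can be run on the rule example just shown. Assumptions beyond the page: 'and' binds tighter than 'or', a Deny hit in Roles beats a Permit hit in Roles, and '-' is treated as negation only when it directly precedes '(' so that SID-like role names keep their hyphens.

```python
import re
# Added example (not GEODI's code): document visibility from a GetRoles response. Assumed:
# 'and' binds tighter than 'or'; '-' negates only right before '(' so SIDs keep hyphens.
_TOKEN = re.compile(r"\(|\)|,|-(?=\s*\()|\b(?:and|or)\b|[^\s(),]+")

class _Parser:
    def __init__(self, rule, permit, deny):
        self.toks, self.permit, self.deny = _TOKEN.findall(rule), set(permit), set(deny)
    def peek(self):
        return self.toks[0] if self.toks else None
    def chain(self, op, operand):  # left-to-right chain of one binary operator
        val = operand()
        while self.peek() == op:
            self.toks.pop(0)
            rhs = operand()  # always evaluated so the tokens are consumed
            val = (val and rhs) if op == "and" else (val or rhs)
        return val
    def expr(self):
        return self.chain("or", lambda: self.chain("and", self.unary))
    def unary(self):
        if self.peek() == "-":  # negation of the following group
            self.toks.pop(0)
            return not self.unary()
        if not self.toks or self.toks.pop(0) != "(":
            raise ValueError("every role list must be parenthesised")
        if self.peek() in ("(", "-"):  # nested expression such as ((A) and (B))
            val = self.expr()
        else:  # plain role list: false on any Deny hit, otherwise true on any Permit hit
            end = self.toks.index(")") if ")" in self.toks else len(self.toks)
            names = set(self.toks[:end]) - {","}
            del self.toks[:end]
            val = not (names & self.deny) and bool(names & self.permit)
        if not self.toks or self.toks.pop(0) != ")":
            raise ValueError("unbalanced parentheses in rule")
        return val

def evaluate(rule, permit, deny):
    # Evaluate one Conditions entry against a document's Permit/Deny role sets.
    p = _Parser(rule, permit, deny)
    result = p.expr()
    if p.toks:  # leftover tokens mean the rule was malformed; never half-apply it
        raise ValueError("malformed rule, leftover %r" % p.toks[0])
    return result

def can_view(response, permit, deny):
    # Deny hits (Roles or OnlyDenyCheck) are final; a Roles permit overrides Conditions;
    # Conditions entries are combined with 'or'.
    permit, deny, roles = set(permit), set(deny), set(response.get("Roles", []))
    if deny & (roles | set(response.get("OnlyDenyCheck", []))):
        return False
    if permit & roles:
        return True
    return any(evaluate(r, permit, deny) for r in response.get("Conditions", []))
```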

Example Application