/
Sharing user authorizations ( GEODI → APP)

Sharing user authorizations ( GEODI → APP)

Jan 03, 2020



If your web application is using Geodi Feed API - Feed Method (APP → GEODI ) or Geodi Feed API - Integration with Application Services ( GEODI → APP) then you can perform this service to share authority / role information.



Definition

It is an optional service, not mandatory. If permission definitions provided for FeedApi are LDAP group/user Sid values, it is not required to implement them.
It is only required if the application has submitted its own roles/definitions.

Requests are only made for the addresses defined under GEODI / Settings / RoleProvider. Only a system administrator who can access this address can add this definition. You can find sample contents in this folder.

If you are using a custom authorization for FeedApi, ask the system administrator who provided you with the GEODI Token the address of your Role / Authorization service and identify it here.

If a .net soap api that takes same parameters and returns same object as an output is implemented, then [ScriptMethod(ResponseFormat = ResponseFormat.Json)] attribute should be added to the method.

Request

[ServiceURL]?m=GetRoles&user={username}

{user} or {username} parameters can be used in ServiceURL.

Even if the {user}, {username} parameters are not used, the request-user and request-username information is passed in the HTTP Header content.

  • {user} is the unique name of the user logged in to GEODI. It gets translated to lowercase via  InvariantCulture. It also contains information about the way the user logs in.

    • Examples

      • ldap:domain\user.name

      • geodi:geodiadmin

      • geodi:guest

      • facebook:id

      • yourapplication:user.id 

        • GEODI can use multiple user authentication mechanisms. Such a request can only be made if your application supports Oauth, Oauth2, and the necessary definitions are made in GEODI, or if there is an ILoginProvider implementation defined on GEODI. In the event of such a request, you may assume that the verification is done by your application.

    • You can return empty list or empty content for users you do not recognize.

  • {username} only returns a username and it does not return any domain information for LDAP users.

  • You can increase security by adding any additional parameters you want to the ServiceURL definition and request additional Headers using the definition setting file on GEODI.

HttpMethod

GET

Expected Errors

401 Unauthorized access / Access denied

403 Forbidden

511 Network Authentication Required

Example GEODI settings file

{ DisplayName:"Sample Role Provider", __type: "Factory.ActionFactory:ServerBasedRoleProvider", ServiceURL: "http(s)://myhost/GetRoleService.ashx?user={user}&username={username}", GEODIRequestHeader:"GEODI_Request", ActionTargets: "*" }

Expected Result

 { Roles: [] }

  • Roles (string array) : Contains roles/detail privleges of the transmitted user. A user is authorized for all documents in the Permit definitions in any of these roles.


or

 Rol1,Rol2,group:GeodiGroupName/ID,....

or

rules can also be transmitted for GEODI 6.1.0.21248 or above.

 { Roles: [], OnlyDenyCheck:[], Conditions:[], Groups:[] }

  • Roles (string array) : Contains roles/detail privleges of the transmitted user. A user is authorized for all documents in the Permit definitions in any of these roles. A user is prohibited from all documents in the Deny definitions in any of these roles. If this usage is not sufficient Conditions may be used. If the Roles definition contains statements within the rule, the authorization rule from the Roles definition will override.

  • OnlyDenyCheck (string array): Permit definitions for transmitted roles are ignored, only prohibitions that are included in Deny definitions are checked. If the Deny definition is found, the document is not shown to the user.

  • Conditions (string array) Rules can be created using And, Or and -. Used if Role lists that will be defined in paranthesis has at least one of these. Parentheses should be used, even if it is a single role.

    • The delimiter should be used as a comma (,) in the list, space character that is not included in the role definition should not be used.

    • If a role in the list is passed as Deny for the document, the list is considered false for that document.

    •  Passing multiple rules in the Array is done by combining them with with 'or' .

    • Examples

      • (Rol1,Rol2) and (Cat1,Cat2)  : It can see documents that contain Rol1 or Rol2 and also Cat1 or Cat2 at the permit value.

      • ((Rol1,Rol2) and (Cat1,Cat2)) or (AllPublic)  : It can see documents that contain Rol1 or Rol2 and Cat1 or Cat2 at the Permit value, and all documents that contain AllPublic.

      • (Rol1,Rol2) and -(Cat1,Cat2)  : It can see documents that contain Rol1 or Rol2 and do not contain Cat1 or Cat2 at the permit value.

        • Caution: it is recommended to use at least 1 unused group. GEODI evaluates all roles together. -(Cat1) in this case, includes roles from another application

  • Groups (string array) : Can be used if the GEODI version is 6.1.0.24366 or above. Indicates that the user is part of a GEODI group. Diğer özellikler sadece doküman görme yetkisini yönetirken Bu özellik ile düzenleme, Not ekleme, Kaynak/Enumerator görme gibi GEODI üzerinde tanımlı tüm yetkiler yönetilebilir. While other features only manage the authorization to view the document, with this feature all other privileges defined on GEODI such as editing, Adding Notes, viewing Source/Enumerator can be managed.

Examples

//Request : [ServiceURL]?m=GetRoles&user=ldap:domain\user.name  { Roles: [ 'S-151...','Administrator','Document1'] }
//Request : [ServiceURL]?m=GetRoles&user=ldap:domain\user.name S-151...,Administrator,Document1

 rule example for GEODI 6.1.0.21248 and above

//Request : [ServiceURL]?m=GetRoles&user=ldap:domain\user.name  { Roles: [ 'AllPublic'], OnlyDenyCheck : [ 'CantSeeIfSecret'] Conditions: [ '(Rol1,Rol2) and (Cat1,Cat2) and -(T1)'], } //This user //sees documents that have AllPublic in thier Permit Value. Can't see documents that have Deny AllPublic in thier Permit Value. A condition definition can not change this result. // Can't see documents that have CantSeeIfSecret in thier Deny definition. A condition definition can not change this result. //This user can view documents that contain Rol1 or Rol2 , but also include Cat1 or Cat2 at the Permit value and do not contain the T1 role. //// Caution: it is recommended to use at least 1 unused group. GEODI evaluates all roles together. -(T1) in this case, includes roles from another application

Example Application