Hello Everyone
I would like to know if it's possible to perform authentication and authorization for CMOD 8.5 external to CMOD application. By external I mean maintaining the users out of the application. I am not asking for LDAP as it only takes care of external authentication. I would like to know if anyone has any idea around this.
Regards
Trambak
Hello Trambak,
Well your question implies that I say YES and NO.
By NO, I mean the following:
You must have users defined in CMOD. You cannot do anything without users defined in CMOD.
By YES, I mean the following:
You can do the authentication via LDAP or via User Exits (if needed).
You might not define rights/permissions in CMOD, and put everything (well nearly everything) with User Exits, but then you will hit a MAJOR performance hit. Especially with lots of users, and documents, if you do a nearly 100% via user exits.
It's possible, we did that for some customers, but that was for small things, very limited needs.
2 practical examples:
One of the things that my customers do a lot. They use/develop a tool, like a central rights tool, where they define the role of each user/group of users, and then they dispatch the rights to each application. And for CMOD, they use ARSXML to define all the rights of users according to the rules defined in the central tool.
That works ok, but for example, (at least until Version 8.4.X) for nearly 5'000 users, it takes many hours, and the bottleneck is giving the correct group to the correct user... that takes AGES!!! In less than 2 hours I can define all users with all the query restrictions, etc... but for the assignment of groups... it takes 5-7 hours, and the more complicated, the more hours it takes.
I haven't tried with 8.5, but they have improved arsxml, so it might help there.
The other example is to define the rights in CMOD, once and for all (well... once you define it, you won't need to change it every day!), and all the "variable parameters" are stored in a table in the CMOD database. And each time you have a query restriction, well you reference this external table, and get the values from it.
Example, you have a field named "protectedfield", and let's say that some users can see documents with the value 0, 10 and 20, but cannot see documents with value 30 and 40.
And that can change each day for several users...
The combinations of 0, 10, 20, 30, 40 are too big to play with groups (a group for each combination... and if you add new numbers... then it explodes!)
So Query Restrictions are the only way to do it. You decide that each user has a UID (which might not be the same as CMOD) from your central Right Application.
Then the query restriction might be like that:
protectedfield in (select doccode from mytable where uid='ALESSANDRO') and ....
And your table might be something like that:
doccode INTEGER NOT NULL,
UID VARCHAR(40) NOT NULL,
...
So, in summary, to have everything handled outside CMOD, Not possible at 100%, but you can find ways to do some things outside CMOD, and still reach part of your need.
I hope I've answered your question, or at least given you some hints to find a solution to your question.
Cheers,
Alessandro
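The external-table query restriction described in the post above, as an added example that is not part of the original thread: SQLite stands in for the CMOD database, and the `documents` table, the helper names and the sample rows are assumptions constructed for illustration. It shows that a UID with no rows in `mytable` sees nothing, and that a rights change is a row update rather than a group reassignment.

```python
import sqlite3

# The restriction from the post, with the UID bound as a parameter for this demo.
RESTRICTION = "protectedfield IN (SELECT doccode FROM mytable WHERE uid = ?)"

def build_demo_db():
    """In-memory SQLite database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        -- Entitlement table from the post; the key is an assumption that
        -- prevents duplicate grants and indexes the lookup by uid.
        CREATE TABLE mytable (
            doccode INTEGER NOT NULL,
            uid     VARCHAR(40) NOT NULL,
            PRIMARY KEY (uid, doccode)
        );
        -- Hypothetical stand-in for the index data the restriction filters.
        CREATE TABLE documents (
            doc_id         INTEGER PRIMARY KEY,
            protectedfield INTEGER NOT NULL
        );
        INSERT INTO documents VALUES (1, 0), (2, 10), (3, 20), (4, 30), (5, 40);
        INSERT INTO mytable VALUES
            (0, 'ALESSANDRO'), (10, 'ALESSANDRO'), (20, 'ALESSANDRO');
    """)
    return db

def visible_docs(db, uid):
    """Return the doc_ids the restriction lets this UID see."""
    sql = "SELECT doc_id FROM documents WHERE " + RESTRICTION + " ORDER BY doc_id"
    return [row[0] for row in db.execute(sql, (uid,))]

def sync_rights(db, uid, doccodes):
    """Replace one UID's grants in a single transaction, as a central
    rights tool would, so no half-updated state is ever visible."""
    with db:  # commits on success, rolls back on error
        db.execute("DELETE FROM mytable WHERE uid = ?", (uid,))
        db.executemany("INSERT INTO mytable (doccode, uid) VALUES (?, ?)",
                       [(code, uid) for code in doccodes])

if __name__ == "__main__":
    db = build_demo_db()
    print(visible_docs(db, "ALESSANDRO"))   # grants 0, 10, 20
    print(visible_docs(db, "NOT_SYNCED"))   # no rows in mytable: sees nothing
    sync_rights(db, "ALESSANDRO", [0, 30])
    print(visible_docs(db, "ALESSANDRO"))   # grants changed without touching groups
```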
Thanks a lot for your inputs. I will get back as I get more questions on this.