VLFONE User Authority Help

This Q&A forum allows users to post and respond to "How Do I Do ....." questions. Please do not use to report (suspected) errors - you must use your regional help desk for this. The information contained in this forum has not been validated by LANSA and, as such, LANSA cannot guarantee the accuracy of the information.
zigzigzig
Posts: 10
Joined: Tue May 30, 2017 11:31 pm

VLFONE User Authority Help

Post by zigzigzig »

Hello All,

I'm currently porting an existing application into VLFOne. I have a file of existing users that includes admin authority as well as password encryption. I would like to continue to use this file and incorporate it into the framework, but it appears that the 'Framework Users and Authority' is a closed loop. By that I mean that the reusable parts that make up the built-in framework authority are just that, built-in (they're VF_* objects and thus cannot be viewed/manipulated).

At the moment, I have successfully created a custom U_OLOGON IIP and included logic to check the file to authenticate users. However, this authentication is, again, entirely removed from the authority the framework uses, meaning a successful return from the logon IIP is not enough to log in to the framework. To negate this, I must employ the 'chicken and egg' special user scenario to log in and manually add each user and define their access rights/group, except that adding a user does not seem to allow for specifying a password, so to create a new user you would have to... not use the framework? In addition, I have to re-specify access (admin) rights?

My hope is that there is a programmatic (read: low-code) way for me to utilize the functionality (authentication, permissions, encryption) and data of the existing application within the framework. Has anyone explored this and found success porting existing applications into the framework without throwing most of it away / manually importing everything?

Thanks,
- z
jyoung
Posts: 694
Joined: Thu Jan 21, 2016 6:43 am
Location: Oklahoma City, OK USA

Re: VLFONE User Authority Help

Post by jyoung »

Don't know if this will help much, but this is how we deal with it.

This may be similar to your situation where you have an external authentication mechanism that you need to hook into but still use the authorization aspect of the VLF.

We are on an IBM i series and we use the server's "authentication".
Authorization however (access to different objects in the Framework) is handled by the VLF and is done by "mapping" iSeries group profiles to profiles defined in the VLF.

For example, I've created a CREDIT_USR in the VLF that has the appropriate authorities (authorization).

So for us, a user logs in with their iSeries username and password. Then upon successful authentication, we get their iSeries group profile say "CRGROUP". The LOGON IIP then maps CRGROUP to CREDIT_USR using a #PRIM_KCOL<#STD_STRNG #STD_STRNG> in the "CheckUserCredentials" method and sets the #UserProfileToCheck parameter.

Code:

* Get the group profile if running on the IBM i
if (*OSAPI = IBMI)

    #IBMGroupProfile := #COM_OWNER.GetIBMGroupProfile( #UserProfiletoCheck )

    * Security officers and programmers become the administrative surrogate user
    if ((#IBMGroupProfile = QSECOFR) *Or (#IBMGroupProfile = QPGMR))
        #SYS_APPLN.TraceMessageText( ("Group Profile Is &1, Setting user to ADMIN_USR").Substitute( #IBMGroupProfile ) )
        #UserProfiletoCheck := ADMIN_USR
    else

        * What happens if a user is not in a GROUP? Default them to read-only
        if (#IBMGroupProfile = *BLANKS)
            #SYS_APPLN.TraceMessageText( "Group Profile Is Empty, setting user to READONLY_USR" )
            #UserProfiletoCheck := READONLY_USR
        endif

        * Map the group profile to a framework profile (#ProfileMap is a #PRIM_KCOL<#STD_STRNG #STD_STRNG>)
        if (#ProfileMap<#IBMGroupProfile> <> *BLANKS)
            #SYS_APPLN.TraceMessageData( "Mapping Group Profile:&1 To VLF Profile: &2" #IBMGroupProfile #ProfileMap<#IBMGroupProfile> )
            #UserProfiletoCheck := #ProfileMap<#IBMGroupProfile>
        else
            * No mapping found: default to the "readonly" profile rather than anything privileged
            #SYS_APPLN.TraceMessageData( "VLF Profile for Group Profile: &1 not found" #IBMGroupProfile )
            #SYS_APPLN.TraceMessageData( "Using ReadOnly Profile" )
            #UserProfiletoCheck := READONLY_USR
        endif

    endif

endif

Regarding the "chicken or the egg" problem, you need to give yourself a way out. We do this by having an ADMIN_USR that is an "Administrative User" if the user is a QSECOFR or QPGMR (groups defined on the iSeries). You can also disable framework security by setting #UseFrameworkAuthority = False if your user is an admin user.

Edit:
One of the things I struggled with while trying to work this out was thinking that my users were now in two places: the iSeries and the VLF. This is not the case. Our VLF users are "virtual" or "surrogate" users. It's the same concept as the group, but with users. In our environment about 10 different iSeries users are the one CREDIT_USR.

Here are a couple discussions I've had on the issue that may help.

viewtopic.php?f=3&t=1314
viewtopic.php?f=3&t=1221

Hope this helps,
Joe
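As an added illustration of the flow Joe describes (the host authenticates the user first, then the logon hook maps the host's group profile to a surrogate framework profile, with an administrative escape hatch and a read-only default for users with a blank or unmapped group), here is a stand-alone Python model. It is not VLF or RDMLX code and is not from the post above: the user store, the PBKDF2 password records, the group names SALESGRP and GUEST, and the three-value result that stands in for the framework's #UserProfileToCheck and #UseFrameworkAuthority parameters are all constructed assumptions. The one thing it adds beyond the post is that a failed authentication returns no profile at all, so the read-only default can only ever be reached by a user who has already authenticated.

```python
"""Model of the logon flow: external authentication, then group-to-profile mapping.

Constructed example (not VLF/RDMLX code). The in-memory user store stands in for
the host (IBM i) authentication; map_group_to_profile reproduces the precedence
from the post: admin groups -> ADMIN_USR, blank group -> READONLY_USR,
mapped group -> mapped profile, unmapped group -> READONLY_USR (deny by default).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ADMIN_GROUPS = {"QSECOFR", "QPGMR"}       # host groups that become the admin surrogate
ADMIN_PROFILE = "ADMIN_USR"
READONLY_PROFILE = "READONLY_USR"         # fallback for blank or unmapped groups
PROFILE_MAP = {"CRGROUP": "CREDIT_USR"}   # host group -> framework profile (assumed map)

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storing a password, using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    """Recompute the digest and compare in constant time against the stored one."""
    salt, expected = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


# Constructed user store: user -> password record and host group profile.
# An empty group models a host user that belongs to no group at all.
USERS = {
    "ALICE": {"pw": hash_password("correct horse"), "group": "CRGROUP"},
    "SYSOP": {"pw": hash_password("battery staple"), "group": "QSECOFR"},
    "GUEST": {"pw": hash_password("visitor"), "group": ""},
    "DAVE": {"pw": hash_password("olive tree"), "group": "SALESGRP"},  # no mapping
}
# Dummy record so that an unknown user costs the same as a wrong password
# (avoids a timing side channel that would reveal which user names exist).
_DUMMY_PW = hash_password(os.urandom(8).hex())


def map_group_to_profile(group: str, profile_map: Dict[str, str] = PROFILE_MAP) -> str:
    """Map a host group profile to the framework profile whose authority is checked."""
    group = group.strip().upper()
    if group in ADMIN_GROUPS:
        return ADMIN_PROFILE
    if not group:
        return READONLY_PROFILE
    # An unmapped group must never fall through to a privileged profile.
    return profile_map.get(group, READONLY_PROFILE)


def logon(user: str, password: str, users=USERS) -> Tuple[bool, Optional[str], bool]:
    """Return (authenticated, profile_to_check, use_framework_authority).

    Failed authentication yields no profile, so the read-only default is only
    ever assigned to a user the host has actually authenticated.
    """
    record = users.get(user.strip().upper())
    stored = record["pw"] if record else _DUMMY_PW
    if not verify_password(password, stored) or record is None:
        return False, None, True
    profile = map_group_to_profile(record["group"])
    # The post's escape hatch: the admin surrogate bypasses framework authority.
    return True, profile, profile != ADMIN_PROFILE


if __name__ == "__main__":
    for u, p in [("alice", "correct horse"), ("sysop", "battery staple"),
                 ("guest", "visitor"), ("dave", "olive tree"), ("alice", "nope")]:
        print(u, logon(u, p))
```

The two decisions worth carrying over to a real logon IIP are that the mapping is deny-by-default (anything not explicitly mapped lands on the read-only surrogate) and that the admin bypass is tied to the mapped profile rather than to anything the caller supplies.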
zigzigzig

Re: VLFONE User Authority Help

Post by zigzigzig »

Hey Joe,

Brilliant! I've been going through almost the exact same process you went through (previous threads), and I think what you included in your edit sums it up best: VLFOne users aren't 'real'. Just create the groups, and include the logic on a green-lit logon attempt to send the appropriate group.
The day is salvaged. Thanks for the help!!!!

-z