Any asset defined in the ACDB can have a list of roles that have role-based proxy authentication information that allows access to the asset. All users who are granted a role can access the proxy authentication information created for that role.
For example, if user “Bob” wants to access “AssetX,” he must have either user-based proxy authentication information for AssetX, or he must be granted a role that has the appropriate role-based proxy authentication information to access AssetX.
When multiple roles have proxy authentication information defined for the same asset, the roles must be assigned a priority order. A user who holds more than one such role then uses the role-based proxy authentication information of the highest-priority role. For example, Bob has two roles, Manager and Engineer, both of which have proxy authentication information for a back-end service. If only the Engineer role-based proxy authentication information should be used to authenticate to the service, the Engineer role must have a higher priority than the Manager role. The AssetManagement SMAPI interface provides the setRoleProxyAuthInfoPriorities method, which enables you to set the priority of the roles that have proxy authentication information defined.
If multiple roles have proxy authentication information defined for an asset, the following rules apply:
If all the roles are granted explicitly to a user (user roles or group roles), then the proxy authentication information for the role with the highest priority is returned.
If a parent role is not granted explicitly to the user, the child role’s proxy authentication information always overrides the parent role’s proxy authentication information.
For example, assume three roles, role1, role2, and role3, where role3 inherits from role2. Proxy authentication information is defined for all three roles. The roles, in order of priority from highest to lowest, are role1, role2, and role3.
If role1, role2, and role3 are granted to the user, proxy authentication information for role1 is returned because role1 has the highest priority.
If role2 and role3 are granted to the user, proxy authentication information for role2 is returned. Although role3 is the child of role2, role2 is granted explicitly and has the higher priority.
If only role3 is granted to the user, proxy authentication information for role3 is returned. role3’s parent, role2, is not granted explicitly to the user, so the child role overrides the parent role.
If role3 does not have any proxy authentication information defined, proxy authentication information for role2 is returned. A child role without proxy authentication information defined inherits the parent’s proxy authentication information.
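The resolution rules above, expressed as an added worked example (not the product's SMAPI code). It models the role1/role2/role3 scenario with constructed data and assumes a simple child-to-parent inheritance map and a priority list ordered highest first.

```python
from typing import Dict, List, Optional, Set

# Constructed sample data for the role1/role2/role3 example in the text.
# PRIORITY lists roles from highest to lowest priority.
# PARENT maps a child role to the parent role it inherits from.
PRIORITY: List[str] = ["role1", "role2", "role3"]
PARENT: Dict[str, str] = {"role3": "role2"}


def effective_proxy_role(explicit_roles: Set[str],
                         roles_with_proxy_info: Set[str],
                         priority: List[str] = PRIORITY,
                         parent: Dict[str, str] = PARENT) -> Optional[str]:
    """Return the role whose role-based proxy authentication information is
    used for an asset, or None if no granted role (or ancestor) defines any.

    Rules implemented, as stated in the text:
      - a child role without proxy info inherits its parent's info;
      - a parent that is not granted explicitly is overridden by its child,
        so a parent reached only through a child that has its own info is
        never a candidate;
      - among the remaining candidates, the highest-priority role wins.
    """
    candidates: Set[str] = set()
    for role in explicit_roles:
        # Walk up the inheritance chain until a role with proxy info is found.
        # 'seen' guards against a malformed (cyclic) parent map.
        current: Optional[str] = role
        seen: Set[str] = set()
        while current is not None and current not in roles_with_proxy_info:
            seen.add(current)
            current = parent.get(current)
            if current in seen:
                current = None
        if current is not None:
            candidates.add(current)
    # Resolve by priority: the first entry in 'priority' that is a candidate.
    for role in priority:
        if role in candidates:
            return role
    return None
```

A None result means no role-based information applies, so the user would need user-based proxy authentication information for the asset.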
Only the PSO can create, update, and delete role-based proxy authentication information.