fSeries security works by executing a designated DSD which establishes whether the user’s credentials are valid and also gathers other information about the user such as their roles and permissions.
The configuration of fSeries security is set in the Web.Config file in the fSeries web root. See below for details of how to manage this.
The ids of the DSD and its data groups is not preset (they are configured in Web.Config) and so the following names are examples only.
Similarly the ids of user entries may be configured in Web.Config but certain defaults are available that need not be configured:
Network Identity: fLogin, Login or ADLogin
User Id: fUserId or UserId
Password: fPassword or Password
fSeries Role: fRole or Role
We recommend the first in each list in order to avoid clashes with valid request parameters.
DSD Contents
The authentication process will check and record certain data returned from executing the DSD, as follows:
User
One data group must return one and only one record to indicate that the user’s credentials are valid. Any other outcome will reject the user’s authentication.
The data group should use either the network identity (fLogin) or the credentials (fUserId and fPassword). Typically these will be used to query a database table of users and return all matching users (if there is only one the user is authenticated).
In more complex structures several data groups may be present, each of which checks a different source (e.g. two or more different applications and the optional fSeries Users table), merging the data groups into the User data group to indicate authentication. Note that the User data group need not be a SQL data group.
If fRemote Groups are in use this data group must contain a field called “Group” to specify the group to which the user belongs. If no Group is specified the user will have open access.
User Defined Values (including Data Access Roles)
This data group is used to record any information about the user that may of use elsewhere in fSeries. All fields in the record (only the first record is used) is recorded as a user defined value. A special field called “AccessRoles” specifies the user’s data access roles used in Data Access Control.
Often the same data group designated as the User data group is used for user defined values but take care not to use it if it contains values you do not need to record as user defined values (e.g. fSeries user roles).
fSeries User Roles
fSeries user roles are established in the Roles data group. Each field whose name exactly matches one of the available fSeries roles (see fAdmin Users) is checked and if it has a value of “true” the user is considered to have that role, which is recorded for the duration of their session.
Sometimes the same data group designated as the User data group may be used for user roles.
Permissions
fSeries includes a security option that lets you record allow/deny permission sets for the user. These can then be checked in fSeries to see if the user is allowed access or denied access. For example a menu option may be designated as being in permission sets “Adoption” and “Fostering”. Anybody with either set is allowed the option but anybody denied either is not allowed the option. This is achieved using the CheckAccess fSeries function.
Allow and Deny permission set lists are recorded at login. For each, a designated data group and field are used. The system records a comma separated list by looking at the designated field in each record in the designated data group.
For example, if the “Allow” data group is “Permissions” and it has a field called “Allow” the login process will step through every record in Permissions adding the value of Allow to a list of the user’s allowed permission sets (e.g. “Adoption,Children,Fostering”).
Web.Config Configuration
The Security DSD, data group and fSeries roles must be explicitly configured in the Web.Config file located in the fSeries web root. In the appSettings element add the SecurityDSD setting:
<add key=”SecurityDSD” value=”fSecurity”/>
<add key=”SecurityDataGroup” value=”User”/>
<add key=”UserRoles” value=”Roles”/>
All other settings are optional.
<add key=”UserDefinedValues” value=”User”/>
<add key=”AllowAccess” value=”Permissions.Allow”/>
<add key=”DenyAccess” value=”Permissions.Deny”/>
The above example uses a security DSD with an id of fSecurity. The user authentication uses the User data group. User defined values (including data access roles) are also from the User data group. fSeries user roles are held in the Roles data group. Allow and Deny permission sets are in the Permissions data group, from the Allow and Deny fields respectively.
The DSD’s user entries may be specified in the configuration. Generally this is not required as your security DSD will have standard, default user entries (e.g. fLogin, fUserId, fPassword). However, sometimes it is necessary to specify something different. For example if your setup requires that you accept UID and PWD parameters from a calling system. You can specify alternative user entry names for each as follows:
<add key=”SecurityLogin” value=”NetworkName”/>
<add key=”SecurityUserId” value=”UID”/>
<add key=”SecurityPassword” value=”PWD”/>
<add key=”SecurityRole” value=”UserType”/>
Security Groups
fSeries has an option to authenticate using multiple methods. For example if you need to authenticate different users based on which application they are logging in from you can designate Security Groups in order to instruct fSeries to behave differently in each case.
The security group is specified by a parameter in the link into fSeries called fDSG or by passing a parameter when calling the fSeries web service.
If no security group is requested the main settings above are used. If a security group is requested all Web.Config settings are taken from the security group settings (none default to the main settings). Security group settings are specified by adding the group id to the setting key separated with an underscore. For example, for the MySG group:
<add key=”SecurityDSD_MySG” value=”fSecurity”/>
<add key=”SecurityDataGroup_MySG ” value=”User”/>
<add key=”UserRoles_MySG ” value=”Roles”/>
<add key=”UserDefinedValues_MySG ” value=”User”/>
<add key=”AllowAccess_MySG ” value=”Permissions.Allow”/>
<add key=”DenyAccess_MySG ” value=”Permissions.Deny”/>
<add key=”SecurityLogin_MySG ” value=”NetworkName”/>
<add key=”SecurityUserId_MySG ” value=”UID”/>
<add key=”SecurityPassword_MySG ” value=”PWD”/>
<add key=”SecurityRole_MySG ” value=”UserType”/>