Administration Guide

Multi-domain support for user accounts

This topic describes how PAS for OpenEdge extends multi-domain support for user accounts.
Simple multi-domain support in PAS for OpenEdge accommodates implementations where the user-id entered by the client is a fully qualified OpenEdge ID, meaning that both the user-id and the domain (or tenant) name are included. This type of user authentication requires the back-end user account storage to support multiple user domains.
An OpenEdge domain is a group of user accounts that all share the same access control rights. Tenancy is a security feature that applies data access control to all user accounts of all the domains associated with a single tenant. A tenant is required to have one domain whose user accounts are all members of the tenant, and any tenant may be associated with multiple domains.
In addition, PAS for OpenEdge includes multi-domain support for implementations where the back-end system's user account storage does not specify domains or tenancy. The primary example of this is an LDAP authentication provider. The user account storage on an LDAP server is a flat space holding all user accounts for all domains, and each account has a unique ID. In this case, the domain name is not something the client supplies during authentication; it must instead be related to the user account by configuring the OEClientPrincipalFilter bean in the OEClientPrincipalFilter bean section of the oeablSecurity.properties file, which can derive a domain name from a user account's granted roles.
This method of using Spring Security roles as OpenEdge domains follows the logic that a user account becomes a member of an OpenEdge domain by being granted membership in that domain. This is the same reasoning LDAP directories use when an administrator associates individual user accounts with an LDAP group to control access.
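The following is an added illustration of the two resolution paths described above, written for this page rather than taken from PAS for OpenEdge or its OEClientPrincipalFilter configuration. It assumes a fully qualified ID of the form user@domain, a role prefix of ROLE_DOMAIN_ for role-to-domain mapping, and a caller-supplied flag saying whether the back-end store is multi-domain; none of these names are the product's own property names. The security-relevant behaviour it shows is that, with a flat store such as LDAP, the domain must come from the granted roles and a client-supplied domain that disagrees is rejected rather than trusted, and that a user granted two domain roles is treated as an ambiguous mapping rather than silently picking one.

```python
"""Added example: resolving user-id and OpenEdge domain for a login.
Not Progress product code; separator, role prefix and the multi_domain_store
flag are assumptions made for illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

FQ_SEPARATOR = "@"               # assumed form of a fully qualified ID: user@domain
DOMAIN_ROLE_PREFIX = "ROLE_DOMAIN_"  # assumed prefix of roles that denote domain membership
DOMAIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class Principal:
    user_id: str
    domain: str
    source: str  # "client", "roles" or "default": where the domain came from


class DomainResolutionError(ValueError):
    """Raised when no single, trustworthy domain can be determined."""


def split_fully_qualified(login: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' into (user, domain); domain is None when absent."""
    if login.count(FQ_SEPARATOR) > 1:
        raise DomainResolutionError("ambiguous fully qualified id")
    user, sep, domain = login.partition(FQ_SEPARATOR)
    if not user:
        raise DomainResolutionError("empty user-id")
    if sep and not domain:
        raise DomainResolutionError("empty domain in fully qualified id")
    return user, (domain if sep else None)


def domain_from_roles(roles: Iterable[str]) -> Optional[str]:
    """Derive exactly one domain from granted roles; None if no domain role."""
    candidates = {r[len(DOMAIN_ROLE_PREFIX):] for r in roles
                  if r.startswith(DOMAIN_ROLE_PREFIX)}
    candidates.discard("")  # a bare prefix with no name is malformed, not a domain
    if not candidates:
        return None
    if len(candidates) > 1:
        # Fail closed: membership in two domain groups is an ambiguous mapping.
        raise DomainResolutionError(f"multiple domain roles: {sorted(candidates)}")
    return candidates.pop()


def resolve_principal(login: str, roles: Iterable[str], *,
                      multi_domain_store: bool,
                      default_domain: Optional[str] = None) -> Principal:
    """Pick the domain for a login.

    multi_domain_store=True : the store understands domains, so the client
                              must supply a fully qualified ID.
    multi_domain_store=False: flat store (e.g. LDAP); the domain is derived
                              from roles, and a client-supplied domain is only
                              accepted if it matches the role-derived one.
    """
    user, client_domain = split_fully_qualified(login)
    if multi_domain_store:
        if client_domain is None:
            raise DomainResolutionError("fully qualified id required")
        domain, source = client_domain, "client"
    else:
        role_domain = domain_from_roles(roles)
        if role_domain is not None:
            if client_domain is not None and client_domain != role_domain:
                # Do not let the client pick a domain its roles do not grant.
                raise DomainResolutionError("client domain does not match granted roles")
            domain, source = role_domain, "roles"
        elif client_domain is not None:
            raise DomainResolutionError("client domain not backed by any domain role")
        elif default_domain:
            domain, source = default_domain, "default"
        else:
            raise DomainResolutionError("no domain for user")
    if not DOMAIN_NAME_RE.match(domain):
        raise DomainResolutionError("invalid domain name")
    return Principal(user, domain, source)


if __name__ == "__main__":
    # Constructed sample logins and role sets.
    print(resolve_principal("alice@sales", [], multi_domain_store=True))
    print(resolve_principal("bob", ["ROLE_USER", "ROLE_DOMAIN_finance"],
                            multi_domain_store=False))
    print(resolve_principal("carol", ["ROLE_USER"], multi_domain_store=False,
                            default_domain="corp"))
```

The default-domain fallback is deliberately opt-in: if the filter is left with no default and a user has no domain role, the login fails rather than landing the account in an unintended domain.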
For more information on multi-domain support for authentication systems like LDAP see the following topics:
* Resolving user-id and domain names
* Obtaining a domain name from a role name
* Configuring multiple domains
* OpenEdge domains in LDAP configurations