As Federated Case Management provides the capability to create or access a case from multiple PRPC applications, how is Operator Authentication/Authorization managed in that case? Meaning,
e.g. we have two PRPC applications, A and B, and Operator OP1, where OP1 has the Manager role for Application A (can create and process the case) and the user role for Application B (can only process the case but can't create the case).
When Operator OP1 logs in to Application A, where FCM is configured, and tries to access the App B cases, does he have to authenticate/authorize for App B access, or how is it handled?

I agree with the author of this topic. The FCM documentation does not clearly explain how authentication and authorization work. I had to get through all this, including code investigation, and discovered the following points, which were very important for my understanding:
1) You must configure the same OperatorID records for the same users in all systems
2) When a user accesses a remote case, this request goes to the remote system through the PegaMash gateway. The question is how PegaMash authenticates into the remote PRPC. This works as follows:
a. In order for PegaMash to authenticate into the remote PRPC, _there must be Single Sign On (SSO) configured between them_. This is because you cannot send username/password between two PRPC systems.
b. For demo/development you can use the out-of-the-box IAC servlet configured in PRPC OOTB. This is a demo SSO implementation. It only requires the operator ID to be passed with the incoming HTTP request.
c. When you call a remote case in your local system, you implicitly use the PegaMash gadget, which implicitly sends the current operator ID to the PegaMash gateway. The gateway, in turn, sends it to the remote PRPC. If you use the default IAC servlet as the authentication servlet (see host configuration in PRGateway), then IAC will do SSO based on this operator ID and authenticate it.
d. Since you have the same operator ID on the remote system, it has an access group, which defines the authorization of the user in that system.
So, for demo/development, you can use the demo SSO which is done by the IAC servlet. No configuration is needed. For production, you need to implement your own SSO for the remote PRPC.