Question
Last activity: 17 Feb 2017 10:18 EST
In Federated Case Management (FCM), How Operator Authentication and Authorization works
How Operator Authentication and Authorization works in FCM?
**Updated by moderator: Marissa. Removed user added #helpme tag. Apologies for confusion, shouldn't have been an end-user option.**


Pegasystems Inc.
US
Hi Marissa,
Thanks for the note.
Federated Case Management provides the capability to create or access a case from multiple PRPC applications.
In that case, how is Operator Authentication/Authorization managed? Meaning,
e.g. we have two PRPC applications, A and B, and Operator OP1, where OP1 has the Manager role for Application A (can create and process the case) and OP1 has the user role for Application B (can only process the case but can't create the case).
When Operator OP1 logs in to Application A, where FCM is configured, and tries to access the App B cases, does he have to authenticate/authorize for App B access, or how is it handled?
Regards,
Sachin
I agree with the author of this topic. FCM documentation does not clearly explain how authentication and authorization work. I had to get through all this, including code investigation, and discovered the following points, which were very important for my understanding:
1) You must configure the same OperatorID records for the same users in all systems.
2) When a user accesses a remote case, this request goes to the remote system through the PegaMash gateway. The question is about how PegaMash authenticates into the remote PRPC. And this works as follows:
a. In order for PegaMash to authenticate into the remote PRPC, _there must be Single Sign On (SSO) configured between them_. This is because you cannot send username/password between two PRPC.
b. For demo/development you can use the out-of-the-box IAC servlet configured in PRPC OOTB. This is a demo SSO implementation. It only requires the operator ID to be passed with the incoming HTTP request.
c. When you call a remote case in your local system, you implicitly use the PegaMash gadget, which implicitly sends the current operator ID to the PegaMash gateway. The gateway, in turn, sends it to the remote PRPC. If you use the default IAC servlet as the authentication servlet (see host configuration in PRGateway), then IAC will do SSO based on this operator ID and authenticate it.
d. Since you have the same operator ID on the remote system, it has an access group, which defines the authorization of the user in that system.
So, for demo/development, you can use the demo SSO which is done by the IAC servlet. No configuration is needed. For production, you need to implement your own SSO for the remote PRPC.
Hope this will help.
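Added example, not part of the post above and not Pega code: a sketch of why the demo SSO in point (b) is unsuitable for production and what a production SSO between the gateway and the remote system has to check before the operator ID is mapped to its access group as in point (d). The shared key, the token format, the operator table and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumptions (hypothetical, not Pega APIs): a key shared by the gateway and the
# remote system, and a remote operator table mapping operator ID -> access group.
SHARED_KEY = b"constructed-demo-key"          # constructed value
REMOTE_OPERATORS = {"OP1": "AppB:User"}      # constructed sample data
MAX_AGE_SECONDS = 60

def demo_sso(operator_id):
    """Demo-style trust: any request naming an existing operator ID is accepted."""
    return REMOTE_OPERATORS.get(operator_id)

def issue_assertion(operator_id, now=None):
    """Gateway side: sign the operator ID together with its issue time."""
    iat = int(time.time() if now is None else now)
    body = json.dumps({"op": operator_id, "iat": iat}).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    tag = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag

def verify_assertion(token, now=None):
    """Remote side: return the operator's access group, or None if rejected."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                       # not issued by the gateway, or altered
        claims = json.loads(base64.urlsafe_b64decode(payload))
        age = (time.time() if now is None else now) - claims["iat"]
        if not 0 <= age <= MAX_AGE_SECONDS:
            return None                       # stale or future-dated assertion
        # Authorization stays local: the remote system's own record decides.
        return REMOTE_OPERATORS.get(claims["op"])
    except (ValueError, KeyError, TypeError):
        return None                           # malformed token

if __name__ == "__main__":
    token = issue_assertion("OP1")
    print("demo SSO, bare ID     :", demo_sso("OP1"))
    print("signed assertion      :", verify_assertion(token))
    print("bare ID sent as token :", verify_assertion("OP1"))
```

An HMAC with a shared key stands in here for whatever SSO mechanism is actually deployed; the point is that the remote system verifies who issued the operator ID and how recently, then applies its own access group.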


Pegasystems Inc.
IN
Hi Sachin,
For FCM to work, the same operator has to be present in both the systems.
For your example: OP1 (Manager) has to be present in App B so that he can access the remote cases in App B.
-
Ravi K Chavali
Hi Sachin Mohite,
Did you find the answer to your question outside of the Product Support Community?
I did a search on the PDN and was able to locate some information that might prove helpful for you:
Understanding Federated Case Management
Setting and Configuring Federated Case Management
If you still don't have your answer, could you please clarify for us a bit more as to what you're looking for? Thanks in advance!