Posted: 26 Jan 2016 19:57 EST Last activity: 13 Apr 2017 12:22 EDT
I am trying to implement LDAP authentication without a model user; for that I am customizing the "AuthenticationLDAPVerifyCredentials" OOTB activity. My requirement: from the LDAP server we will get different roles, and based on those we need to map different access groups, so an Operator would be created based on those access groups and the LDAP info. We are planning to maintain the LDAP roles and access groups in a data table in Pega, so based on the LDAP role we get from the LDAP server we will fetch the access group using Obj-Open and assign it to pyAccessGroup. Based on that the user will get the access group and can access the application using the LDAP URL. But we are getting an issue while opening the data table instance: "You are not authorized to open instance". This issue comes because, while customizing the above-mentioned OOTB activity, we placed it in the "Unauthenticated" ruleset, since while the user logs in the application ruleset stack is not yet framed. So we are trying to open the record from the data table before the operator is created (I have even tried creating the data table in the "Unauthenticated" ruleset, but that also did not work). If I use a decision table I do not face the issue, but the business asked us to use a data table. Is there any solution to use a data table?
***Updated by moderator: Lochan to add Categories***
Why you are getting "You are not authorized to open instance" and how to solve it.
When the login activity is running, it runs in an unauthenticated requestor using the default access group for unauthenticated users. This is the access group defined in your Data-Admin-Requestor.<SystemName>.Browser instance, where <SystemName> is your current system name. You can check the landing page under System -> General -> Systems, Nodes and Requestors. This shows your current system name plus the default access group your Browser requestor type for that system name is currently using.
Once you find the access group, you simply need to add a role to that access group that grants permission to open instances of your data table classes. Then you should not have this issue during authentication anymore.
Also note that because the login activity processing runs in an unauthenticated requestor state, you can run into security issues when running activities that require authentication. You are limited in what you can call during login processing, but opening a data table instance should be fine.
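An added model in Python of the authorisation check the answer describes (this is not Pega's API or the OOTB activity): the login-time lookup runs under the Browser requestor type's default access group, and Obj-Open on the role-mapping data table fails until a role with Read access on that one class is added to the group. The system name MySys, the class MyApp-Data-LdapRoleMap, the role MyApp:LoginLookup and the table rows are constructed assumptions.

```python
from copy import deepcopy


class NotAuthorized(Exception):
    """Mirrors the 'You are not authorized to open instance' failure."""


def ancestors(cls):
    # Pega-style class hierarchy: "MyApp-Data-LdapRoleMap" -> "MyApp-Data" -> "MyApp" -> "@baseclass"
    parts = cls.split("-")
    return ["-".join(parts[:i]) for i in range(len(parts), 0, -1)] + ["@baseclass"]


def can_read(cfg, access_group, cls):
    # Any role of the access group granting Read on the class or an ancestor is enough
    for role in cfg["access_groups"].get(access_group, []):
        access = cfg["roles"].get(role, {})
        if any("Read" in access.get(c, set()) for c in ancestors(cls)):
            return True
    return False


def obj_open(cfg, access_group, cls, key):
    if not can_read(cfg, access_group, cls):
        raise NotAuthorized(f"You are not authorized to open instance {cls} {key}")
    return cfg["instances"][cls][key]


def login_access_group(cfg, system="MySys"):
    # Login activities run under the Browser requestor type's default access group
    return cfg["requestors"][f"Data-Admin-Requestor.{system}.Browser"]


def authorized_for_login(cfg, cls, system="MySys"):
    return can_read(cfg, login_access_group(cfg, system), cls)


def login_lookup(cfg, ldap_role, system="MySys"):
    # The Obj-Open the question performs before any Operator exists
    row = obj_open(cfg, login_access_group(cfg, system), "MyApp-Data-LdapRoleMap", ldap_role)
    return row["pyAccessGroup"]


def grant_role(cfg, access_group, role, class_access):
    # The fix from the answer, kept to Read on the one data-table class; returns a copy
    new = deepcopy(cfg)
    new["access_groups"].setdefault(access_group, []).append(role)
    new["roles"][role] = class_access
    return new


BASE = {  # constructed sample configuration
    "requestors": {"Data-Admin-Requestor.MySys.Browser": "PRPC:Unauthenticated"},
    "access_groups": {"PRPC:Unauthenticated": ["PegaRULES:Unauthenticated"]},
    "roles": {"PegaRULES:Unauthenticated": {}},  # no access to the data table
    "instances": {"MyApp-Data-LdapRoleMap": {
        "ldap-helpdesk": {"pyAccessGroup": "MyApp:Helpdesk"},
        "ldap-managers": {"pyAccessGroup": "MyApp:Managers"}}},
}
FIXED = grant_role(BASE, "PRPC:Unauthenticated", "MyApp:LoginLookup",
                   {"MyApp-Data-LdapRoleMap": {"Read"}})
```

Granting only Read on the mapping class keeps the unauthenticated group from reaching any other class, which `can_read` confirms for a work class.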
I have checked System -> General -> Systems, Nodes and Requestors and identified that the access group is PRPC:Unauthenticated, and this access group contains the roles listed below. I am not clear about what I need to do to get the permission. The LDAP roles which we get from the LDAP directory are different roles.