Question
tcs
IN
Last activity: 13 Apr 2017 12:22 EDT
LDAP Authentication
Hi,
I am trying to implement LDAP authentication without model user, for that i am customizing "AuthenticationLdapVerifyCredetials" OOTB activity. my require ment: from LDAP serevr we will get different roles based on that we need to map different access groups so based on that access groups and LDAP info Operator would be create. for ldap roles and access groups we are planning maintain in a data table in pega, so based on Ldap role we will get from ldap server we will fetch access group using obj-open and assigning to pyAccessGroup. So based on that user will get access group and he can access the apllication using Ldap URL. But we are getting issue while opening data table instace "You are not authorized to open instance" issue coming because while customizing above mentioned OOTB activity we placed in "Unauthenticated" rule set becase while user log-in at that time application rule set stack not frame. So we are trying open record from Data table before operator created (even i have tried – created data table in "Unauthenticated" ruleset but that also not worked). If i have use decision table i am not faced issues.but business aked use data table. is there any solution is there to use data table
Thanks
RajaSekhar
***Updated by moderator: Lochan to add Categories***
Accepted Solution
Pegasystems Inc.
US
tcs
IN
we are using pgea 7.1.5 version
Accepted Solution
Pegasystems Inc.
US
Rajasejhar,
I can explain your issue.
Why you are getting "You are not authorized to open instance" and How to Solve this.
When the login activity is running it's running in an unauthenticated requestor using the a default AccessGroup used for unauthenticated users . This is the AccessGroup defined in your Data-Admin-Requestor.<SystemName>.Browser instance where <SystemName> is equal to your current system name. You can check the landing page under System -> General -> Systems, Nodes and Requestors. This will show you your current system name plus what default AccessGroup your browser requestor type for the System Name is currently using.
Once you find the AccessGroup you simply need to add a Role to that AccessGroup that will grant permission to open instances of your data tables classes. Then during the authentication you should not have this issue anymore.
Also note that because the Login activity processing is running in an unauthenticated requestor state. You can run into security issues with running activities that require authentication to run. You are limited to what you can call during the login processing but opening a Data-Table instance should be fine.
Hope this helps.
tcs
IN
Hi Chris,
Thanks for giving reply to my query.
i have checked System -> General -> Systems, Nodes and Requestors and identified there is Accessgroup----PRPC:Unauthenticated and this access group contains roles like below. to get permission what i need to do i am not clear about that. LDAP roles which we get from LDAP directorty that roles are different.
tcs
IN
Hi,
i have added proper role on Roles tab. Your solution working for me.
Thank you so much.
RajaSekhar
Pegasystems Inc.
US
Hi Rajasekhar,
Glad that it's working for you. Can you mark my first response to this thread as correct please. That will close this question down.
--Chris
Pegasystems Inc.
US
Hi Rajasekhar,
The roles in the AccessGroup used here are just the roles used during the login activity processing, they have nothing to do with the roles the users will have after they are authenticated.
You need a role here that will grant you access to open your data table instances during the authentication process.
The PRPC:Unauthenticated Accessgroup is not modifiable, you will get errors if you try to update it. What is your current system name?
Rajasejhar,
I can explain your issue.
Why you are getting "You are not authorized to open instance" and How to Solve this.
When the login activity is running it's running in an unauthenticated requestor using the a default AccessGroup used for unauthenticated users . This is the AccessGroup defined in your Data-Admin-Requestor.<SystemName>.Browser instance where <SystemName> is equal to your current system name. You can check the landing page under System -> General -> Systems, Nodes and Requestors. This will show you your current system name plus what default AccessGroup your browser requestor type for the System Name is currently using.
Once you find the AccessGroup you simply need to add a Role to that AccessGroup that will grant permission to open instances of your data tables classes. Then during the authentication you should not have this issue anymore.
Also note that because the Login activity processing is running in an unauthenticated requestor state. You can run into security issues with running activities that require authentication to run. You are limited to what you can call during the login processing but opening a Data-Table instance should be fine.
Hope this helps.