Valence Login Feature - bypassing IBM i Authentication


  • Valence Login Feature - bypassing IBM i Authentication

    Portal Admin UI supports a feature to define a Valence Login - this means you do not require a valid IBM i profile.

    We have a situation where we wish to allow a specific app to be available to several hundred users who do not have an IBM i Login. This can be achieved by using Valence Logins.

    1. When an IBM i profile is specified, VVCALL will override the user replacing QTMHHTP1.

    2. When a Valence profile is specified, VVCALL will NOT override the user (does not exist). Remains QTMHHTP1.


    When the latter occurs, QTMHHTP1 is the user processing the request and object authority is limited to QTMHHTP1. Adopted authority does not take effect.

    Our object authority is based on program Adopted Authority. This works perfectly when an IBM i profile is defined but ignored when using Valence profiles. In my test case, we were not authorised to write to a table.

    Request. We require the Valence profile to behave as though it is a valid IBM i User. This would allow SQL query over the database to select records that match the (Valence User or Windows Login). Is that possible?

  • #2
    To clarify what's happening: It is actually the Apache Server that overrides the default job user (QTMHHTTP) of each CGI job to a current user of QTMHHTP1 when called from the front-end. The job is subsequently overridden by VVCALL to the IBM i user associated with the Valence profile making the call. More info on that topic can be found here.

    As you've discovered, the QTMHHTP1 profile typically has limited authority, so you wouldn't want to let the CGI job defer to that profile in most cases. Instead you should set up a generic IBM i user profile for your non-IBM i Valence users to handle the back-end authority as needed.

    You should be able to achieve what you're looking to do by going into Portal Admin > Users and adding an IBM i profile -- something different from the user ID -- to each Valence-specific user, like this:

    [Image: generic_user_profile.jpg]

    In this example, when dummy@cnxcorp.com logs into Valence and launches an app, the back-end CGI jobs will run under IBM i user GENERALUSR instead of QTMHHTP1.

    One important setup item to consider: In Portal Admin > Settings, in the "Login Method" section, be sure the "Use IBM i password at login" checkbox in the "Valence Password Rules" subsection is unchecked. Otherwise Valence-specific users that are cross-referenced to an IBM i profile (GENERALUSR in this example) would have to enter the password associated with the IBM i profile instead of the password associated with their Valence user ID (dummy@cnxcorp.com).


    • #3
      Thanks. I had already tried your recommendation and confirmed adopted authority worked as expected.

      I was more curious about why adopted authority failed when no valid IBM i profile existed. It makes sense that Apache disregards adopted authority to protect the IBM i from outside intrusion when the profile is not found.

      Back to the setup where we override the Valence profile to the IBM i profile.
      If you do an SQL to pick up the current user (select current user from sysibm.sysdummy1) it will use the IBM i profile - but in my case I want the Valence profile value.

      WHERE myUSER = Valence Current User

      I have SQL data sources that currently reference Current User but I would like this value to pick up the Valence User (are there any tricks to do this when defining an SQL data source?).

      I have mentioned this previously: Would it be possible in an SQL data source to support Valence System values to be used in the WHERE clause?

      An SQL function to return the Valence Current User would also work. Could this be included in the Valence base product?


      • #4
        Hi Jim,

        In an upcoming update we will add the ability to pull in the Valence user id.

        Below is an example of how it would work:

        Code:
        SELECT
          vvusrid,
          vvactiv,
          vvibmiuser,
          vvdesc,
          vvlname,
          vvfname,
          vvmidinit,
          vvemail
        FROM
          vvusers
        WHERE
          (vvloginid = vvin_char('vvUser'))

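
The point raised in #3 and answered in #4, as an added example that is not part of the thread and not Valence code: once several Valence logins share one IBM i profile, a filter on the job user (what CURRENT USER returns) can no longer tell them apart, while a filter on the Valence login can. It assumes a hypothetical `orders` table and uses Python's sqlite3 as a stand-in for the IBM i database; only GENERALUSR and dummy@cnxcorp.com come from the thread.

```python
import sqlite3

# Constructed mapping of Valence login -> IBM i profile (Portal Admin > Users).
# GENERALUSR and dummy@cnxcorp.com are from the thread; the rest is hypothetical.
VALENCE_USERS = {
    "dummy@cnxcorp.com": "GENERALUSR",
    "other@example.com": "GENERALUSR",
    "JSMITH": "JSMITH",
}

def open_db():
    """Build an in-memory stand-in database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_id INTEGER, owner TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)", [
        (1, "dummy@cnxcorp.com"),
        (2, "other@example.com"),
        (3, "JSMITH"),
        (4, "GENERALUSR"),
    ])
    return db

def _select(db, owner):
    # The owner value is always bound as a parameter, never concatenated.
    cur = db.execute(
        "SELECT order_id FROM orders WHERE owner = ? ORDER BY order_id", (owner,))
    return [row[0] for row in cur]

def rows_by_job_user(db, valence_login):
    """Filter on the profile the back-end job runs under (the CURRENT USER value)."""
    return _select(db, VALENCE_USERS[valence_login])

def rows_by_valence_login(db, valence_login):
    """Filter on the Valence login, which must come from the server-side session."""
    if valence_login not in VALENCE_USERS:
        raise PermissionError("unknown Valence login")
    return _select(db, valence_login)

if __name__ == "__main__":
    db = open_db()
    for login in VALENCE_USERS:
        print(login, rows_by_job_user(db, login), rows_by_valence_login(db, login))
```

Both Valence-only logins get the shared profile's rows under the job-user filter and none of their own, which is also why audit columns populated from the job user would record GENERALUSR for every one of them.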