Proxy users
When a caller makes a Cloud API call, Cloud API checks to see if the caller has sufficient endpoint access and resource access. If they do, Cloud API hands processing over to the appropriate internal ClaimCenter logic.
The internal ClaimCenter logic may trigger code that can only be completed using a user account from the cc_user table. For example:
- The call may create or modify data. When this occurs, ClaimCenter records the name of the CreateUser or UpdateUser.
- The call may trigger a domain-level permission check.
  - For example, the call may attempt to assign an activity to the caller. To do this, ClaimCenter must verify that the caller has sufficient permission to own an activity.
- The call may trigger an authority limit check.
  - For example, the call may attempt to create a payment for $2000. ClaimCenter must check to see if the amount of the payment exceeds the caller's authority limit.
When the caller is an internal user, ClaimCenter uses the internal user account for these types of code.
- The internal user is recorded as the CreateUser or UpdateUser.
- The internal user's user roles are checked for domain-level permissions as needed.
- The internal user's authority limit profiles are checked for authority limit checks as needed.
However, external users and services are not listed in the cc_user table. They cannot be recorded as a CreateUser or UpdateUser. They also have no system permissions or authority limits assigned to them. So, when a call is made by someone who is not an internal user, ClaimCenter assigns a proxy user to the call.
- If the call creates or modifies data, the proxy user is listed as the CreateUser or UpdateUser.
- If the call triggers a domain-level permissions check, the proxy user's user roles are checked.
- If the call triggers an authority profile check, the proxy user's authority profile limits are checked.
Types of proxy users
Fundamentally, there are three types of proxy users:
- The external proxy user is a proxy user assigned to calls made by external users and services with external user context.
- The service proxy user is a proxy user assigned to calls made by standalone services.
- The unauthenticated proxy user is a proxy user assigned to calls made by unauthenticated callers.
Note that for each type of caller listed above, there is only one proxy user. In other words, all external users and services with external user context make use of a single proxy user, the external proxy user. All standalone services make use of a single proxy user, the service proxy user.
Technically, there is a fourth type of proxy user, the default proxy user. This user is used in the unlikely situation that, for some reason, the regular proxy user cannot be assigned to the call.
Proxy users in the base configuration
The base configuration bootstrap data includes the following proxy users. (Bootstrap data is loaded when the product is installed. It is not a part of sample data.)
Proxy user type | Base configuration user | User role | Authority limit profile |
---|---|---|---|
External proxy user | extuser | External User | (none) |
Service proxy user | serviceuser | Service User | Service User |
Unauthenticated proxy user | uauser | Unauthenticated User | (none) |
Default proxy user | defaultuser | Default User | (none) |
To prevent anyone from logging in as one of these users, each of them is created with a password that contains a character that is not valid in Base64 encoding.
You can configure these users as needed. You can also create new users and designate any of them as a proxy user.
Proxy user assignment
Proxy users are assigned by the RestAuthenticationSourceCreatorPlugin plugin. The following table details the conditions that determine which proxy user to assign to a call.
Proxy user type | When this user type is assigned |
---|---|
External proxy user | The call includes the cc_policyNumbers scope or the cc_gwabuid scope |
Service proxy user | The call includes the cc.service scope |
Unauthenticated proxy user | The call has no authentication header |
Default proxy user | The call requires a proxy user and for some reason no other proxy user could be assigned |
The RestAuthenticationSourceCreatorPlugin plugin has four parameters, one for each proxy user type. Each parameter is set to the ID of an internal user. When the plugin must assign a given type of proxy user, the user with the associated user ID is assigned as the proxy user.
The following table lists the parameters, the parameter settings in the base configuration, and the users the settings correspond to.
Parameter | Base configuration value | Corresponding base configuration user |
---|---|---|
externalUserPublicId | default_data:extuser | extuser |
servicePublicId | default_data:serviceuser | serviceuser |
unathenticatedUserPublicId | default_data:uauser | uauser |
defaultPublicId | default_data:defaultuser | defaultuser |
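
The assignment conditions and plugin parameters above, modeled as an added Python example (this is not Guidewire's plugin code). The `internal_user_id` argument, the caller labels, the `demo:adjuster1` ID, and the rule that an external-context scope is checked before `cc.service` (inferred from the description of services with external user context) are assumptions of this sketch.

```python
# Plugin parameters with the base configuration values listed on this page.
PLUGIN_PARAMS = {
    "externalUserPublicId": "default_data:extuser",
    "servicePublicId": "default_data:serviceuser",
    "unathenticatedUserPublicId": "default_data:uauser",
    "defaultPublicId": "default_data:defaultuser",
}
EXTERNAL_SCOPES = {"cc_policyNumbers", "cc_gwabuid"}
SERVICE_SCOPE = "cc.service"


def resolve_proxy_user(headers, scopes, internal_user_id=None, params=PLUGIN_PARAMS):
    """Return (public ID used for CreateUser/role/limit checks, proxy type or None)."""
    # No authentication header at all: unauthenticated proxy user.
    if not any(name.lower() == "authorization" for name in headers):
        return params["unathenticatedUserPublicId"], "unauthenticated"
    scopes = set(scopes)
    # Assumption: a service carrying external user context is treated as
    # external, so the external scopes are tested before cc.service.
    if scopes & EXTERNAL_SCOPES:
        return params["externalUserPublicId"], "external"
    if SERVICE_SCOPE in scopes:
        return params["servicePublicId"], "service"
    # Hypothetical input: the caller already maps to a cc_user account.
    if internal_user_id is not None:
        return internal_user_id, None
    # A proxy user is required and no other one could be assigned.
    return params["defaultPublicId"], "default"


# Constructed sample calls: (caller label, headers, token scopes, internal user ID).
SAMPLE_CALLS = [
    ("policyholder A", {"Authorization": "Bearer <token>"}, ["cc_policyNumbers"], None),
    ("portal service B", {"Authorization": "Bearer <token>"}, ["cc_gwabuid", "cc.service"], None),
    ("batch service", {"authorization": "Bearer <token>"}, ["cc.service"], None),
    ("anonymous", {"Accept": "application/json"}, [], None),
    ("adjuster", {"Authorization": "Basic <credentials>"}, [], "demo:adjuster1"),
]


def create_user_by_caller(calls=SAMPLE_CALLS):
    """Map each caller label to the user ID that would be stamped as CreateUser."""
    return {label: resolve_proxy_user(h, s, u)[0] for label, h, s, u in calls}


if __name__ == "__main__":
    for label, user in create_user_by_caller().items():
        print(f"{label:18} -> CreateUser {user}")
```

Both external callers resolve to `default_data:extuser`, so the CreateUser and UpdateUser fields alone cannot tell them apart.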