Which user is attached to the session?

Every session must have a user attached to it. This user is used in the following ways:

  • If the call creates or modifies data, the user name is recorded as the CreateUser or UpdateUser.
  • If the call creates a history event, the user is attached to the event.
  • If the call assigns an object, the user name is used in "assigned by user" information.

Also, once Cloud API has confirmed there is sufficient authorization to use a given endpoint and view a given resource:

  • If the call also triggers an authority limit check, the user's authority profiles are checked.
  • If the call also triggers a domain-level permissions check, the user's permissions are checked.

Every caller can have their own user account

For some auth flows, every caller can have their own user account. In these situations, session users are assigned on a per-caller basis. These behaviors can also be controlled separately for each caller. The following Cloud API auth flows support this:

  • Internal user
  • Service with internal user context
  • Service with service account mapping

Multiple callers share a single proxy user account

For other auth flows, multiple callers share a single proxy user account. This occurs in situations where individual callers are not listed in the PolicyCenter database, and therefore session users cannot vary from caller to caller. For these situations, a single proxy user is assigned to an entire type of caller (external user or service). The following Cloud API auth flows support this:

  • External user
  • Standalone service
  • Service with external user context

Summary of behaviors

The following table summarizes these behaviors.

| Auth flow | Can each call have its own user attached to the session? |
|---|---|
| Internal User | Yes |
| External User | No (a single "external proxy user" is used for all relevant calls) |
| Standalone service | No (a single "service proxy user" is used for all relevant calls) |
| Service with Internal User Context | Yes |
| Service with External User Context | No (a single "service proxy user" is used for all relevant calls) |
| Service with Service Account Mapping | Yes |

For a summary of all the issues to consider in a single table, see Summary of the issues to consider.