Proxy users

When a caller makes a Cloud API call, Cloud API checks to see if the caller has sufficient endpoint access and resource access. If they do, Cloud API hands processing over to the appropriate internal PolicyCenter logic.

The internal PolicyCenter logic may trigger code that can only be completed using a user account from the pc_user table. For example:

  • The call may create or modify data. When this occurs, PolicyCenter records the name of the CreateUser or UpdateUser.
  • The call may trigger a domain-level permission check.
    • For example, the call may attempt to assign an activity to the caller. To do this, PolicyCenter must verify that the caller has sufficient permission to own an activity.
  • The call may trigger an authority limit check.
    • For example, the call may attempt to create a collision coverage with a deductible less than $1000. PolicyCenter must check to see if the amount of the coverage term is within the caller's authority limit.

When the caller is an internal user, PolicyCenter uses the internal user account for these types of code.

  • The internal user is recorded as the CreateUser or UpdateUser.
  • The internal user's user roles are checked for domain-level permissions as needed.
  • The internal user's authority limit profiles are checked for authority limit checks as needed.

However, external users and services are not listed in the pc_user table. They cannot be recorded as a CreateUser or UpdateUser. They also have no system permissions or authority limits assigned to them. So, when a call is made by someone who is not an internal user, PolicyCenter assigns a proxy user to the call.

  • If the call creates or modifies data, the proxy user is listed as the CreateUser or UpdateUser.
  • If the call triggers a domain-level permissions check, the proxy user's user roles are checked.
  • If the call triggers an authority profile check, the proxy user's authority profile limits are checked.

Types of proxy users

Fundamentally, there are three types of proxy users:

  • The external proxy user is a proxy user assigned to calls made by external users and services with external user context.
  • The service proxy user is a proxy user assigned to calls made by standalone services.
  • The unauthenticated proxy user is a proxy user assigned to calls made by unauthenticated callers.

Note that for each type of caller listed above, there is only one proxy user. In other words, all external users and services with external user context make use of a single proxy user, the external proxy user. All standalone services make use of a single proxy user, the service proxy user.

Technically, there is a fourth type of proxy user, the default proxy user. This user is used in the unlikely situation that, for some reason, the regular proxy user cannot be assigned to the call.

Proxy users in the base configuration

The base configuration bootstrap data includes the following proxy users. (Bootstrap data is loaded when the product is installed. It is not a part of sample data.)

| Proxy user type | Base configuration user | User role | UW authority profile |
|---|---|---|---|
| External proxy user | extuser | External User | External User Profile |
| Service proxy user | serviceuser | Service User | Service User Profile |
| Unauthenticated proxy user | uauser | Unauthenticated User | Unauthenticated User Profile |
| Default proxy user | defaultuser | Default User | (none) |

To prevent anyone from logging in as one of these users, each of these users is created with a password containing a character that is not valid in Base64 encoding.

You can configure these users as needed. You can also create new users and designate any of them as a proxy user.

Proxy user assignment

Proxy users are assigned by the RestAuthenticationSourceCreatorPlugin plugin. The following table details the conditions that determine which proxy user to assign to a call.

| Proxy user type | When this user type is assigned |
|---|---|
| External proxy user | The call includes the pc_accountNumbers scope |
| Service proxy user | The call includes the pc.service scope |
| Unauthenticated proxy user | The call has no authentication header |
| Default proxy user | The call requires a proxy user and for some reason no other proxy user could be assigned |

The RestAuthenticationSourceCreatorPlugin plugin has four parameters, one for each proxy user type. Each parameter is set to the ID of an internal user. When the plugin must assign a given type of proxy user, the user with the associated user ID is assigned as the proxy user.

The following table lists the parameters, the parameter settings in the base configuration, and the users the settings correspond to.

| Parameter | Base configuration value | Corresponding base configuration user |
|---|---|---|
| externalUserPublicId | default_data:extuser | extuser |
| servicePublicId | default_data:serviceuser | serviceuser |
| unathenticatedUserPublicId | default_data:uauser | uauser |
| defaultPublicId | default_data:defaultuser | defaultuser |
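
The following Python example is added here and is not Guidewire code. It models the assignment conditions and plugin parameters from the two tables above, and audits a parameter set for proxy user types that resolve to the same user, which would give different caller types the same roles and authority limits. The function names, the order in which the conditions are tested, and treating an unset parameter as a reason to fall back to the default proxy user are assumptions.

```python
# Added illustration: a model of the assignment tables, not the plugin's code.
# Parameter names and base-configuration values are copied from the page.
BASE_PARAMS = {
    "externalUserPublicId": "default_data:extuser",
    "servicePublicId": "default_data:serviceuser",
    "unathenticatedUserPublicId": "default_data:uauser",
    "defaultPublicId": "default_data:defaultuser",
}


def assign_proxy_user(auth_header, scopes, params=BASE_PARAMS):
    """Return (proxy user type, public ID) for a call not made by an internal user.

    Assumption: conditions are tested in the order of the page's table; the
    page does not say what happens when more than one condition matches.
    """
    if "pc_accountNumbers" in scopes:
        kind, key = "external", "externalUserPublicId"
    elif "pc.service" in scopes:
        kind, key = "service", "servicePublicId"
    elif not auth_header:
        kind, key = "unauthenticated", "unathenticatedUserPublicId"
    else:
        kind, key = "default", "defaultPublicId"
    public_id = params.get(key)
    if not public_id:
        # Assumption: an unset parameter is one way the regular proxy user
        # "cannot be assigned", so the default proxy user takes over.
        kind, public_id = "default", params.get("defaultPublicId")
    return kind, public_id


def audit_params(params):
    """Flag settings that blur the separation between caller types."""
    findings, owners = [], {}
    for key in BASE_PARAMS:
        value = params.get(key)
        if not value:
            findings.append(f"{key} is unset")
        else:
            owners.setdefault(value, []).append(key)
    for public_id, keys in owners.items():
        if len(keys) > 1:
            findings.append(f"{public_id} shared by {', '.join(keys)}")
    return findings
```
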