Proxy user access
A proxy user is an internal user account in the PolicyCenter database that is assigned to certain types of Cloud API calls made by external users or services. If the call records information or executes a permissions check that requires an internal user account, the proxy user account is used. This type of access is referred to as proxy user access.
Proxy user access is defined by the RestAuthenticationSourceCreatorPlugin
plugin and a set of proxy users. This topic describes how to work with proxy users.
Proxy users
When a caller makes a Cloud API call, Cloud API checks to see if the caller has sufficient endpoint access and resource access. If they do, Cloud API hands processing over to the appropriate internal PolicyCenter logic.
The internal PolicyCenter logic may trigger code that can only
be completed using a user account from the pc_user
table. For example:
- The call may create or modify data. When this occurs, PolicyCenter records the name of the
CreateUser
orUpdateUser
. - The call may trigger a domain-level permission check.
- For example, the call may attempt to assign an activity to the caller. To do this, PolicyCenter must verify that the caller has sufficient permission to own an activity.)
- The call may trigger an authority limit check.
- For example, the call may attempt to create a collision coverage with a deductible less than $1000. PolicyCenter must check to see if the amount of the coverage term is within the caller's authority limit.
When the caller is an internal user, PolicyCenter uses the internal user account for these types of code.
- The internal user is recorded as the
CreateUser
orUpdateUser
. - The internal user's user roles are checked for domain-level permissions as needed.
- The internal user's authority limit profiles are checked for authority limit checks as needed.
However, external users and services are not listed in the pc_user
table. They cannot be recorded as a
CreateUser
or UpdateUser
. They also have no system
permissions or authority limits assigned to them. So, when a call is made by someone who is
not an internal user, PolicyCenter assigns a proxy
user to the call.
- If the call creates or modifies data, the proxy user is listed as the
CreateUser
orUpdateUser
. - If the call triggers a domain-level permissions check, the proxy user's user roles are checked.
- If the call triggers an authority profile check, the proxy user's authority profile limits are checked.
Types of proxy users
Fundamentally, there are three types of proxy users:
- The external proxy user is a proxy user assigned to calls made by external users and services with external user context.
- The service proxy user is a proxy user assigned to calls made by standalone services.
- The unauthenticated proxy user is a proxy user assigned to calls made by unauthenticated callers.
Note that for each type of caller listed above, there is only one proxy user. In other words, all external users and services with external user context make use of a single proxy user, the external proxy user. All standalone services make use of a single proxy user, the service proxy user.
Technically, there is a fourth type of proxy user, the default proxy user. This user is used in the unlikely situation that, for some reason, the regular proxy user cannot be assigned to the call.
Proxy users in the base configuration
The base configuration bootstrap data includes the following proxy users. (Bootstrap data is loaded when the product is installed. It is not a part of sample data.)
Proxy user type | Base configuration user | User role | UW authority profile |
---|---|---|---|
External proxy user | extuser |
External User | External User Profile |
Service proxy user | serviceuser |
Service User | Service User Profile |
Unauthenticated proxy user | uauser |
Unauthenticated User | Unauthenticated User Profile |
Default proxy user | defaultuser |
Default User | (none) |
To prevent anyone from logging in as one of these users, each of these users is created with a password that makes use of a character that is not valid Base64 encoding.
You can configure the user roles and authority limit profiles referenced by these users. But, Guidewire recommends that you do not configure the users themselves.
Proxy user assignment
Proxy users are assigned by the RestAuthenticationSourceCreatorPlugin
plugin. The following table details the conditions that determine which proxy user to assign
to a call.
Proxy user type | When this user type is assigned |
---|---|
External proxy user | The call includes the pc_accountNumbers scope |
Service proxy user | The call includes the pc.​service scope |
Unauthenticated proxy user | The call has no authentication header |
Default proxy user | The call requires a proxy user and for some reason no other proxy user could be assigned |
RestAuthenticationSourceCreatorPlugin
plugin that identify the users for
each proxy user type. Doing so could make the authorization functionality not behave as
expected.When is proxy user information used?
Proxy users as the "user of record"
Some of the actions that a user can execute in PolicyCenter require the user's name to be recorded in the database. For example:
- When an object (such as an activity or a note) is created, the user who created it is
stored in the object's
CreateUser
field. - When an object (such as an activity or a note) is modified, the user who modified it is
stored in the object's
UpdateUser
field.
Proxy users and system permissions
A Cloud API call may trigger a check to see if the caller has a specific system permission. When this occurs, PolicyCenter checks to see if the proxy user has a user role that includes the system permission.
- If the proxy user has the permission, processing continues as normal.
- If the proxy user does not have the permission, the action is prevented.
For more information on roles and permissions, refer to the Application Guide.
Proxy users and authority limits
A Cloud API call may trigger a check to see if the caller has sufficient financial authority to execute a given action. When this occurs, PolicyCenter checks to see if the proxy user has an authority limit profile with the corresponding authority limit set to a sufficiently high amount.
- If the proxy user has a sufficiently high authority limit, processing continues as normal.
- If the proxy user does not have a sufficiently high authority limit, processing is suspended. PolicyCenter automatically creates an approval activity and assigns it to the appropriate user. If the activity is approved, processing for the underlying transaction continues.
For more information on authority limits, refer to the Application Guide.
Configuring proxy users
Modifying system permissions for proxy users
System permissions control a user's ability to access data or take action within a Guidewire application. But, system permissions do not provide the ability to use Cloud API endpoints. The ability to use Cloud API endpoints and access fields on Cloud API resources is controlled by API roles.
If you need to modify the permissions for a proxy user, there are different possible scenarios:
- The proxy user has all required system permissions, but the calling user does not have
access to the required endpoints and/or the required fields on the endpoint resources. In
this case, you need to modify the appropriate API role files (such as the
Producer.role.yaml
file). - The calling user has access to the required endpoints and/or the required fields on the endpoint resources, but their proxy user does not have all required system permissions. In this case, you need to modify the user role associated with the proxy user (such as the "External User" role).
- The calling user lacks access to the required endpoints and/or the required fields on
the endpoint resources, and their associated proxy user lacks the required system
permissions. In this case, you need to modify both the appropriate API role files (such as
the
Producer.role.yaml
file) and the user role associated with the proxy user (such as the "External User" role).
For more information on configuring API roles, see Endpoint access.
For more information on configuring user roles, see the Application Guide.
Modifying authority limit profiles for proxy users
Authority limits determine whether a user can create a financial object (such as a claim reserve, a coverage, or a goodwill credit) without requiring approval. If the amount of the object is at or below the user's limit, no approval is needed. If the amount is above the user's limit, approval is required.
Unlike permissions, authority limits are controlled exclusively within the authority limit profiles in the Guidewire application. There is no Cloud API analog to authority limit profiles. If you need to modify the authority limits for a proxy user, you must modify the authority limit associated with that proxy user.
For more information on configuring authority limit profiles, see the Application Guide.
Do not modify which users are the proxy users
The base configuration provides four proxy users: extuser
,
serviceuser
, uauser
, and defaultuser
.
Guidewire recommends against modifying these users or the references to these users in the
RestAuthenticationSourceCreatorPlugin
. Doing so could make the
authorization functionality not behave as expected.