Where do authorization values come from?

For every caller, you must store a set of values that determine the caller's endpoint access, that is, which endpoints and operations the caller can use. For some callers, you must also store values that determine the caller's resource access, that is, which specific instances of a given resource the caller can view or edit. Together, these are referred to here as authorization values.

The IdP

For some auth flows, the IdP must either store the authorization values itself or provide a lookup value that can be used to retrieve the authorization values from an additional authorization system. In either case, the authorization values (or the lookup value) must be included in the IdP's SAML response. The following Cloud API auth flows support this:

  • Internal user
  • External user

The caller application itself

For other auth flows, the caller application itself must either provide the authorization values or provide a lookup value that can be used to retrieve the authorization values from an additional authorization system. The following Cloud API auth flows support this:

  • Standalone service
  • Service with internal user context
  • Service with external user context

The Guidewire configuration

For the service with service account mapping auth flow, the caller application provides a client ID. This ID is mapped to a service account in the PolicyCenter database, and this service account is used to determine the authorization values. For this auth flow, the authorization values come from the mapping information, which is stored in the Guidewire configuration itself.
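The three sources described above share one resolution pattern: the incoming attributes either carry the authorization values directly or carry a lookup value that is resolved against an additional authorization system, and the service account mapping flow resolves a client ID through configuration instead. The following is an added illustration of that pattern, not Guidewire's implementation: the attribute and claim names (authz_values, authz_lookup, resource_ids), the lookup store, and the client ID to service account mapping are all constructed assumptions. It fails closed, returning None (deny) whenever no values and no usable lookup value are present.

```python
"""Illustrative resolver for the three sources of authorization values.
Added example code, not Guidewire's implementation: every attribute name,
claim name, store and mapping below is an assumption constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthorizationValues:
    # Values that gate which endpoints and operations the caller may use.
    endpoint_access: frozenset
    # IDs of the resource instances the caller may view or edit;
    # None means resource access is not applicable to this auth flow.
    resource_access: Optional[frozenset]


# Constructed stand-in for the "additional authorization system":
# lookup value -> authorization values.
AUTHZ_STORE = {
    "authz-key-0042": AuthorizationValues(
        frozenset({"policy.read", "policy.edit"}), frozenset({"pc:123"})
    ),
}

# Constructed stand-in for the Guidewire configuration:
# client ID -> service account, and service account -> authorization values.
SERVICE_ACCOUNT_MAP = {"client-abc": "svc_account_claims"}
SERVICE_ACCOUNT_VALUES = {
    "svc_account_claims": AuthorizationValues(frozenset({"claim.read"}), None),
}


def resolve_from_attributes(attrs: dict, store: dict, *,
                            resource_access_applicable: bool = True
                            ) -> Optional[AuthorizationValues]:
    """Shared logic for the IdP case (SAML attribute statement) and the
    caller-application case (token claims): use the values if they are
    present directly, otherwise resolve the lookup value against the store.
    Returns None (deny) if neither is present or the lookup value is unknown."""
    direct = attrs.get("authz_values")  # assumed attribute/claim name
    if direct is not None:
        if not resource_access_applicable:
            return AuthorizationValues(frozenset(direct), None)
        return AuthorizationValues(frozenset(direct),
                                   frozenset(attrs.get("resource_ids", ())))
    key = attrs.get("authz_lookup")  # assumed attribute/claim name
    if key is None:
        return None  # nothing to authorize with: fail closed
    values = store.get(key)
    if values is None:
        return None  # unknown lookup value: fail closed
    if not resource_access_applicable:
        return AuthorizationValues(values.endpoint_access, None)
    return values


def resolve_from_idp(saml_attributes: dict) -> Optional[AuthorizationValues]:
    """Internal user / external user: values or lookup value come from the
    IdP's SAML response (modelled here as a plain dict of attributes)."""
    return resolve_from_attributes(saml_attributes, AUTHZ_STORE)


def resolve_from_caller(token_claims: dict, standalone: bool
                        ) -> Optional[AuthorizationValues]:
    """Standalone service / service with user context: values or lookup value
    come from the caller application. For a standalone service only endpoint
    access applies, so resource access IDs are dropped."""
    return resolve_from_attributes(token_claims, AUTHZ_STORE,
                                   resource_access_applicable=not standalone)


def resolve_from_config(client_id: str) -> Optional[AuthorizationValues]:
    """Service with service account mapping: the client ID is mapped to a
    service account in configuration, and that account supplies the values."""
    account = SERVICE_ACCOUNT_MAP.get(client_id)
    if account is None:
        return None  # unmapped client ID: fail closed
    return SERVICE_ACCOUNT_VALUES.get(account)


if __name__ == "__main__":
    # Constructed inputs for the three sources.
    print(resolve_from_idp({"authz_lookup": "authz-key-0042"}))
    print(resolve_from_caller({"authz_lookup": "authz-key-0042"}, standalone=True))
    print(resolve_from_config("client-abc"))
    print(resolve_from_config("client-unknown"))
```

The point of routing both the IdP and the caller-application cases through one function is that the deny conditions (no values, no lookup value, unknown lookup value, unmapped client ID) are handled in one place rather than re-implemented per auth flow.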

Summary of behaviors

The following table summarizes these behaviors.

Auth flow                               Where do authorization values (or an appropriate lookup value) come from?
Internal user                           The IdP
External user                           The IdP
Standalone service                      The service itself (endpoint access values only; resource access IDs are not applicable)
Service with internal user context      The service itself
Service with external user context      The service itself
Service with service account mapping    The Guidewire configuration

For a summary of all the issues to consider in a single table, see Summary of the issues to consider.