Proxy user access

A proxy user is an internal user account in the PolicyCenter database that is assigned to certain types of Cloud API calls made by external users or services. If the call records information or executes a permissions check that requires an internal user account, the proxy user account is used. This type of access is referred to as proxy user access.

Proxy user access is defined by the RestAuthenticationSourceCreatorPlugin plugin and a set of proxy users. This topic describes how to work with proxy users.

Note: Proxy users do not apply to internal users (using either basic authentication or bearer token authentication). Proxy users are relevant only for external users, anonymous users, standalone services, services with external user context, and unauthenticated callers.

Proxy users

When a caller makes a Cloud API call, Cloud API checks to see if the caller has sufficient endpoint access and resource access. If they do, Cloud API hands processing over to the appropriate internal PolicyCenter logic.

The internal PolicyCenter logic may trigger code that can only be completed using a user account from the pc_user table. For example:

The call may create or modify data. When this occurs, PolicyCenter records the name of the CreateUser or UpdateUser.
The call may trigger a domain-level permission check.
- For example, the call may attempt to assign an activity to the caller. To do this, PolicyCenter must verify that the caller has sufficient permission to own an activity.)
The call may trigger an authority limit check.
- For example, the call may attempt to create a collision coverage with a deductible less than $1000. PolicyCenter must check to see if the amount of the coverage term is within the caller's authority limit.

When the caller is an internal user, PolicyCenter uses the internal user account for these types of code.

The internal user is recorded as the CreateUser or UpdateUser.
The internal user's user roles are checked for domain-level permissions as needed.
The internal user's authority limit profiles are checked for authority limit checks as needed.

However, external users and services are not listed in the pc_user table. They cannot be recorded as a CreateUser or UpdateUser. They also have no system permissions or authority limits assigned to them. So, when a call is made by someone who is not an internal user, PolicyCenter assigns a proxy user to the call.

If the call creates or modifies data, the proxy user is listed as the CreateUser or UpdateUser.
If the call triggers a domain-level permissions check, the proxy user's user roles are checked.
If the call triggers an authority profile check, the proxy user's authority profile limits are checked.

Types of proxy users

Fundamentally, there are three types of proxy users:

The external proxy user is a proxy user assigned to calls made by external users and services with external user context.
The service proxy user is a proxy user assigned to calls made by standalone services.
The unauthenticated proxy user is a proxy user assigned to calls made by unauthenticated callers.

Note that for each type of caller listed above, there is only one proxy user. In other words, all external users and services with external user context make use of a single proxy user, the external proxy user. All standalone services make use of a single proxy user, the service proxy user.

Technically, there is a fourth type of proxy user, the default proxy user. This user is used in the unlikely situation that, for some reason, the regular proxy user cannot be assigned to the call.

Proxy users in the base configuration

The base configuration bootstrap data includes the following proxy users. (Bootstrap data is loaded when the product is installed. It is not a part of sample data.)


Proxy user type	Base configuration user	User role	UW authority profile
External proxy user	`extuser`	External User	External User Profile
Service proxy user	`serviceuser`	Service User	Service User Profile
Unauthenticated proxy user	`uauser`	Unauthenticated User	Unauthenticated User Profile
Default proxy user	`defaultuser`	Default User	(none)

To prevent anyone from logging in as one of these users, each of these users is created with a password that makes use of a character that is not valid Base64 encoding.

You can configure the user roles and authority limit profiles referenced by these users. But, Guidewire recommends that you do not configure the users themselves.

Warning: Do not remove the base configuration proxy users from your database. If these proxy users do not exist, authorization will not behave as expected.

Proxy user assignment

Proxy users are assigned by the RestAuthenticationSourceCreatorPlugin plugin. The following table details the conditions that determine which proxy user to assign to a call.


Proxy user type	When this user type is assigned
External proxy user	The call includes the `pc_accountNumbers` scope
Service proxy user	The call includes the `pc.service` scope
Unauthenticated proxy user	The call has no authentication header
Default proxy user	The call requires a proxy user and for some reason no other proxy user could be assigned

Warning: Do not modify the settings in the RestAuthenticationSourceCreatorPlugin plugin that identify the users for each proxy user type. Doing so could make the authorization functionality not behave as expected.

When is proxy user information used?

Proxy users as the "user of record"

Some of the actions that a user can execute in PolicyCenter require the user's name to be recorded in the database. For example:

When an object (such as an activity or a note) is created, the user who created it is stored in the object's CreateUser field.
When an object (such as an activity or a note) is modified, the user who modified it is stored in the object's UpdateUser field.

Actions that require a "user of record" can be triggered by Cloud API calls. When the call is triggered by an internal user, the internal user is noted as the user of record. When the call is triggered by an external user or service, the proxy user is noted as the user of record.

Proxy users and system permissions

A Cloud API call may trigger a check to see if the caller has a specific system permission. When this occurs, PolicyCenter checks to see if the proxy user has a user role that includes the system permission.

If the proxy user has the permission, processing continues as normal.
If the proxy user does not have the permission, the action is prevented.

For more information on roles and permissions, refer to the Application Guide.

Proxy users and authority limits

A Cloud API call may trigger a check to see if the caller has sufficient financial authority to execute a given action. When this occurs, PolicyCenter checks to see if the proxy user has an authority limit profile with the corresponding authority limit set to a sufficiently high amount.

If the proxy user has a sufficiently high authority limit, processing continues as normal.
If the proxy user does not have a sufficiently high authority limit, processing is suspended. PolicyCenter automatically creates an approval activity and assigns it to the appropriate user. If the activity is approved, processing for the underlying transaction continues.

For more information on authority limits, refer to the Application Guide.

Configuring proxy users

Modifying system permissions for proxy users

System permissions control a user's ability to access data or take action within a Guidewire application. But, system permissions do not provide the ability to use Cloud API endpoints. The ability to use Cloud API endpoints and access fields on Cloud API resources is controlled by API roles.

If you need to modify the permissions for a proxy user, there are different possible scenarios:

The proxy user has all required system permissions, but the calling user does not have access to the required endpoints and/or the required fields on the endpoint resources. In this case, you need to modify the appropriate API role files (such as the Producer.role.yaml file).
The calling user has access to the required endpoints and/or the required fields on the endpoint resources, but their proxy user does not have all required system permissions. In this case, you need to modify the user role associated with the proxy user (such as the "External User" role).
The calling user lacks access to the required endpoints and/or the required fields on the endpoint resources, and their associated proxy user lacks the required system permissions. In this case, you need to modify both the appropriate API role files (such as the Producer.role.yaml file) and the user role associated with the proxy user (such as the "External User" role).

For more information on configuring API roles, see Endpoint access.

For more information on configuring user roles, see the Application Guide.

Modifying authority limit profiles for proxy users

Authority limits determine whether a user can create a financial object (such as a claim reserve, a coverage, or a goodwill credit) without requiring approval. If the amount of the object is at or below the user's limit, no approval is needed. If the amount is above the user's limit, approval is required.

Unlike permissions, authority limits are controlled exclusively within the authority limit profiles in the Guidewire application. There is no Cloud API analog to authority limit profiles. If you need to modify the authority limits for a proxy user, you must modify the authority limit associated with that proxy user.

For more information on configuring authority limit profiles, see the Application Guide.

Do not modify which users are the proxy users

The base configuration provides four proxy users: extuser, serviceuser, uauser, and defaultuser. Guidewire recommends against modifying these users or the references to these users in the RestAuthenticationSourceCreatorPlugin. Doing so could make the authorization functionality not behave as expected.