Using the Current User's Identity (FQN) option in a Service Object Mapping uses the User's FQN instead of the Account Configured in the Service Broker

  • 16 February 2021

Sending Identity Information to a Line of Business System

KB002942

PRODUCT
K2 Five

 

SmartObjects allow you to connect K2 to line of business systems (LOBs) to query and update data using SmartObject methods like create, load (read), update and delete. It is often important to know who is executing these SmartObject methods for security and auditing purposes. There are several ways to pass user context to a LOB system, including:

  • Using the Impersonation authentication mode on the service instance
  • Using the OAuth authentication mode on the service instance
  • Using the SSO authentication mode on the service instance
  • For the SQL Server service type, setting the service instance property Set the impersonation user on the DB ContextInfo to True
  • In SmartForms using the System Values > Current User > FQN system value in a rule action to pass the current user identity to the SmartObject method
  • In Advanced SmartObject Methods using the Current User’s Identity (FQN) system value to pass the current user identity to the SmartObject method

This article discusses the Current User’s Identity (FQN) system value, and using it in an advanced SmartObject method to pass the current user's fully-qualified name (FQN) to the LOB system. This is useful when the initial connection to your LOB system cannot use one of the impersonation or single sign-on connection methods listed above.

 

The Current User's Identity (FQN) option is a system value that you find in the Service Object method mappings window when designing an advanced SmartObject, as shown here:

[Image: the Service Object method mappings window, with the Current User's Identity (FQN) system value selected for an input property]

When using this option, the identity of the person executing the SmartObject method is sent to the input property, regardless of how the service instance authentication mode is configured. This allows you to create custom logic in your LOB system to use the passed identity, typically for security and auditing purposes.

Here is an example: suppose that you configured a service instance's authentication mode as Static, using the identity Denallix\K2Service as the static credential to authenticate with the LOB system. Now suppose that you have a SmartObject that connects to that target LOB system, and you configured the SmartObject method to pass in the Current User's Identity (FQN) as a property of the SmartObject method. At runtime, the user Bob executes the SmartObject from, for example, a SmartForm. While the service instance authenticates to the LOB system using the static credentials defined for the service instance, the value K2:Denallix\Bob is passed to your LOB system as a SmartObject property. Your LOB system can now take that property and perform additional security or auditing operations based on Bob's identity, rather than on the static service instance credentials.

Using this SmartObject system value is different from using the FQN system value in a rule in SmartForms. In SmartForms, the logic that reads the user's FQN runs on the form in the browser, which is client-side: the value travels to the server as ordinary form data, so a user who controls the browser can alter it before it reaches the SmartObject method. The Current User's Identity (FQN) SmartObject value passes user context at the SmartObject level, which happens server-side from the identity the K2 server has already authenticated, and is therefore the more secure approach.

Considerations

  • The FQN is a string/text value. Use the Text data type for your SmartObject property input mapping in your SmartObject method, to contain the string value of the FQN.
  • The Current User's Identity (FQN) system value functions with all security labels and authentication modes.
  • The security label is passed in along with the user FQN, for example K2:Denallix\Bob. You may need to add some logic in the LOB system to handle the security label, for example stripping out the K2: label part of the FQN.
  • When a SmartObject is executed within a workflow, the identity of the K2 service account is passed. This is true for all workflow server steps, since these events execute in the context of the K2 service account (except if you used the Run As feature to set alternate credentials for that server step, in which case those alternate credentials will be passed).
  • For SQL Server service instances, you can either set the Set the impersonation user on the DB ContextInfo property on the service instance to True, or configure the Current User's Identity (FQN) system value on each SmartObject method.
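The LOB-side logic that the Bob example above leaves to you, written here as an added illustration for the SQL Server case (this is not code from the KB article or from K2): a stored procedure that the SmartObject's Create method would be mapped to. It receives the FQN as an input property, strips the security label as suggested under Considerations, authorizes and audits on the passed identity, and also records the login that K2 actually connected with so that the two can be compared. The table, column and procedure names, the allow-list table and the sample rows are hypothetical; the Label:Domain\User shape of the FQN is K2's own.

```sql
-- Added example (not from the KB article or from K2): handling the
-- Current User's Identity (FQN) value inside the LOB system.
-- All object names below are hypothetical.

-- Hypothetical allow-list of identities permitted to create orders.
CREATE TABLE dbo.OrderEntryUsers (UserName nvarchar(192) NOT NULL PRIMARY KEY);
INSERT dbo.OrderEntryUsers (UserName) VALUES (N'Denallix\Bob');   -- constructed sample row

CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY(1,1) PRIMARY KEY,
    CustomerId int           NOT NULL,
    Amount     decimal(18,2) NOT NULL,
    CreatedBy  nvarchar(192) NOT NULL      -- identity from the FQN, label stripped
);

CREATE TABLE dbo.OrderAudit (
    AuditId        int IDENTITY(1,1) PRIMARY KEY,
    OrderId        int           NOT NULL,
    Action         varchar(20)   NOT NULL,
    ExecutingFqn   nvarchar(256) NOT NULL, -- value exactly as received, e.g. K2:Denallix\Bob
    SecurityLabel  nvarchar(64)  NULL,     -- e.g. K2
    ExecutingUser  nvarchar(192) NOT NULL, -- e.g. Denallix\Bob
    ConnectionUser sysname       NOT NULL, -- the login K2 connected as (the static account)
    AuditedAt      datetime2(0)  NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- Mapped to the SmartObject Create method. @ExecutingUserFqn is the input
-- property bound to the Current User's Identity (FQN) system value.
CREATE PROCEDURE dbo.Order_Create
    @CustomerId       int,
    @Amount           decimal(18,2),
    @ExecutingUserFqn nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;

    -- An empty identity means the mapping is missing or mis-typed: refuse rather than
    -- silently attribute the action to nobody.
    IF @ExecutingUserFqn IS NULL OR LTRIM(RTRIM(@ExecutingUserFqn)) = N''
        THROW 50001, N'Executing user FQN is required.', 1;

    -- Split "Label:Domain\User" into the label and the bare identity.
    -- If no ':' is present the label was already stripped upstream.
    DECLARE @colon int = CHARINDEX(N':', @ExecutingUserFqn);
    DECLARE @label nvarchar(64) =
        CASE WHEN @colon > 0 THEN LEFT(@ExecutingUserFqn, @colon - 1) END;
    DECLARE @user nvarchar(192) =
        CASE WHEN @colon > 0 THEN SUBSTRING(@ExecutingUserFqn, @colon + 1, 256)
             ELSE @ExecutingUserFqn END;

    -- Authorize on the passed identity, not on the connection login, which is
    -- the same static service account for every caller.
    IF NOT EXISTS (SELECT 1 FROM dbo.OrderEntryUsers WHERE UserName = @user)
        THROW 50002, N'User is not permitted to create orders.', 1;

    INSERT dbo.Orders (CustomerId, Amount, CreatedBy)
    VALUES (@CustomerId, @Amount, @user);
    DECLARE @orderId int = SCOPE_IDENTITY();

    -- Record both the passed identity and the login that actually connected,
    -- so the audit trail shows who acted and through which service account.
    INSERT dbo.OrderAudit (OrderId, Action, ExecutingFqn, SecurityLabel, ExecutingUser, ConnectionUser)
    VALUES (@orderId, 'CREATE', @ExecutingUserFqn, @label, @user, SUSER_SNAME());

    SELECT @orderId AS OrderId;
END
GO

-- Constructed call, as K2 would issue it for Bob over the static connection:
EXEC dbo.Order_Create @CustomerId = 1, @Amount = 125.00,
                      @ExecutingUserFqn = N'K2:Denallix\Bob';
SELECT OrderId, ExecutingFqn, SecurityLabel, ExecutingUser, ConnectionUser
FROM dbo.OrderAudit;
```

Because the FQN arrives as an ordinary parameter over the static connection, the LOB system can trust it only as far as it trusts that connection: anyone who can execute the procedure as the static account can pass any FQN they like. Grant the static login EXECUTE on the procedure only, with no direct table access, so that the identity can be set only through K2. Note also the workflow consideration above: when the same SmartObject runs from a workflow step, the FQN that arrives is the K2 service account (or the Run As credentials), so an allow-list like the one in the example must include that account or the step will fail.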

For more information about configuring advanced SmartObjects, see the Advanced SmartObjects: Methods topic in Help.

 

