Authentication and authorization in the BPC

The BPC uses external identity providers (IdPs). Authentication and authorization are always carried out against the configured IdP.

You can find out which IdPs are supported at Create, configure and use an identity provider.

Access management

Access management is organized in the BPC via the assignment of individual users to organizations, roles and rights.

The assignment of users is usually carried out in your identity provider. In exceptional cases, this can also be supplemented via the IdentityProvider_Mappings setting by assigning organizations, roles and rights.

Logged-in users have a so-called session in the BPC context, which contains all information on assigned organizations, roles and rights. The BPC modules can access this information and configure access to data and functions depending on it.

Users can view the organizations, roles and rights assigned to them via the account module.

In the BPC, the case of organization, role and right names is ignored. This means that the role MITARBEITER, mitarbeiter and any other case variant are treated internally as the same role.

Organizations

In the BPC, an organization is a grouping attribute for users that usually corresponds to the organizational structure of the company.

Depending on the IdP used, other terms such as Gruppe or Benutzergruppe (group or user group) may be used there.

You can find out how to transfer these grouping characteristics to BPC organizations in the respective IdP configuration.

Active and inactive organizations

It is possible to distinguish between active and inactive organizations. The IdP can also assign inactive organizations to the user at login. Inactive organizations initially have no effect on visibility or permissions. However, the user can set an organization as the active organization via the plugin Change the active organization or the user information page. In this case, the BPC rebuilds the user session, sets the active organization and lists all other organizations as inactive. This can then affect the user's visibility and permissions.

Roles

Roles are another grouping attribute. They are generally used to bundle various Rights and assign them to users. A user's roles are assigned via the IdP.

Special role bpcuser

This role is assigned to every user who can successfully log in to the BPC. This role can be used to assign Rights to all users via IdentityProvider_Mappings, for example.

Special role bpcadmin

This role implicitly contains all Rights. This makes the role very powerful; it should be assigned sparingly.

This role implicitly contains no other Organizations or Roles. If you restrict access at the level of Organizations or Roles, users with the bpcadmin role are not automatically granted access.

Rights

A user's rights are also defined by the identity provider. As with roles and organizations, they are assigned either directly to the user or implicitly via one of the user's roles or organizations.

You can find out which rights are taken into account and how in the description in the respective module.

Assignment of additional roles and rights by the BPC Core

The BPC offers the option of assigning additional roles and rights to a user on top of the authorization objects (organizations, roles and rights) delivered by the external IdP. This is done by mapping from existing organizations, roles and rights. It is mainly used to assign BPC-internal application rights.
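The following is an added illustration, not BPC code, of how the rules described above fit together: case-insensitive matching of organization, role and right names; the implicit bpcuser role; the bpcadmin role holding every right but no organizations or roles; active and inactive organizations; and additional roles and rights derived by mapping from existing assignments. The mapping structure (a list of dicts with an "on" condition plus "roles" and "rights" to grant) and the function and class names are assumptions for this example; the real IdentityProvider_Mappings format is not specified on this page.

```python
"""Toy model of a BPC-style user session (added example, not BPC code)."""
from dataclasses import dataclass, replace
from typing import Iterable, Optional

BPCUSER = "bpcuser"    # role every successfully logged-in user receives
BPCADMIN = "bpcadmin"  # role that implicitly holds all rights, but no orgs/roles


def norm(name: str) -> str:
    """Organizations, roles and rights are compared case-insensitively."""
    return name.strip().lower()


@dataclass(frozen=True)
class Session:
    user: str
    organizations: frozenset          # everything the IdP assigned, normalized
    active_organization: Optional[str]
    roles: frozenset
    rights: frozenset

    @property
    def inactive_organizations(self) -> frozenset:
        return self.organizations - {self.active_organization}

    def has_right(self, right: str) -> bool:
        # bpcadmin implicitly contains every right ...
        if BPCADMIN in self.roles:
            return True
        return norm(right) in self.rights

    def has_role(self, role: str) -> bool:
        # ... but no other roles or organizations.
        return norm(role) in self.roles

    def in_active_organization(self, org: str) -> bool:
        # Only the active organization counts for visibility/permissions.
        return self.active_organization is not None and self.active_organization == norm(org)

    def with_active_organization(self, org: str) -> "Session":
        """Rebuild the session with a new active organization."""
        o = norm(org)
        if o not in self.organizations:
            raise ValueError(f"{org!r} is not assigned to {self.user}")
        return replace(self, active_organization=o)


# Assumed mapping structure (constructed sample, not the real config format):
# each entry grants extra roles/rights when the user already holds the
# organization, role or right named in "on".
EXAMPLE_MAPPINGS = [
    {"on": {"kind": "role", "name": "mitarbeiter"}, "rights": ["invoice.read"]},
    {"on": {"kind": "role", "name": BPCUSER}, "rights": ["profile.view"]},
    {"on": {"kind": "right", "name": "invoice.read"}, "roles": ["reporting"]},
]


def build_session(user: str, idp_orgs: Iterable[str], idp_roles: Iterable[str],
                  idp_rights: Iterable[str], mappings: list) -> Session:
    """Build a session from IdP claims, then apply BPC-core mappings."""
    orgs = {norm(o) for o in idp_orgs}
    roles = {norm(r) for r in idp_roles} | {BPCUSER}
    rights = {norm(r) for r in idp_rights}
    pools = {"organization": orgs, "role": roles, "right": rights}

    # Iterate to a fixed point so a right granted by one mapping can
    # satisfy the condition of another mapping.
    changed = True
    while changed:
        changed = False
        for m in mappings:
            if norm(m["on"]["name"]) not in pools[m["on"]["kind"]]:
                continue
            new_roles = {norm(r) for r in m.get("roles", [])} - roles
            new_rights = {norm(r) for r in m.get("rights", [])} - rights
            if new_roles or new_rights:
                roles |= new_roles
                rights |= new_rights
                changed = True

    return Session(user, frozenset(orgs), None, frozenset(roles), frozenset(rights))


if __name__ == "__main__":
    s = build_session("alice", ["Vertrieb", "Marketing"], ["MITARBEITER"], [], EXAMPLE_MAPPINGS)
    print(sorted(s.roles), sorted(s.rights))
    print(s.with_active_organization("VERTRIEB").inactive_organizations)
```

The fixed-point loop is the one design choice worth noting: because a mapping may key on a right that another mapping grants, a single pass would make the result depend on mapping order.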

Directory of available organizations/roles/rights stored in the BPC core if the IdP does not support this

If you use an OIDC provider such as Microsoft Azure AD, AWS Cognito or Keycloak (without Admin Client connection) as an identity provider, no directory of roles, rights and organizations is available in the BPC frontend. In this case, these can be provided via the IdP mapping of the respective IdP Backend Connection.

Rights can be provided in this way for JAAS-based identity providers.

Organizations/roles/rights of users stored in the BPC Core if the IdP does not support this

Some IdPs are restricted in their function: for example, they offer no rights at all (Karaf), or new roles/rights cannot be added (INUBIT). In this case, the BPC Core stores these assignments in the IdP mapping of the respective IdP Backend Connection.
