Authentication and authorization in the BPC
The BPC uses external identity providers (IdPs). Authentication and authorization are always carried out against this IdP.
You can find out which IdPs are supported at Create, configure and use an identity provider.
Access management
Access management is organized in the BPC via the assignment of individual users to organizations, roles and rights.
The assignment of users is usually carried out in your identity provider. In exceptional cases, this can also be done via the IdentityProvider_Mappings setting, which assigns organizations, roles and rights.
Logged-in users have a so-called session in the BPC context, which contains all information on their assigned organizations, roles and rights. The BPC modules can read this information and grant or deny access to data and functions depending on it.
Users can be assigned to an account via the Account module to view the organizations, roles and rights assigned to them.
The BPC ignores upper and lower case in the names of organizations, roles and rights; they are compared case-insensitively.
This means that the roles |
Organizations
In BPC, an organization is a grouping characteristic for users that usually corresponds to the organizational structure of the company using it.
Depending on the IdP used, other terms such as group (Gruppe) or user group (Benutzergruppe) may be used there.
You can find out how to transfer these grouping characteristics to BPC organizations in the respective IdP configuration.
Active and inactive organizations
BPC distinguishes between active and inactive organizations. The IdP can assign inactive organizations to the user at login as well. Inactive organizations initially have no effect on visibility or permissions. However, the user can set one organization as the active organization via the Change the active organization plugin or the User information page. In this case, BPC rebuilds the user session, sets the chosen organization as active and lists all other organizations as inactive. This can subsequently affect the user's visibility and permissions.
Roles
Roles are another grouping feature. They are generally used to bundle different Rights and assign them to users. A user's roles are assigned via the IdP.
Special role bpcuser
This role is assigned to every user who can successfully log in to the BPC. It can be used, e.g. via IdentityProvider_Mappings, to assign Rights to all users.
Special role bpcadmin
This role implicitly contains all Rights. This makes the role very powerful, so it should be assigned sparingly.
This role implicitly contains no other Organizations or Roles.
If you restrict access at Organizations or Roles level, users with the |
Rights
The rights of a user are also defined by the identity provider. As with roles and organizations, they are assigned either directly to the user or implicitly via the user's roles or organizations.
You can find out which rights are taken into account and how in the description in the respective module.
Assignment of additional roles and rights by the BPC Core
The BPC offers the option of assigning additional roles and rights to a user on top of the rights objects delivered by the external IdP. This is done via mappings keyed on existing organizations, roles and rights, and is used primarily to assign BPC-internal application rights.
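The following is an added illustration, not BPC code: a small Python model of how a session could resolve a user's effective organizations, roles and rights from the IdP assignments plus core mappings, honouring the rules above (case-insensitive names, bpcuser for every logged-in user, bpcadmin implying all rights but no extra organizations or roles, one active organization with the rest inactive). The `mappings` layout, the function names and the `all_rights` directory are assumptions and do not reflect the real IdentityProvider_Mappings format.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

BPC_USER = "bpcuser"    # implicitly assigned to every user who can log in
BPC_ADMIN = "bpcadmin"  # implicitly holds every right, but no extra organizations or roles


def norm(name: str) -> str:
    """BPC ignores upper/lower case of organization, role and right names."""
    return name.strip().lower()


@dataclass
class Session:
    user: str
    active_org: Optional[str]
    inactive_orgs: FrozenSet[str]
    roles: FrozenSet[str]
    rights: FrozenSet[str]

    def has_right(self, right: str) -> bool:
        return norm(right) in self.rights

    def visible_orgs(self) -> FrozenSet[str]:
        # Only the active organization affects visibility; inactive ones do not.
        return frozenset([self.active_org]) if self.active_org else frozenset()


def build_session(user, idp_orgs, idp_roles, idp_rights, mappings, all_rights, active_org=None):
    """Rebuild the session from IdP assignments plus core mappings (assumed layout:
    {"org": {name: {"roles": [...], "rights": [...]}}, "role": {name: {...}}})."""
    orgs = {norm(o) for o in idp_orgs}
    roles = {norm(r) for r in idp_roles} | {BPC_USER}
    rights = {norm(r) for r in idp_rights}
    changed = True
    while changed:  # mapped roles may carry mappings themselves, so iterate to a fixpoint
        changed = False
        for kind, keys in (("org", orgs), ("role", roles)):
            for key, extra in mappings.get(kind, {}).items():
                if norm(key) in keys:
                    new_roles = {norm(r) for r in extra.get("roles", [])} - roles
                    new_rights = {norm(r) for r in extra.get("rights", [])} - rights
                    if new_roles or new_rights:
                        roles |= new_roles
                        rights |= new_rights
                        changed = True
    if BPC_ADMIN in roles:
        rights |= {norm(r) for r in all_rights}  # all rights, nothing else
    active = norm(active_org) if active_org and norm(active_org) in orgs else None
    return Session(user, active, frozenset(orgs - {active}), frozenset(roles), frozenset(rights))
```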
Directory of available organizations/roles/rights stored in the BPC core if the IdP does not support this
If an OIDC provider such as Microsoft Azure AD, AWS Cognito or Keycloak (without Admin Client connection) is used as the identity provider, no directory of roles, rights and organizations is available in the BPC frontend. In this case, the directory can be provided via the IdP mapping of the respective IdP Backend Connection.
For JAAS-based identity providers, rights can be provided in this way.
Organizations/roles/rights of users stored in the BPC Core if the IdP does not support this
Some IdPs are restricted in their function and do not offer rights at all (Karaf, for example). In this case, the BPC Core stores these assignments in the IdP mapping of the respective IdP Backend Connection.