User management run time API configuration

You can configure the user management run time API to retrieve authorization information from the transaction authorization provider.

About this task

The user management run time API is responsible for obtaining authorization information at run time from the transaction authorization provider. The API provides a level of indirection between the transaction authorization provider running in the InfoSphere® MDM run time and the consumers of user management information, so that clients can plug in an alternative API implementation that retrieves user and role information from an external transaction authorization provider.

The UserManagementProvider interface defines the methods for obtaining user and role information, as shown in the following class diagram.

This interface must be implemented by a concrete user management provider class that is responsible for retrieving user and role information in the InfoSphere MDM run time. The user management provider class must be registered with the InfoSphere MDM run time by providing its fully qualified class name as the value of the Configuration Management property /IBM/DWLCommonServices/UserManagement/user_management_provider_class_name.

A new service definition for the custom User Management Provider must be defined and must follow this blueprint definition template:
<service id="CustomUserManagementProvider" interface="com.ibm.mdm.common.servicefactory.api.CommonServiceFactory">
    <service-properties>
        <entry key="common.service" value="UserManagementProvider.my.company.CustomUserManagementProvider"/>
    </service-properties>
    <bean class="com.ibm.mdm.common.servicefactory.CommonServiceFactoryImpl">
        <argument type="java.lang.Class" value="com.ibm.mdm.usermanagement.UserManagementProvider"/>
        <argument type="java.lang.Class" value="my.company.CustomUserManagementProvider"/>
        <argument ref="blueprintBundle"/>
    </bean>
</service>
The common.service service property must consist of the prefix UserManagementProvider, a period, and the fully qualified name of the UserManagementProvider class. The first class argument must be com.ibm.mdm.usermanagement.UserManagementProvider, which is the service interface. The second class argument must be set to the new UserManagementProvider class.

The blueprint service definition, along with the user management provider class, must be packaged in a bundle, deployed on the server in a Composite bundle (CBA), and set as a composition unit (CU) extension of the Operational Server EBA.

User management interface class diagram

InfoSphere MDM provides a default implementation class (DefaultUserManagementProvider) that retrieves data from the default transaction authorization provider, where authorization information is stored in a relational database: each user is represented by a record in the USERPROFILE table and each role by a record in the GROUPPROFILE table:

  • getRolesByUser returns a vector of role names. Each role name is a string containing the value of the GROUPPROFILE.group_name field.
  • getUsersByRole returns a vector of user names. Each user name is a string containing the value of the USERPROFILE.user_id field.
  • isValidUser determines whether the user is valid, based on whether the user name is present in the USERPROFILE.user_id field.
  • isValidRole determines whether the role is valid, based on whether the role name is present in the GROUPPROFILE.group_name field.
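The following class shows the four operations described above implemented against an in-memory store that stands in for an external transaction authorization provider (for example, a directory). It is an added example, not IBM's DefaultUserManagementProvider or any shipped code. The method names come from the page; the exact parameter types, the Vector<String> return type, the omission of the implements clause, and the sample user and role names are assumptions. In a real bundle the class declares implements com.ibm.mdm.usermanagement.UserManagementProvider and its signatures must match that interface exactly.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Vector;

/**
 * Illustrative custom user management provider (added example, not IBM code).
 * The in-memory maps below stand in for an external authorization source.
 * Assumed shape: String in, Vector<String> / boolean out; adjust to the real
 * com.ibm.mdm.usermanagement.UserManagementProvider interface when packaging.
 */
public class CustomUserManagementProvider {

    // role name -> set of member user ids (constructed sample data)
    private final Map<String, Set<String>> membersByRole = new HashMap<>();
    // every user id the external provider knows, including users with no roles
    private final Set<String> knownUsers = new HashSet<>();

    public CustomUserManagementProvider() {
        addMembership("mdm_admin", "alice");
        addMembership("mdm_operator", "alice");
        addMembership("mdm_operator", "bob");
        knownUsers.add("carol"); // valid user, member of no role
    }

    private void addMembership(String role, String userId) {
        membersByRole.computeIfAbsent(role, r -> new HashSet<>()).add(userId);
        knownUsers.add(userId);
    }

    /**
     * Reject null, blank or padded names up front. A lenient lookup that
     * trims or lowercases would let " alice" or "ALICE" resolve to alice's
     * roles even though the authenticated identity is the literal string.
     */
    private static boolean isUsable(String name) {
        return name != null && !name.isEmpty() && name.equals(name.trim());
    }

    /** Role names the user belongs to; empty (never null) when unknown. */
    public Vector<String> getRolesByUser(String userId) {
        Vector<String> roles = new Vector<>();
        if (!isUsable(userId)) {
            return roles;
        }
        for (Map.Entry<String, Set<String>> e : membersByRole.entrySet()) {
            if (e.getValue().contains(userId)) {
                roles.add(e.getKey());
            }
        }
        Collections.sort(roles); // deterministic order for callers and audit logs
        return roles;
    }

    /** User ids holding the role; empty (never null) when the role is unknown. */
    public Vector<String> getUsersByRole(String roleName) {
        Vector<String> users = new Vector<>();
        if (!isUsable(roleName)) {
            return users;
        }
        Set<String> members = membersByRole.get(roleName);
        if (members != null) {
            users.addAll(members); // copy, so callers cannot mutate provider state
        }
        Collections.sort(users);
        return users;
    }

    /** Exact, case-sensitive match against the known user ids. */
    public boolean isValidUser(String userId) {
        return isUsable(userId) && knownUsers.contains(userId);
    }

    /** Exact, case-sensitive match against the known role names. */
    public boolean isValidRole(String roleName) {
        return isUsable(roleName) && membersByRole.containsKey(roleName);
    }

    public static void main(String[] args) {
        CustomUserManagementProvider p = new CustomUserManagementProvider();
        System.out.println("roles of alice:        " + p.getRolesByUser("alice"));
        System.out.println("members of operator:   " + p.getUsersByRole("mdm_operator"));
        System.out.println("carol valid user:      " + p.isValidUser("carol"));
        System.out.println("ALICE valid user:      " + p.isValidUser("ALICE"));
        System.out.println("padded alice roles:    " + p.getRolesByUser(" alice "));
        System.out.println("mdm_auditor valid:     " + p.isValidRole("mdm_auditor"));
    }
}
```

Two design points matter when the backing store is not the USERPROFILE/GROUPPROFILE tables. First, match semantics must agree with the authenticating component: if the directory compares names case-insensitively but this provider compares exactly (as above), a user can authenticate and then hold no roles, or, if the provider is more lenient than the authenticator, two distinct principals can collapse onto one role set. Second, the lookup methods return empty collections rather than null or an exception for unknown or malformed input, so a failure in the external provider degrades to "no roles" rather than to an unhandled error inside the transaction path.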
For more details on how to add or update user information for the default provider, see Security Data Manager.