Users and Roles Directory
EBX.Platform uses a directory for user authentication and for the definition of user roles.
EBX.Platform provides a default directory that is integrated into the repository. It is also possible to integrate a specific enterprise directory.
Conceptual Model: Users, Roles and Profiles
In EBX.Platform, a user can participate in several roles and a role can be shared by several users. Moreover, a role can be included in another role. The generic term "profile" describes either a user or a role.
In addition to the directory-defined roles, EBX.Platform provides the following built-in roles:
| Role | Definition |
|---|---|
| Profile.ADMINISTRATOR | Built-in Administrator role. The Administrator role allows general administration tasks to be performed. |
| Profile.PROVIDER | Built-in Provider role. The Provider role allows new root adaptations to be created. |
| Profile.READ_ONLY | Built-in read-only role. A user associated with the read-only role has no right to modify the EBX.Platform repository and can only view it. |
| Profile.OWNER | Dynamic built-in owner role. This role is checked dynamically for the current instance. It is activated only if the user belongs to the profile defined as owner of the current instance. |
| Profile.DISTRIBUTOR | Dynamic built-in distributor role. This role is checked dynamically for the current instance. It is activated only if the user belongs to the profile defined as distributor of the agreement that manages the current instance. |
| Profile.EVERYONE | All users have this role. |

Information related to profiles is mainly defined in the directory. However, an association between a user and one of the last three roles (OWNER, DISTRIBUTOR, EVERYONE) must not be managed by the directory, since EBX.Platform performs this task automatically. Furthermore, permissions are managed independently of the directory (see chapter Permissions).
Default directory
Directory's content
The default directory is represented by the adaptation named ebx-directory, defined in the "Reference" branch.
This adaptation contains two tables: one for the users and one for the roles. By default, only the administrator is allowed to modify the directory. However, each user can modify his own information except his roles.
Note: It is not possible to delete or duplicate the directory.
Password recovery procedure
In the default directory, passwords are stored in hashed form (by default with the SHA-256 algorithm) and persisted in this state. Consequently, if a user loses his password, it cannot be retrieved. A new password has to be generated and sent to the user.
There are two options for this procedure:
1. A notification mail is sent to the administrator; the administrator changes the password manually and sends it to the user.
2. A procedure automatically generates a new password and sends it to the user.
By default, the first option is used. To activate the second option, the file ebx.properties must specify the property:
ebx.password.remind.auto=true
Administrator recovery procedure
The administrator can also lose his password or login. In this case, the procedure above does not work. To resolve this problem, a specific directory class redefines an administrator user with the login "admin" and the password "admin". To activate this procedure, the file ebx.properties must specify the following line:
ebx.directory.factory=com.orchestranetworks.service.directory.DirectoryDefaultRecoverFactory
Once EBX.Platform has been restarted and then stopped again, this line must be set back to its default.
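An added example, not part of the EBX.Platform documentation: a Python check that parses an ebx.properties file and reports whether the recovery factory line or the automatic password option described in the two procedures above is enabled. The property names and the class name are those given on this page; the function names and the sample file content are constructed for illustration.

```python
import re

# Property names and the recovery class name are taken from this page.
FACTORY_KEY = "ebx.directory.factory"
RECOVER_CLASS = "com.orchestranetworks.service.directory.DirectoryDefaultRecoverFactory"
REMIND_KEY = "ebx.password.remind.auto"

def parse_properties(text):
    """Minimal Java-properties-style parser: '#'/'!' comments, '=' or ':'
    separators, backslash line continuation, last definition wins.
    Values are stripped of surrounding whitespace, which is enough for an audit."""
    props, pending = {}, ""
    # The extra empty line flushes a continuation left open at end of file.
    for raw in text.splitlines() + [""]:
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the value on the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return findings for the two directory settings this page describes."""
    props = parse_properties(text)
    findings = []
    if props.get(FACTORY_KEY) == RECOVER_CLASS:
        findings.append("recovery factory active: administrator is redefined as admin/admin")
    if props.get(REMIND_KEY, "").lower() == "true":
        findings.append("automatic password option enabled: new passwords are generated and sent to users")
    return findings

# Constructed sample ebx.properties content (not from a real installation).
SAMPLE = """\
# constructed sample
ebx.password.remind.auto = true
! recovery line left in place after a restart
ebx.directory.factory=com.orchestranetworks.service.directory.\\
    DirectoryDefaultRecoverFactory
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the check after each restart that used the recovery procedure confirms that the line was set back to its default.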
Specific directory
As an alternative to the default directory, it is possible to integrate a specific enterprise directory, for example an LDAP instance, a relational database or a specific directory model instantiated in EBX.Platform.
For more information, see the DirectoryFactory Javadoc.