Data Services: Delegate Service Extension

Data Services is a collection of service extensions included in UXP Technology. Data Services’ extensions share metadata and setup; however, each service extension can be utilized independently. The service extension currently published is Delegate Service.

Delegate Service provides remote user-access management for UXP Objects.

Delegate Service is the extension for constructing and managing the Delegate Identity.

Table: Delegate Services defined.


Data Services Database

The Data Services Database is a shared, server-side UXP SQL database built on SQLite. The Database stores individual User UXP Identities. These Users are shared with the Delegate Service for use, as needed, in a Delegate Identity.

The individual UXP Identities in the database can be replaced with updated Identity versions or removed from the database, as needed.

User

A User is the logical representation of that User’s UXP Identity. The Users’ individual UXP Identities are imported into the Data Services Database. The Database SYSADMIN controls and manages the User import process.

Users can be:

  • Administrators for Data Services
  • Delegate Identity owners, who create and manage the members of the Subscription List (the Delegate Subscribers)
  • Delegate Subscribers

Connecting the User to UXP Object Access

  • The User attempts access to a UXP Object.
  • The User is first validated as a Subscriber of the Delegate Identity’s Subscription List.
  • The Subscriber’s User UXP Identity is securely sent to the UXP Object.
  • The User’s User Definition (from their UXP Identity) is temporarily substituted for the “proxy-User Definition” during authentication.

Delegate Service Components

Delegate Service is made up of a number of components, and it is important to know where each fits into the construction/management framework. The interaction and relationships between these components are essential to the purpose and function of Delegate Identities.

Delegate Identity

The Delegate Identity is a dynamic UXP Identity used by a UXP Object. Externally, a Delegate Identity and a UXP Identity appear the same. Internally, there is a difference between a Delegate Identity and a UXP Identity. A Delegate Identity’s KCL Code substitutes an internal proxy-User Definition for the real User Definition that would otherwise be associated with a process or human. A proxy-User Definition is not a valid user because it lacks user access credentials.

When a Delegate Identity is used to protect a UXP Object and an access attempt occurs, the proxy-User Definition is used in the validation process. This Definition contains attributes along with the Delegate Service server URL, which allows the UXP Object to open a communication channel to the Delegate Service.

The UXP Object can include more than one Delegate Identity.

Delegate Identities can originate from separate Delegate Service instances.

Delegate Identity Subscription List

The Delegate Identity Subscription List is a group of Users. Users are stored in the Data Services Database. Once Users are in the Database, they are ready for inclusion in any Delegate Identity Subscription List. When a User is included in the Subscription List for a Delegate Identity, the User is then called a Delegate Subscriber.

The Subscription List represents the permitted users who can access a UXP Object protected with the Delegate Identity. Each Delegate Identity has only one Subscription List associated to it.

The Delegate Identity Subscription List can serve as a logical workgroup; this concept is similar to an email distribution list, but the Subscription List has much more flexibility and power.

Changes made to the Subscription List take effect for previously constructed UXP Objects as well as for Objects constructed in the future, because the list is consulted at access time rather than copied into the Object.

Delegate Subscriber

The Delegate Subscriber is a member of an active Delegate Identity Subscription List. Delegate Subscribers originate from the Users available in the Data Services Database. A Subscriber is a logical link to the User’s UXP Identity in the Data Services Database; the actual User Definitions remain in the database.

During an access attempt to a UXP Object, the Delegate Identity communicates with the Delegate Service server to confirm that the User attempting access is a legitimate Subscriber on the Subscription List.

Access will not be granted unless the User is a Subscriber to the Subscription List associated with the Delegate Identity.
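To make the access flow concrete (the steps under Connecting the User to UXP Object Access, the proxy-User Definition under Delegate Identity, and the membership check described in this section), here is an illustrative model written for this page. It is not UXP or Delegate Service product code: the class names, the SQLite schema, the passphrase-hash standing in for a User Definition’s credentials, the validate request and response, the in-memory directory standing in for the network, and the example URLs and user names are all assumptions. What it shows is the behaviour the text describes: a UXP Object carries one or more Delegate Identities, possibly from different Delegate Service instances, whose proxy-User Definition holds no credentials; at access time the Object asks the Delegate Service whether the caller is a Subscriber of that Identity’s Subscription List, and only then receives the real User Definition to authenticate against; and a change to the Subscription List takes effect for an Object built before the change.

```python
import hashlib
import hmac
import json
import sqlite3
from dataclasses import dataclass

# In-memory Data Services Database. Table/column names are assumptions for this
# example, not the product's schema. The composite key gives each Delegate
# Identity exactly one Subscription List.
SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, identity_json TEXT NOT NULL);
CREATE TABLE subscriptions (delegate_id TEXT NOT NULL, user_id TEXT NOT NULL
    REFERENCES users(user_id), PRIMARY KEY (delegate_id, user_id));
"""


def make_identity(passphrase: str) -> dict:
    # Constructed stand-in for a User Definition: holds only a passphrase hash.
    return {"secret_sha256": hashlib.sha256(passphrase.encode()).hexdigest()}


@dataclass(frozen=True)
class DelegateIdentity:
    # What a UXP Object carries: the proxy-User Definition's attributes and the
    # Delegate Service URL. No credentials, so it cannot authenticate anyone itself.
    delegate_id: str
    service_url: str


class DelegateService:
    # Server side: owns the Data Services Database and answers membership checks.
    def __init__(self, url: str):
        self.url = url
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    # SYSADMIN operations: import (or replace) and remove User Identities.
    def import_user(self, user_id: str, identity: dict) -> None:
        self.db.execute("INSERT OR REPLACE INTO users VALUES (?, ?)",
                        (user_id, json.dumps(identity)))

    def remove_user(self, user_id: str) -> None:
        self.db.execute("DELETE FROM subscriptions WHERE user_id = ?", (user_id,))
        self.db.execute("DELETE FROM users WHERE user_id = ?", (user_id,))

    # Delegate Identity owner operations: mint the Identity, manage its list.
    def create_delegate_identity(self, delegate_id: str) -> DelegateIdentity:
        return DelegateIdentity(delegate_id, self.url)

    def subscribe(self, delegate_id: str, user_id: str) -> None:
        self.db.execute("INSERT OR IGNORE INTO subscriptions VALUES (?, ?)",
                        (delegate_id, user_id))

    def unsubscribe(self, delegate_id: str, user_id: str) -> None:
        self.db.execute("DELETE FROM subscriptions WHERE delegate_id = ? AND user_id = ?",
                        (delegate_id, user_id))

    # Access-time request from a UXP Object: the Subscriber's real User Definition,
    # or None when the caller is not on this Identity's Subscription List.
    def validate(self, delegate_id: str, user_id: str):
        row = self.db.execute(
            "SELECT u.identity_json FROM users u JOIN subscriptions s USING (user_id) "
            "WHERE s.delegate_id = ? AND u.user_id = ?", (delegate_id, user_id)).fetchone()
        return None if row is None else json.loads(row[0])


class UXPObject:
    # Protected object carrying one or more Delegate Identities.
    def __init__(self, delegate_identities, directory):
        self.delegate_identities = list(delegate_identities)
        self.directory = directory  # url -> DelegateService; stands in for the network

    def open(self, user_id: str, passphrase: str) -> bool:
        offered = hashlib.sha256(passphrase.encode()).hexdigest()
        for did in self.delegate_identities:  # may come from different service instances
            real_def = self.directory[did.service_url].validate(did.delegate_id, user_id)
            if real_def is None:
                continue  # not a Subscriber of this list
            # The real User Definition replaces the proxy; authenticate against it.
            if hmac.compare_digest(offered, real_def["secret_sha256"]):
                return True
        return False


def demo() -> dict:
    # Runs the flow end to end and returns the outcomes so they can be checked.
    hr = DelegateService("https://hr.example/delegate")  # hypothetical URLs
    eng = DelegateService("https://eng.example/delegate")
    directory = {hr.url: hr, eng.url: eng}
    for svc in (hr, eng):  # SYSADMIN imports the Users into each database
        svc.import_user("alice", make_identity("alice-pass"))
        svc.import_user("bob", make_identity("bob-pass"))
    payroll = hr.create_delegate_identity("payroll-list")
    release = eng.create_delegate_identity("release-list")
    hr.subscribe("payroll-list", "alice")
    eng.subscribe("release-list", "bob")
    obj = UXPObject([payroll, release], directory)  # two Identities, two services
    out = {"alice": obj.open("alice", "alice-pass"),
           "bob": obj.open("bob", "bob-pass"),
           "alice_wrong_pass": obj.open("alice", "nope"),
           "carol_not_a_user": obj.open("carol", "anything")}
    hr.unsubscribe("payroll-list", "alice")  # list change after the Object was built
    out["alice_after_unsubscribe"] = obj.open("alice", "alice-pass")
    return out


if __name__ == "__main__":
    print(demo())
```

Because the Subscription List is consulted on every access, unsubscribing alice denies her on an Object that was constructed while she was still a member, which is the property stated under Delegate Identity Subscription List. The directory dictionary hides the transport between Object and service; the page states that the Identity is sent securely, and a real deployment depends on that channel being authenticated, since the proxy-User Definition contributes only the service URL and attributes, never a credential.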