With no access control engaged, any anonymous user may gain access to the resource - the system does not ask for user identity or access rights.
With access control set to one of the three above-mentioned types, the following validations happen:
- Identification - the system must be able to identify the user by the session token, without consideration for session token expiry, or other session validation rules. There are no requirements for the user to be active, user account to be not expired, etc., i.e. identification succeeds if user session is found and it belongs to one of existing users.
- Authentication - the system validates both user session and user account. The following conditions must be met for a successful authentication:
- Session token must correspond to an existing user session
- User session must be valid (not expired)
- User must have access to an application in the activity context of which the session is validated
- User account must be active and not expired (note that account lock does not affect success of effective session validation - it only affects session creation and renewal processes)
- Advanced: If session signature support is enabled, session signature must pass validation
- Authorization - system authenticates user (as described above) and also validates permission to access a resource. Authorization process always matches user with a particular resource, however, net permission is calculated via user membership in user groups and application roles on one side, and resource membership in resource groups on another side. Permission may be set between any entities on each side (users/user groups/application roles and resources/resource groups), and net permissions are calculated from this metadata.
Additional types of access control in Arnica Platform applications are conditional identification and conditional authentication. With these access control types, identification or authentication are performed only if session token exists. This type of access control is used when knowing user identity is not mandatory and anonymous is permitted, however, false identity (with false session identifier) should be blocked.
Identification, authentication and authorization services are provided by Arnica UnifiedLogon, and consumed by other applications in Arnica Platform, as well as any other third party or custom applications integrated with UnifiedLogon.