Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Tax Balance heavily relies on the Portal application provided by AMANA.

Authentication

Authentication is perfomed via OAuth 2.0 protocol. The Portal application provides mechanisms to authenticate the user, e.g. with username and password or with SAML 2.0 (SSO).

After a successfull authentication the portal creates an OAuth Access Token and returns it to Tax Balance. Tax Balance Web application stores the access token in browser session and appends it to each request to the Tax Balance ressource server (API).

This is a sample request with an authorization header:

GET /api/demo HTTP/1.1
Authorization: Bearer S0VLU0UhIExFQ0tFUiEK

Authorization in Tax Balance

Tax Balance resource server (in other words: API or backend server) performs an authorization for each incoming request. It extracts the user ID from the OAuth access token and calculates whether the request is allowed for the user based on the stored role and permission definition. If this is not the case, an HTTP status code 403 is returned.

Managing user, roles and permissions

The portal application is responsible for managing the users, roles and permissions. It provides a graphical user interface to perform these tasks. Therefore, most of the related data is stored in the portal. However, as of the design of a centralized management for individual permissions of each application (e.g. Tax Balance) and individual constrains when assigning roles to a user, some data are also or exclusively stored in Tax Balance.

Following data is stored in the Portal application and Tax Balance:


PortalTax Balance
Roles

Database table TROLE 

  • Id
  • Name
  • Last modification date
  • Comment

Database table TROLE 

  • Id
  • Creation date
  • Creator
Permissions for role

Database table TROLERIGHTMAPPING 

  • Link from role to permission (only Portal specific permissions)
  • Category
  • Last modification date

Database table TROLE_PERMISSION 

  • Link from role to permission (only Tax Balance specific permissions)
  • Creation date
  • Creator
Role to user assignments

Database table TUSERROLEALLOCATION 

  • Link from user to role (on id bases)
  • Last modification date

Database table TROLE_USER_ASSIGNMENT 

  • Link from user to role
  • Constraint on a unit persisted in Tax Balance (optional)
  • Creation date
  • Creator

The above mentioned data gets distributed to Tax Balance when specific data ingestion occurs in Portal application. This is the case when a portal user performs the following activities:

  • Create or update permission definition for a role
  • Create of update the assignment of a role to a user

The activity is performed when the user hits a button with the label "Save" (in german "Speichern").

  • No labels