Portal application

Tax Balance heavily relies on the Portal application provided by AMANA.

Authentication

Authentication is performed via OAuth 2.0 protocol. The Portal application provides mechanisms to authenticate the user, e.g., with username and password or with SAML 2.0 (SSO).

After a successful authentication, the portal creates an OAuth 2.0 access tokens in JSON Web Token (JWT) format and returns it to Tax Balance. Tax Balance Web application stores the access token in browser session and appends it to each request to the Tax Balance resource server (API).

This is a sample request with an authorization header:

GET /api/demo HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Authorization in Tax Balance

Tax Balance resource server (in other words: API or backend server) performs an authorization for each incoming request. It extracts the user ID from the OAuth access token and calculates whether the request is allowed for the user based on the stored role and permission definition. If this is not the case, an HTTP status code 403 is returned.

Managing user, roles and permissions

The portal application is responsible for managing the users, roles and permissions. It provides a graphical user interface to perform these tasks. Therefore, most of the related data is stored in the portal. However, as of the design of a centralized management for individual permissions of each application (e.g., Tax Balance) and individual constrains when assigning roles to a user, some data are also or exclusively stored in Tax Balance.

Following data is stored in the Portal application and Tax Balance:



Portal

Tax Balance



Portal

Tax Balance

Roles

Database table TROLE 

  • Id

  • Name

  • Last modification date

  • Comment

Database table TROLE 

  • Id

  • Creation date

  • Creator

Permissions for role

Database table TROLERIGHTMAPPING 

  • Link from role to permission (only Portal specific permissions)

  • Category

  • Last modification date

Database table TROLE_PERMISSION 

  • Link from role to permission (only Tax Balance specific permissions)

  • Creation date

  • Creator

Role to user assignments

Database table TUSERROLEALLOCATION 

  • Link from user to role (on id bases)

  • Last modification date

Database table TROLE_USER_ASSIGNMENT 

  • Link from user to role

  • Constraint on a unit persisted in Tax Balance (optional)

  • Creation date

  • Creator

The above-mentioned data gets distributed to Tax Balance when specific data ingestion occurs in Portal application. This is the case when a portal user performs the following activities:

  • Create or update permission definition for a role

  • Create of update the assignment of a role to a user

The activity is performed when the user hits a button with the label "Save" (in german "Speichern").