Image

Sign upLogin

Settings

Change Password

Logout

GeneXus Access Manager (GAM)

Table of contents

Built-in Security Module
Authentication
- Authentication Scenarios
- Native Mobile Authentication
- Authentication flow with an external OAuth2.0 provider
- Authentication Types
  - Local
  - Built-in
  - OAuth 2.0
    - How to configure
    - Samples
  - OpenID Connect
    - How to configure
    - Samples
      - HowTo: Authenticate to Azure AD using OpenID Connect with GAM
      - HowTo: Authenticate to Google using OpenID Connect with GAM
  - SAML 2.0
    - How to configure
    - Generating certificates
    - Samples
      - SAP
      - Agesic
      - Okta
      - Azure
  - OTP - One Time Password
    - How to configure
    - How to translate OTP notifications
  - 2FA - Two Factor Authentication
    - How to configure
      - Two Factor Authentication
      - Two factor Authentication for mobile
  - External
  - Custom
    - Samples
      - LDAP
      - Windows
- Impersonation
- SSO
Authorization
- Authorization Scenarios
  - Roles
    - Main Role of a user
    - HowTo: Manage Roles through external authentication programs
  - Permissions
Users
Repository
Sessions
Security Policies
Events subscription
Deployment
Services
Advanced
Compatibility
Troubleshooting
Media
- GeneXus Access Manager in the media
Hardening of GeneXus Systems and Deployments
- Good practices for secure development
- Configuration for secure deployment

GAM - Security Policies

This documentation is valid for:
GeneXus 18 Help

GAM Security Policies define access control rules for Users and Roles to ensure secure interaction with Applications. These policies govern sessions, tokens, and password requirements.

GAM security policies can be configured in two ways:

Through the GAM Web Backoffice
Programmatically via the GAM API.

When using the GAM Web Backoffice, you can add or update a Security Policy. For detailed steps, see GAM Web Backoffice - Security Policies section.

At runtime, the applicable security policy for a user is determined according to the following precedence:

How GAM determines which Security Policy applies to a User

1. Security policy assigned to the user.

Each GAM user can have one security policy assigned to them or none at all.

To assign or update a user's security policy in the GAM Web Backoffice, go to the Users section and edit the user properties (as shown in Figure 2).

Figure 2.

Programmatically, you can retrieve a user's security policy with the SecurityPolicyId property of the GAMUser object.

&User.Load(&UserId) //&User is GAMUser object, &UserId is GAMGUID data type
&SecurityPolicyId   = &User.SecurityPolicyId //&SecurityPolicyId is GAMKeyNumShort data type.

2. If the user has no associated Security Policy, the one assigned to their Main Role is used.

If the user doesn't have a security policy assigned, the policy applied at runtime will be the one associated with their Main Role. See GAM Main Role of a user for more information.

To check or update this in the GAM Web Backoffice, go to the Users section, select the user, and review their main role (only one role can be set as Main Role at a time).

Figure 3. Main Role of the User, in this example it's "Role1".

By editing the role's properties, you can see the security policy of the role (which can be "none").

Figure 4. Security Policy assigned to a role

You can also retrieve the Security Policy of the role with the SecurityPolicyId property of the GAMRole object.

&Role.Load(&Id)//&Role is GAMRole, &Id is GAMKeyNumLong
&SecPolId = &Role.SecurityPolicyId //&SecPolId is GAMKeyNumShort data type

3. If none of the above, but the user has other roles assigned, GAM applies the Security Policy of the Default Repository Role.

4. If none of the above, the default Security Policy of the Repository is used.

If the user has no security policy assigned, the security policy applied is the Default Security Policy of the Repository.

Figure 5. Default Security Policy of the Repository

The DefaultSecurityPolicyId property of the GAMRepository object indicates the default security policy of the repository.

&Repository.Load(&Id) //&Repository is GAMRepository, &Id is GAMKeyNumLong data type
&DefaultSecurityPolicyId  = &Repository.DefaultSecurityPolicyId //&DefaultSecurityPolicyId is GAMKeyNumShort data type

Note: When setting a value higher than 0 for the property MinimumSpecialCharactersPassword, the following regular expression is used:

&UserPassword.Matches(!"[^\d\w]")

Which means:

\w [a-zA-Z0-9_] (literal or digit or underscore)
\d [0-9] (digit)
^ not

So, the regular expression means all that is NOT \d\w