GAM - Users

This documentation is valid for:
GeneXus 18 Help
GeneXus 17 Help
GeneXus 16 Help

GAM users are stored in the User table of the GeneXus Access Manager (GAM) Database.

The credential information stored in the User table depends on the Authentication Types used in GAM:

For Local Authentication Type, user credentials are stored in the GAM User table. This is the only case in which they are accessible by GAM.
For External Authentication Type, Twitter Authentication Type, Google Authentication Type or Facebook Authentication Type, the user credentials belong to the external identity providers.

Depending on the application model design, user information may reside entirely in the GAM User table, or in another table within the application. In that case, you must map the information so that GAM can properly enforce security, even if user data is stored outside the GAM tables.
See HowTo: Map Application Users to GAM Users for details.

User identity

Each user is identified by a GUID in the GAM User Table. Additionally, the combination of "User Namespace (UserNameSpace) \ Authentication Type (UserAuthTypeName) \User Name (UserName)" forms a Candidate Key.

When a user is created, they are assigned the Repository Namespace of the repository in which they are defined.

Users can also be referenced by other properties such as their name, login, or nickname. For more information, see: HowTo: Reference GAM users using the GAM API.

Adding users

Although the Database may support case sensitivity, GAM does not support case sensitivity for usernames. If you try to insert a user named "John" (capitalized) while another user with the username "john" already exists, an error will be returned: Username already exists. (GAM49).

Deleting users

You can logically delete a user using the Delete method:

&GAMUser.Load(&GAMGUID)
    if &GAMUser.Success()
        &GAMUser.delete()
    endif
endif

To restore (undelete) a user, use the corresponding method:

&GAMUser.Load(&GAMGUID)
    if &GAMUser.Success()
        &isOK = &GAMUser.UnDelete(&GAMErrors)
        if &IsOK
          commit
        else
           //Display GAM Errors
       endif
endif

Another option is physical deletion. In this case, the user and all related data are permanently removed from the database:

&GAMUser.Load(&GAMGUID)
     if &GAMUser.Success()
        &isOK = &GAMUser.PhysicalDelete(&GAMErrors)
           if &isOK
             commit
           else
              //Process GAM Errors
           endif
     endif

For more information, see: How to revoke tokens from external IDPs.

GAMUser external object

The GAMUser external object, which is imported when GAM is activated or updated, is used to manage GAM Users in the application.

It is part of the GAM API and allows handling user properties and performing different operations.

For examples of how to use the GAM API to manage user relations, refer to the following links:

See the GAM - Examples distributed, in particular the GAMExampleWWUsers and GAMExampleEntryUser objects to get more examples.

User relation to Roles, Repository and Permissions

A User is a strong entity, uniquely identified by a GUID (used as the Primary Key).
Considering that GAM can include more than one repository (see Multiple Repositories Scenarios), a user can be enabled in multiple repositories, as long as the user's namespace matches the Repository Namespace where they are enabled. See Users enabled or disabled in the GAM Repository.
Users are associated with Roles in a Repository (a user can have multiple Roles per Repository), following the Role Based Access Control (RBAC) approach.
Additionally, users can also be directly related to Permissions.

User properties

The User table structure allows storing UserFirstName, UserLastName, UserBirthday, UserGender, UserPhone, etc. If you need to store other information in addition to the information provided by the User table structure, you can extend the User table properties using an OAV-based approach. See Extensibility of GAM entity properties and HowTo: GAM User table extensibility - multivalued attributes.

GAM Initialization and admin user

When GAM is activated for the first time (Enable Integrated Security property is set to TRUE), the user "admin" is created for prototyping purposes. You can login using the "admin" user in the GAM Backoffice in order to start working, and then create new users for your application. See GAM - Getting Started for more details.