
Using Proxy Access Validation

This section discusses how to:

The Proxy Access Validation (PAV) logic evaluates different conditions that determine whether a proxy should have access to a delegated component. The conditions are defined for each of the delegation transactions in the Delegation Transaction Setup component.

The PAV engine uses any one of the following conditions to determine whether to revoke a proxy’s access:

  • Never. Proxies will never have their access to the transaction revoked.

  • Transaction status is set to Inactive.

  • Delegator no longer has the security access to delegate the transaction.

If any one of the above conditions is met, the PAV logic revokes the proxy’s access to the transaction. It sets the transaction status to Ended (marked in the record as Revoked) and provides a reason that depends on which condition is met. The process can also remove the security role tied to the transaction from the proxy’s user profile. Whether the role is removed depends on whether another delegator has delegated the same transaction to the proxy. In that case the proxy’s user profile is not updated, because the proxy still needs access to the components in order to access the other delegators’ data.

For example, Mary is the mother of Jane and Luke. Both are students in your institution and both delegated access to their View My Class Schedule component to their mother. If this transaction is set to revoke the proxy access when the delegator no longer has access to delegate the transaction, and Jane lost her access to a component needed to delegate the View My Class Schedule transaction, then Mary will see her access to that transaction revoked for Jane but still granted for Luke. In this case PAV will not delete the role tied to the View My Class Schedule transaction from Mary’s user profile, because Mary still needs her access to view Luke’s data.

For information on how to set up a transaction with various revoke conditions, see Configuring Delegation Transactions.

To make sure the proxy has the proper access to the delegated transactions at all times, the PAV engine is triggered two different ways:

  • Real-time processing occurs just in time, at the time a delegated access actor (a proxy, a delegator or an administrator) accesses a component configured for PAV. Running the process in real time ensures that proxies can only access what they are allowed to access, and that delegators and administrators see an accurate picture of the delegated transactions. There is no need to wait for the batch process to run. It also ensures that if the batch process fails or was not scheduled, the security check is enforced.

  • Batch processing allows the PAV engine to validate multiple transactions, delegators and proxy relationships at the same time. Proxy access validation is performed ahead of time. The batch process is an application engine process called SCC_DA_PAV and can be run from the Proxy Access Validation page (select Campus Community, then select Delegated Access, then select Proxy Access Validation). It uses the same validation logic used in real-time processing. In addition, during a batch process extended database updates and notification framework calls are executed. For example, roles can be added to or removed from proxy user profiles, and email notifications are sent.

Real Time Proxy Access Validation

In real-time processing, the PAV engine validates whether a proxy should still have access to a component at the time the:

  • Proxy accesses a delegated component. The PAV engine evaluates if the proxy has the security necessary to access the desired component. The PAV is triggered from the delegated component generic search record SCC_DA_SRCH_VW. For information on how to use SCC_DA_SRCH_VW, see Step 5: Setting Up Components for Delegated Access.

    The search record triggers the PAV engine and retrieves the user ID of the proxy that is logged in as well as the transaction code that is related to the component that the proxy is trying to access. The transaction code that is retrieved helps the process evaluate whether the revoke conditions for the transaction are met, and then returns in the search record only the names of the delegators for which the proxy still has access.

    For example, Mary is the mother of Jane and Luke. Both are students in your institution and they both granted their mother access to their Emergency Contacts component. If this transaction is set to revoke the proxy access if the delegator no longer has access to delegate the transaction and Jane does not have access to a component needed to delegate this transaction, then the PAV real-time logic will revoke Mary’s access to Jane’s data, that is, Mary will not be able to access Jane’s data. The search record to access the Emergency Contacts component will return only the name of Luke.

    Another example would be if the Emergency Contacts transaction is set up to revoke proxy access when the transaction is made inactive. Suppose this transaction has been inactivated and Mary attempts to access it. Mary navigates to the component through the search record. The PAV process is triggered, evaluates the situation, and revokes Mary’s access to the component for all the delegators. Mary will see a search record to access the Emergency Contacts component, but it will return ‘No matching values were found’. Mary will not be able to access any of her delegators, because her access was revoked when the transaction was set to ‘Inactive’.

  • Delegator accesses the Share My Information component. The PAV engine evaluates all the proxies created by the delegator to determine whether any of the proxies meet any one of the revoke conditions selected in the transaction codes they have been delegated. The PAV engine is triggered from the SS_CC_DA_SHAREINFO component. The Share My Information – Summary page will only display the proxies that have current access to the delegated transactions.

  • Administrator accesses the Review Shared Information component. The PAV engine evaluates all the proxies created by the selected delegator to determine whether or not any of the proxies meet any one of the revoke conditions selected in the transaction codes they have been delegated. The PAV is triggered from the SCC_DA_ADMIN component. The Review Shared Information – Summary page will only display the proxies that have current access to the delegated transactions.

When the PAV engine determines that a proxy’s access should be revoked from a certain transaction, it performs the following updates on the database:

  • The transaction status is changed from ‘Access Granted’ (AG) to ‘Revoked’ (RV). This value is stored in the SCC_DA_PRXY_TXN.SCC_DA_TXN_STATUS record field.

  • The Revoke Reason field is populated with the reason why the access was revoked.

  • The transaction record is flagged so that it can be picked up by the PAV batch process, and the Notifications framework can send an email notification to the proxy and its user profile can be properly updated. In the SCC_DA_PRXY_TXN record, the SCC_DA_RLTM_UPD field is set to ‘Y’.

When PAV is processed in real time, an email notification is not sent to the proxy and the proxy’s user profile is not updated. Instead, these actions are performed later by the PAV batch process.

Batch Proxy Access Validation

Instead of waiting for a proxy, a delegator, or an administrator to access a component, use the PAV batch process to evaluate multiple transactions, or delegator and proxy relationships to validate a proxy’s access to a transaction.

When the PAV process determines that a proxy’s access should be revoked from a certain transaction, it performs the following updates on the database.

  • The transaction status is changed from ‘Access Granted’ (AG) to ‘Revoked’ (RV). This value is stored in SCC_DA_PRXY_TXN.SCC_DA_TXN_STATUS.

  • The Revoke Reason field is populated with the reason why the access was revoked.

  • The Notifications framework is triggered to send an email notification to the proxy to inform him about revoked transactions. The DA_PROXY_REVOKE generic template is used.

  • If no other delegator gives the proxy access to the same transaction code, the proxy’s user profile is updated by removing the security role tied to the transaction code to which the proxy no longer has access.

  • If a transaction record was flagged by the PAV real-time process (the field SCC_DA_RLTM_UPD is set to ‘Y’ in the SCC_DA_PRXY_TXN record), the PAV batch process completes the full validation process by triggering the Notifications framework to send an email notification to the proxy to let him know about the revoked transactions. The batch process also determines if the proxy’s user profile should be de-provisioned from the role listed in the delegated transaction. Once terminated, the PAV batch logic sets the SCC_DA_RLTM_UPD field to ‘N’ so the transaction is not processed the next time the batch process is run.
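The two-phase behavior described above (real-time revoke and flag, batch notification and role de-provisioning) can be modelled in a few lines. This is an added example, not PeopleSoft or PeopleCode source. The transaction codes, role names, reason strings and the `cfg`, `inactive` and `can_delegate` structures are assumptions, with one role per transaction; only the AG/RV status values and the SCC_DA_RLTM_UPD flag come from the page.

```python
from dataclasses import dataclass
@dataclass
class ProxyTxn:                 # one row modelled on SCC_DA_PRXY_TXN
    proxy: str
    delegator: str
    txn: str                    # transaction code (constructed values)
    status: str = "AG"          # SCC_DA_TXN_STATUS: AG = Access Granted, RV = Revoked
    reason: str = ""            # Revoke Reason
    rltm_upd: str = "N"         # SCC_DA_RLTM_UPD

def granted(rows, proxy, txn):
    """Rows where this proxy still holds 'Access Granted' for the transaction."""
    return [r for r in rows if (r.proxy, r.txn, r.status) == (proxy, txn, "AG")]

def revoke_reason(row, cfg, inactive, can_delegate):
    """Return why this row must be revoked, or None if access stands."""
    conds = cfg[row.txn]["revoke_when"]          # empty set models 'Never'
    if "INACTIVE" in conds and row.txn in inactive:
        return "transaction inactive"
    if "NO_SECURITY" in conds and (row.delegator, row.txn) not in can_delegate:
        return "delegator lost security"
    return None

def realtime_pav(rows, proxy, txn, cfg, inactive, can_delegate):
    """Search-record step: revoke and flag failing rows, return visible delegators."""
    for r in granted(rows, proxy, txn):
        why = revoke_reason(r, cfg, inactive, can_delegate)
        if why:                                  # no email, no role change here
            r.status, r.reason, r.rltm_upd = "RV", why, "Y"
    return [r.delegator for r in granted(rows, proxy, txn)]

def batch_pav(rows, roles, cfg, inactive, can_delegate):
    """Batch step: same checks, then notify and de-provision unneeded roles."""
    pending = [r for r in rows if r.rltm_upd == "Y"]    # flagged by real-time PAV
    for r in rows:
        why = revoke_reason(r, cfg, inactive, can_delegate) if r.status == "AG" else None
        if why:
            r.status, r.reason = "RV", why
            pending.append(r)
    for r in pending:
        r.rltm_upd = "N"                         # do not reprocess on the next run
        if not granted(rows, r.proxy, r.txn):    # no other delegator grants this txn
            roles[r.proxy].discard(cfg[r.txn]["role"])
    return [(r.proxy, r.delegator, r.txn) for r in pending]   # notifications to send

def stale_roles(rows, roles, cfg):
    """Audit: roles a proxy still holds with no 'AG' row behind them."""
    return sorted((p, c["role"]) for p, held in roles.items() for t, c in cfg.items()
                  if c["role"] in held and not granted(rows, p, t))
```

Running `stale_roles` between a real-time revocation and the next batch run lists the roles that remain on a proxy's profile although every delegation behind them is already revoked.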

Page Name: Proxy Access Validation

Definition Name: SCC_DA_PAV_RUN_CNT

Navigation: select Campus Community, then select Delegated Access, then select Proxy Access Validation

Usage: Use a batch process to validate multiple transactions, delegator and proxy relationships in order to revoke access to delegated transactions.

The Proxy Access Validation process validates proxy access in real time when the:

  • Proxy accesses a delegated component.

  • Delegator accesses the Share My Information component.

  • Administrator accesses the Review Shared Information component.

Access the Proxy Access Validation page (select Campus Community, then select Delegated Access, then select Proxy Access Validation).

Image: Proxy Access Validation page

This example illustrates the fields and controls on the Proxy Access Validation page. You can find definitions for the fields and controls later on this page.

The batch process evaluates whether the Transaction Status is set to ‘Access Granted’. It also evaluates the transactions that are flagged as Real-time Updates by the PAV real-time process. This is when the SCC_DA_RLTM_UPD field is set to ‘Y’ in the SCC_DA_PRXY_TXN record.

When you run the batch process against a delegator or specific transactions, the PAV process evaluates only the transactions for the selected delegator or specified transaction codes. This means that transactions that have been updated during PAV real-time processing but do not belong to the selected delegator or transaction codes will not be processed.

Delegator IDs or Transactions Selection

Use this group box to select the transactions or delegator EMPLIDs to process.

Field or Control

Definition

Selection

Select:

  • All Transactions to process all transaction codes for all delegator EMPLIDs that delegated transactions. When selected, the All Transaction Codes check box is automatically selected and greyed-out. You will not be able to specify a specific transaction code.

  • All Delegators to process all delegators. When selected, you can specify to process any of the following:

    • All Transaction Codes, the result of which is similar to selecting ‘All Transactions’.

    • Specific Transaction Codes

  • Specific Transactions to process only particular transaction codes. When you select this option, the Specific Transaction Codes check box is selected and greyed-out, and the Delegated Transaction Selection grid appears so you can select which transaction codes you want to evaluate.

  • One Delegator to process a particular delegator. When you select this option, the Delegator ID field appears. Also, you must select whether all transaction codes or specific transaction codes should be processed for the delegator you choose.

Delegator ID

Select a delegator ID for which to run the batch process. The field prompt only returns EMPLIDs for existing delegators.

This field appears only when you select One Delegator from the Selection list.

All Transaction Codes or Specific Transaction Codes

Select to run the batch process for one or specific transaction codes. When one option is selected, the other one is disabled. When you select Specific Transaction Codes, the Delegated Transaction Selection grid appears.

Delegated Transaction Selection

Use this grid to add one or more transaction codes for which to run the batch process.

Revoke Proxy Access Options

Use this group box to override the transaction settings that you set up in the Delegation Transaction setup page.

Note: The option ‘Never’ is not applicable for PAV when run in batch.