Authentication and Authorization Sequence

When a user tries to log in to an Iotellect Server with a username and password, the following authentication process is applied:

1. First, the server searches for a local user account associated with the provided username.

2. If a local account is found, the server checks the state of the Use External Authentication flag in the user account.

  • 2.1 If the Use External Authentication flag is disabled, the user is authenticated or denied access based on the provided password compared against the local account.

  • 2.2 If the Use External Authentication flag is enabled, an attempt to authenticate the user through an external authentication plugin is then performed.

3. If a local account is not found, an attempt to authenticate the user through an external authentication plugin is performed:

  • 3.1 If External Authentication is disabled in the global server configuration, the user is denied.

  • 3.2 If External Authentication is enabled and configured to use an external authentication plugin, the authentication request is forwarded to the plugin. The user is authenticated or denied access based on the plugin response.

4. Once the user is authenticated, the properties of the global server setting User Connection Mode are evaluated, which may allow access to the account, deny access to the account, or cause other sessions to be logged out.

5. The Account Enabled, Activation Time, Expiration Time, and Connection Restriction Expressions properties of the individual user’s Account Settings are evaluated to determine if access should be denied to the account.

6. If access is allowed to the account, the permission authorization process starts:

  • 6.1 A user account that is authenticated via an External Authentication plugin is associated with a local account on the platform. If this local account has the Use External Authentication flag disabled, the user is denied.

  • 6.2 If the Inherit Permissions flag is disabled in the local account settings, the user is authorized using its own Permissions table.

  • 6.3 If the Inherit Permissions flag is enabled in the account settings, the user is authorized using the Permissions table of a role-based user account specified by the Inherit Permissions From setting.
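
The sequence above written as a single decision function, added here as an illustration and not Iotellect code. The `Account` class, the `login` function and the `plugin` callable are hypothetical. Assumptions: a missing plugin also denies in case 2.2, the plugin returns the name of the associated local account, User Connection Mode is reduced to a boolean, and Connection Restriction Expressions are not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime
from hmac import compare_digest
from typing import Callable, Optional

@dataclass
class Account:  # hypothetical model of a local user account
    name: str
    password: str = ""  # plaintext only to keep the sample short
    use_external_auth: bool = False
    enabled: bool = True
    activation: Optional[datetime] = None
    expiration: Optional[datetime] = None
    inherit_permissions: bool = False
    inherit_from: Optional[str] = None
    permissions: list = field(default_factory=list)

# plugin: hypothetical callable (username, password) -> associated local account name, or None
def login(accounts: dict, username: str, password: str,
          plugin: Optional[Callable], now: datetime, connection_mode_allows: bool = True):
    """Return (allowed, reason, permissions) following steps 1-6."""
    local = accounts.get(username)                              # step 1
    external = False
    if local and not local.use_external_auth:                   # step 2.1
        if not compare_digest(password.encode(), local.password.encode()):
            return False, "bad local password", None
    else:                                                       # steps 2.2 and 3
        if plugin is None:                                      # 3.1 (assumed for 2.2 too)
            return False, "external authentication disabled", None
        mapped = plugin(username, password)                     # step 3.2
        if mapped is None:
            return False, "plugin rejected credentials", None
        local, external = accounts.get(mapped), True
        if local is None:
            return False, "no associated local account", None
    if not connection_mode_allows:                              # step 4
        return False, "denied by User Connection Mode", None
    if (not local.enabled                                       # step 5
            or (local.activation and now < local.activation)
            or (local.expiration and now >= local.expiration)):
        return False, "account settings deny access", None
    if external and not local.use_external_auth:                # step 6.1
        return False, "local account does not allow external authentication", None
    if local.inherit_permissions:                               # step 6.3
        role = accounts.get(local.inherit_from)
        if role is None:                                        # fail closed (assumption)
            return False, "role account missing", None
        return True, "ok", role.permissions
    return True, "ok", local.permissions                        # step 6.2
```
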
