Account funneling

  • 2 November 2021
  • 0 replies

Userlevel 1
Badge +2

In USoft web solutions, in Production, authentication is typically through account funneling. End users are registered and authenticated by USoft: they are funneling users. They access the database indirectly through a shared RDBMS account referred to as funnel account.

Account funneling has 2 distinct purposes:

  • Enhanced security. Web users do not connect to the database directly. It is much harder to hack the application by SQL injection strategies.
  • Ease of administration. DBAs need to grant and facilitate only a single RDBMS user.

In USoft Authorizer, the funnel user has Account Type = Funnel and Validation Agent = RDBMS. The funneling users have Account Type = Funneling and a Validation Agent other than RDBMS.

USoft Authorizer prevents users with Account Type = Funnel from connecting with a Rules Engine through a Rules Service or other web-based service.

This is why you should set Account Type = Funnel for the funnel user who accesses the database, and Account Type = Funneling for runtime end users.

Account funneling is applied to USoft URL-based applications built with Web Designer and Service Definer. Rules Engine requests are handled by a Rules Service, which is a server process and not, as in Client/Server, a user process.

Account funneling may also be applied to USoft C/S applications, in order to gain advantage of other Validation Agents such as the operating system:

  • First connect the C/S application to the RDBMS using the funnel account.
  • Now call the RulesEngine.SetUser() method to switch to a funneling account. Web applications implicitly call the SetUser() method to tell the Rules Engine which user rights apply.
  • The user credentials specified in the setuser method are validated by the Validation Agent that has been specified for that user in the USoft Authorizer.
  • If this call is successful, the Rules Engine will continue on behalf of the funneling account that was passed in the SetUser() request.

Summary: Account Type

Here are possible settings for Account Type and associated settings for Validation Agent:

Account Type Description Validation Agent
RDBMS User corresponds to an RDBMS user and accesses database tables directly, in schemes other than account funneling. RDBMS
Funnel User corresponds to an RDBMS user and accesses database tables directly on behalf of Funneling users. RDBMS
Funneling User is shielded from direct database access. Database access is via the Funnel user who configured the service (eg., Rules Service) or API. Intended for end users connecting to Rules Services, REST APIs and other web services. (Other)


0 replies

Be the first to reply!