User authentication and authorization

User authentication

When an application is set up for use by multiple users through AIMMS PRO, it is usually considered desirable to limit access to the application to particular (groups of) users, make sure that users have access to only those parts of the application that are of interest to them, and can be given or denied the right of access to each others data.

Authorization via AIMMS PRO portal

When publishing an application on a AIMMS PRO server, you can manage access to your application through the AIMMS PRO portal. The AIMMS PRO documentation User Management decribes more details about the setup of users and groups for your application.

Authorization via model

Next to arranging access to your application application-wide through the PRO portal, the PRO system library extends your model with functionality to access user- and group-related information from within your AIMMS application. More, specifically, through the PRO library function

pro::GetCurrentUserInfo

you can retrieve the currently connected PRO user name and the PRO group membership of the currently connected user.

Role-based security

Using the PRO user name and groups discussed above, you can set up your own customized role-based security scheme within your application. You can accomplish this by associating roles within your application with group membership of particular groups defined through the user management facilities in the AIMMS PRO portal. If PRO user management is linked to your Active Directory environmoment, role-based authorization to your application can also be arranged directly through your company’s Active Directory environment.

Example

Assume that ExecutionAllowed is a two-dimensional parameter defined over a set AllApplicationRoles declared in your model, of which the actual set of PRO groups, retrieved via pro::GetCurrentUserInfo, is a subset, and a user-defined set of application-specific ActionTypes. Then the following code illustrates the to allow or forbid a certain statement to be executed in a role-based manner.

if ( exists(appRole | ExecutionAllowed(appRole, 'Solve') ) then
    solve OptimizationModel;
else
    DialogError( "None of your application roles does allow you\n" +
                 "to solve the optimization model" );
endif;

Use in the interface

You can also use parameters defined over AllApplicationRoles to influence the appearance and behavior of the end-user interface. More specifically, the following aspects of an AIMMS end-user interface can be influenced through the nonzero status of (indexed) parameters:

  • the access to a page through the page tree-based navigational controls,

  • the visibility of graphical (data) objects on a page,

  • the read-only status of data in a data object, and

  • the visibility and enabled/disabled status of menu items and buttons.

Note that both the Windows and browser-based AIMMS UIs support such dynamic model-based access controls.