question

Upvotes
Accepted
5 0 0 2

OpenDACS Authorization Caching

Hello,

I'm using OpenDACS for end-user authentication and permissions check with CBE.
Our application restarts everyday, and we are considering caching the result of the permissions check made when the user logged in.
So when we check the permissions of the user everytime we need to refresh the live data, we don't call the checkSubscription again.
First, I would like to know if this is a valid solution?
Also, I've read that the OpenDACS makes it's own caching. Does this mean that it's not necessary or give any advantage for us to do our own caching?

Thank you,

#technologyDACSopen-dacspermissioningcaching
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
Accepted
81.1k 264 53 76

@jose.cruz

Thank you for reaching out to us.

You can call the AuthorizationAgent::getPeToSubServiceList() method to look up within the Refinitiv Real-Time Data Access Control System, the PE to subservice authorization values that were assigned to the referred to service.

Then, you can call the the AuthorizationAgent::getUserSubServiceList() method to look up within the Refinitiv Real-Time Data Access Control System, the subservice authorization values, known as AIS list, that were assigned to the referred to user based on the supplied handle.

Next, you can develop an application logic to perform CBE permissions checks based on those information.

However, OpenDACS API also generates the DACS usage files used by DACS to generate DACS reports for auditing. Therefore, if you don't use OpenDACS API to check permissions, DACS will not generate the reports for auditing. You may need to contact your DACS administrator or LSEG account team to verify this kind of usage.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Upvotes
5 0 0 2

Thank you for your answer.

I'm not using the getPeToSubServiceList nor getUserSubServiceList, my CBE permissions check is being based on the tutorial provided: I create the lock and use CheckSubscription.
But what I was going to do is after I check the permissions, I would cache the result so the application doesn't need to check it everytime I refresh the live data.
Is this a valid solution? And does it give me any advantage, since I've read that OpenDacs does it's own caching?

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@jose.cruz

Okay. You are caching the results so the results are valid as long as the permissions for that user are changed. Technically, it is okay.

However, I am not sure about the auditing process or DACS reports. Please contact your DACS administrator or LSEG account team to verify this kind of usage.

Upvotes
5 0 0 2

When you say auditing process, You mean the DACS auditing the user log in?
Because the user would remain logged in I believe, does DACS audits the permission checks as well? Is that what I need to find out?
Regarding the OpenDACS caching, do you know if it has internal caching already?

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@jose.cruz

Sorry, I can't answer questions regarding the auditing process. Please contact your DACS administrator or LSEG account team to answer those questions.

If I remembered correctly, OpenDACS API also have internal cache for DACS user profiles. However, to confirm it, you need to contact the API support team directly via Contact Premium Support.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.