K2 blackpearl Product Documentation: Installation and Configuration Guide
Introduction to User Managers

Use this topic to familiarize yourself with user authentication, authorization and labels in K2.

Definitions

The following key terms are used throughout this section:

User Manager: All configurations necessary to associate K2 with an identity store, such as the security provider, security label, authentication provider and role provider.

Security Label: Also called K2 Label, User Label or simply Label, it is the token string that is prepended to the user’s identity. For example, the ‘K2’ label is used for Active Directory users by default, who appear in the K2 context as K2:[Domain\Username]. The context for the label does not extend beyond the K2 platform. The Security Label identifies specific instances of Authentication Providers and/or Role Providers.

Security Provider: The implementation of an authentication mechanism represented by a set of interfaces for interacting with an identity store and authenticating users located in that store.

Authentication Provider: The mechanism to confirm the identity of a user when they log in or interact with services and data sources. User authentication is performed by passing a set of user credentials. Authentication can be integrated or require the use of a prompt or a web-based form.

Role Provider: The mechanism by which users and groups are resolved in K2 from the identity store.

Fully Qualified Name (FQN): The FQN is the user or role value in [Security Label]:[User/Role Name] format used by K2 for authorization such as assigning tasks, interacting with tasks or assigning permissions.

K2 will prepend the security label for the default user manager when an authentication request occurs without a security label.
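
The FQN format and the default-label rule above, sketched as an added Python example (not K2 code and not part of the original documentation). The label set uses the default labels listed on this page; splitting on the first colon, case-insensitive label matching and the sample entries are assumptions made for illustration.

```python
# Added example, not K2 code. Assumptions: split on the first ':',
# case-insensitive labels, constructed sample entries.
from typing import NamedTuple

REGISTERED_LABELS = {"K2", "K2SQL", "K2LDAP"}  # default labels listed on this page


class Fqn(NamedTuple):
    label: str
    name: str
    defaulted: bool  # True when the default label was prepended


def normalize_fqn(identity: str, default_label: str = "K2") -> Fqn:
    """Split one identity into [Security Label]:[User/Role Name] parts."""
    identity = identity.strip()
    if not identity:
        raise ValueError("empty identity")
    head, sep, tail = identity.partition(":")
    if not sep:
        # No label supplied: the default user manager's label is prepended.
        return Fqn(default_label, identity, True)
    if head.upper() not in REGISTERED_LABELS:
        # Refuse rather than guess which identity store the name belongs to.
        raise ValueError(f"unregistered security label: {head!r}")
    if not tail:
        raise ValueError(f"label without a name: {identity!r}")
    return Fqn(head.upper(), tail, False)


def audit(entries, default_label="K2"):
    """Return (resolved FQNs, findings to review) for a list of entries."""
    resolved, findings = [], []
    for entry in entries:
        try:
            fqn = normalize_fqn(entry, default_label)
        except ValueError as exc:
            findings.append((entry, str(exc)))
            continue
        resolved.append(f"{fqn.label}:{fqn.name}")
        if fqn.defaulted:
            findings.append((entry, f"no label; default {default_label} applied"))
    return resolved, findings


# Constructed permission entries (not taken from a real K2 environment).
SAMPLE = ["K2:EXAMPLE\\alice", "k2sql:bob", "EXAMPLE\\carol", "K2LADP:dave", "K2LDAP:"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the audit again with default_label set to K2SQL shows how the same unlabeled entry resolves against a different identity store once the default user manager changes.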

Available User Managers

Active Directory (Default): requires access to Active Directory domain functional level Windows 2003 or higher to provide authentication and roles.  Active Directory (AD) must be installed and available at the time of installation to configure the AD user manager.

SQL: requires access to the SQL user manager database, K2SQLUM by default, to provide authentication and roles.  SQL user manager can be configured as a non-default user manager or as the default user manager either during or post installation.

LDAP: requires access to an LDAP-compatible system with protocol version 3 or higher to provide authentication and roles. LDAP user manager can be configured as a non-default user manager.

Custom: requires access to the custom identity store to provide authentication and roles.  Custom user manager can be configured as a non-default user manager or as the default user manager post installation.

| User Managers | Active Directory | SQL | LDAP | Custom |
|---|---|---|---|---|
| Security Label – Default Value | K2 | K2SQL | K2LDAP | {Custom} |
| Can be configured as default during installation? | Yes | Yes | No | No |
| Can be configured as default post installation? | No | Yes* | No | Yes* |
| Can be configured as non-default post installation? | No | Yes | Yes | Yes |
| Can be configured with multiple security labels? | No | Yes | Yes+ | Yes+ |

* For more information, please refer to Changing the Default User Manager.
+ The LDAP User Manager implements two IHostableSecurityProvider .NET types, SourceCode.Security.Providers.LdapProvider.Forms.Ldap and SourceCode.Security.Providers.LdapProvider.Trusted.Ldap, and each can only be configured for a single security label. Each Custom User Manager .NET type that implements IHostableSecurityProvider can only be configured for a single security label.

Installing K2

The following default user manager installation scenarios are available out of the box:

Additional user managers can be added post-installation:

The installation procedure requires that a User Manager is available during the course of the installation; prompts for user credentials form part of the process and must be validated before the installation can be completed.

Additional user managers can also be used as the default user manager for accessing K2 items, such as Workspace and the designers. However, if you have Active Directory in your environment it is recommended that you keep AD as the default user manager for interacting with K2 from a design time and management perspective.

Only one security label can be registered for each User Manager .NET type that implements IHostableSecurityProvider.  See the User Managers table above for more information.

Refresh the User Manager Cache

Any change in the configuration of user managers will require an update of the existing user cache. Download and execute the SQL command against the K2HostServer database. The statement has no WHERE clause, so it applies to every row in the Identity table.

UPDATE [K2HostServer].[Identity].[Identity]
   SET [ExpireOn] = GETDATE()
      ,[Resolved] = 0
      ,[ContainersResolved] = 0
      ,[ContainersExpireOn] = GETDATE()
      ,[MembersResolved] = 0
      ,[MembersExpireOn] = GETDATE()
 
GO

Additional Considerations

All Users


K2 does not support a concept of “All Users” for assigning tasks, interacting with tasks or assigning permissions. Built-in or configured groups for the appropriate K2 user manager, for example Domain Users for Active Directory, should be used instead.


K2 blackpearl Product Documentation: Installation and Configuration Guide 4.6.11