Role-Based Access

Note

Role-based access is supported in the standalone MATLAB® Web App Server™ product and not in the development version included in MATLAB Compiler™. For details, see MATLAB Web App Server Differences.

Note

To use role-based access, you need to:

  • Enable SSL on the server. For more information, see Enable SSL.

  • Enable authentication on the server. For more information, see Authentication.

Enabling role-based access on the server lets you decide which users can author apps and which ones can use them.

MATLAB Web App Server supports two roles for role-based access: Author and User.

  • An Author can add, delete, and run web apps from MATLAB Web App Server. An Author sees a Manage Apps button on the server home page.

  • A User can only run web apps from the MATLAB Web App Server home page. A User sees a Diagnostics button on the server home page.

You can use role-based access along with policy-based access to finely determine who can run apps on the server and who can modify them. For details, see Policy-Based Access.

To enable role-based access:

  1. Check if SSL is enabled. For more information, see Enable SSL.

  2. Check if authentication is enabled. For more information, see Authentication.

  3. Create a file named webapps_app_roles.json and place it in the webapps_private folder.

    The webapps_private folder can be found in:

    Operating System    Folder Location
    Windows®            %ProgramData%\MathWorks\webapps\R2021b\config\webapps_private
    Linux®              /local/MathWorks/webapps/R2021b/config/webapps_private
    macOS               /Library/Application Support/MathWorks/webapps/R2021b/config/webapps_private

    The JSON schema for webapps_app_roles.json is:

    {
      "version": "1.0.0",
      "appRoles": [
        {
          "id": "User",
          "description": "",
          "users": {},
          "groups": {}
        },
        {
          "id": "Author",
          "description": "",
          "users": {},
          "groups": {}
        }
      ]
    }

    • version: Specify the version of the JSON schema. The default value for R2021b is 1.0.0.

    • id: Specify the role name. You can specify either User or Author. Only these two roles are supported.

    • description: Specify a description for each role. For example:

      "description" : "An Author can upload, delete, and execute web apps."

    • users: Specify an attribute that uniquely identifies the set of authenticated end users who can assume the role of an Author or a User.

      The attribute names depend on the type of authentication you are using.

      For example, if you are using LDAP for authentication, you can fill in the JSON schema as follows:

      "users": {
        "email": ["bishop@myboston.com", "queen@myboston.com"]
      }

      In the above schema, once an end user is authenticated, MATLAB Web App Server checks whether the authenticated user has email as an attribute, and whether the attribute value (the email address in this case) is listed in the schema. When both checks succeed, the end user is assigned the role.

    • groups: Specify an attribute name and corresponding values that uniquely identify the group of authenticated end users who can assume the role of an Author or a User.

      The attribute names depend on the type of authentication you are using. Using groups lets you assign a role to an entire set of end users at once.

      For example, if you are using LDAP for authentication, you can fill in the JSON schema as follows:

      "groups": {
        "memberOf": [
          "CN=Marketing,OU=Mail,DC=ldap,DC=myboston,DC=com",
          "CN=Development,OU=Mail,DC=ldap,DC=myboston,DC=com"
        ]
      }

      In the above schema, once an end user is authenticated, MATLAB Web App Server checks whether the authenticated user has memberOf as an attribute, and whether the attribute's values are listed in the schema. When both checks succeed, the end user is assigned the role.

      Attributes specified in the schema need to be collective or group attributes.

Tip

  1. You do not need to specify both users and groups in the schema for each role unless that is the only way to obtain a unique set of end users.

  2. If you use an attribute in the users field of the User role to identify a set of users, you need to use the same attribute in the users field of the Author role. The same condition applies to groups.

MATLAB Web App Server first checks whether an authenticated user can assume the Author role before checking the User role. If the checks against both roles fail, the end user is denied access to the server.

Example webapps_app_roles.json File for LDAP Authentication

{
  "version": "1.0.0",
  "appRoles": [
    {
      "id": "User",
      "description": "A User can only execute web apps.",
      "groups": {
        "memberOf": [
          "CN=Marketing,OU=Mail,DC=ldap,DC=myboston,DC=com",
          "CN=Development,OU=Mail,DC=ldap,DC=myboston,DC=com"
        ]
      }
    },
    {
      "id": "Author",
      "description": "An Author can upload, delete, and execute web apps.",
      "users": {
        "email": ["bishop@myboston.com", "queen@myboston.com"]
      }
    }
  ]
}

Example webapps_app_roles.json File for Azure AD Authentication

{
  "version": "1.0.0",
  "appRoles": [
    {
      "id": "User",
      "description": "A User can only execute web apps.",
      "groups": {
        "groups": [
          "1a23456-ab2c-4444-a123-12345b3a81af",
          "2b3456cd-e8ed-4fcf-ac55-6b79b0781eed"
        ]
      }
    },
    {
      "id": "Author",
      "description": "An Author can upload, delete, and execute web apps.",
      "users": {
        "upn": ["bishop@myboston.com", "queen@myboston.com"]
      }
    }
  ]
}

Caution

The JSON schema syntax for webapps_app_roles.json is strictly enforced. Errors in the schema syntax may result in the server not starting, or in you being denied access to the server when you try to log in.
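The following is an added example, not code from MathWorks or from MATLAB Web App Server: a small Python model of the role evaluation this page describes (users and groups attribute checks, Author evaluated before User, denial when neither matches) together with a pre-flight validator for webapps_app_roles.json that catches the syntax and schema mistakes the caution above warns about before the file reaches the server. The embedded document is constructed from the LDAP example on this page. Two points are assumptions of this example rather than documented behaviour: a role is granted when either its users spec or its groups spec matches, and within a spec every named attribute must match; the server's real matching rules may differ.

```python
import json

# Constructed example document in the shape of this page's LDAP example.
ROLES_JSON = """
{
  "version": "1.0.0",
  "appRoles": [
    {
      "id": "User",
      "description": "A User can only execute web apps.",
      "groups": {
        "memberOf": [
          "CN=Marketing,OU=Mail,DC=ldap,DC=myboston,DC=com",
          "CN=Development,OU=Mail,DC=ldap,DC=myboston,DC=com"
        ]
      }
    },
    {
      "id": "Author",
      "description": "An Author can upload, delete, and execute web apps.",
      "users": {
        "email": ["bishop@myboston.com", "queen@myboston.com"]
      }
    }
  ]
}
"""

# Only these two roles exist; any other id is a configuration error.
ALLOWED_ROLE_IDS = {"User", "Author"}
ALLOWED_ROLE_KEYS = {"id", "description", "users", "groups"}


def validate_roles(doc):
    """Apply the constraints stated on the page. Rejecting unknown keys is an
    assumption about what "strictly enforced" means for this example."""
    if not isinstance(doc, dict) or set(doc) != {"version", "appRoles"}:
        raise ValueError("top level must contain exactly version and appRoles")
    roles = doc["appRoles"]
    if not isinstance(roles, list) or not roles:
        raise ValueError("appRoles must be a non-empty list")
    # Tip 2: users (or groups) must name the same attribute in both roles.
    attrs_used = {"users": set(), "groups": set()}
    for role in roles:
        unknown = set(role) - ALLOWED_ROLE_KEYS
        if unknown:
            raise ValueError(f"unknown keys in role: {sorted(unknown)}")
        if role.get("id") not in ALLOWED_ROLE_IDS:
            raise ValueError(f"unsupported role id: {role.get('id')!r}")
        for field in ("users", "groups"):
            for attr, values in role.get(field, {}).items():
                if not isinstance(values, list):
                    raise ValueError(f"{field}.{attr} must be a list of values")
                attrs_used[field].add(attr)
    for field, attrs in attrs_used.items():
        if len(attrs) > 1:
            raise ValueError(f"{field} names different attributes across roles: {sorted(attrs)}")
    return True


def load_roles(text):
    """Parse and validate, so a bad file fails here rather than as a server
    that will not start or a login that is denied."""
    doc = json.loads(text)  # json.JSONDecodeError is a ValueError
    validate_roles(doc)
    return doc


def _matches(spec, attributes):
    """True when the user carries every attribute named in spec and at least one
    of the user's values for it is listed. Comparison is exact, so a stray
    trailing space in a listed value means it never matches."""
    if not spec:
        return False  # an empty users/groups object grants nothing
    for attr, allowed in spec.items():
        actual = attributes.get(attr)
        if actual is None:
            return False
        values = actual if isinstance(actual, list) else [actual]
        if not any(v in allowed for v in values):
            return False
    return True


def assign_role(doc, attributes):
    """Evaluate Author before User, as the page describes. None means the
    authenticated user is denied access."""
    by_id = {role["id"]: role for role in doc["appRoles"]}
    for role_id in ("Author", "User"):
        role = by_id.get(role_id)
        if role is None:
            continue
        if _matches(role.get("users", {}), attributes) or _matches(role.get("groups", {}), attributes):
            return role_id
    return None
```

Run the validator over a candidate file before copying it into webapps_private; the attribute map passed to assign_role stands in for whatever the identity provider returns after authentication (an email string for LDAP, a list of group ids for Azure AD).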