Role-Based Access
Note
Role-based access is supported in the standaloneMATLAB®Web App Server™product and not the development version included inMATLAB Compiler™. For details, seeMATLAB Web App Server Differences.
Note
To use role-based access, you need to:
Enable SSL on the server. For more information, seeEnable SSL.
Enable authentication on the server. For more information, seeAuthentication.
Enabling role-based access on the server lets you decide which users can author apps and which ones can use them.
MATLAB Web App Serversupports two roles for role-based access:AuthorandUser.
AnAuthorcan add, delete, and run web apps fromMATLAB Web App Server. AnAuthorsees aManage Appsbutton on the server home page.
AUsercan only run web apps from theMATLAB Web App Serverhome page. AUsersees aDiagnosticsbutton on the server home page.
You can use role-based access along with policy-based access to finely determine who can run apps on the server and who can modify them. For details, seePolicy-Based Access.
To enable role-based access:
Check if SSL is enabled. For more information, seeEnable SSL.
Check if authentication is enabled. For more information, seeAuthentication.
Create a file named
webapps_app_roles.json
and place it in thewebapps_private
folder.The
webapps_private
folder can be found in:Operating System Folder Location Windows®
%ProgramData%\MathWorks\webapps\R2021b\config\webapps_private
Linux®
/local/MathWorks/webapps/R2021b/config/webapps_private
macOS
/Library/Application Support/MathWorks/webapps/R2021b/config/webapps_private
The JSON schema for
webapps_app_roles.json
is:{“版本”:“1.0.0”,“appRoles”:[{" id ": "用户", "description":
, "users": { }, "groups": { } }, { "id": "Author", "description": , "users": { }, "groups": { } } ] } version: Specify the version of the JSON schema. The default value forR2021bis:
1.0.0
.id: Specify the role name. You can specify either
User
orAuthor
. Only these two roles are supported.description: Specify a description for each role. For example:
"description" : "An Author can upload, delete, and execute web apps."
users: Specify an attribute that uniquely identifies the set of authenticated end users who can assume the role of anAuthoror aUser.
The attribute names depend on the type of authentication you are using.
For example, if you are using LDAP for authentication, you can fill in the JSON schema as follows:
"users":{ "email": ["bishop@myboston.com", "queen@myboston.com"] }
email
as an attribute, and checks to see if the attribute value (email address in this case) is listed in the schema. When both checks succeed, the end-user will be assigned a role.groups: Specify an attribute name and corresponding values that uniquely identify the group of authenticated end users who can assume the role of anAuthoror aUser.
The attribute names depend on the type of authentication you are using. Usinggroupslets you assign entire sets of end-users a role at once.
For example, if you are using LDAP for authentication, you can fill in the JSON schema as follows:
"groups": { "memberOf": [ "CN=Marketing,OU=Mail,DC=ldap,DC=myboston,DC=com", "CN=Development,OU=Mail,DC=ldap,DC=myboston,DC=com"] }
memberOf
as an attribute, and checks to see if the attribute's values are listed in the schema. When both checks succeed, the end-user will be assigned a role.Attributes specified in the schema need to be collective or group attributes.
Tip
You do not need to specify both
users
andgroups
in the schema for each role unless that is the only way to obtain a unique set of end users.If you use an attribute in the
users
field in theUserrole to identify a set of users, you need use the same attribute in theusers
field in theAuthorrole to identify a set of users. The same condition applies togroups
as well.
MATLAB Web App Serverfirst checks if an authenticated user can assume the role of anAuthorbefore checking theUserrole. If checks against both roles fails, the end-user is denied access to the server.
Examplewebapps_app_roles.json
申请LDAP身份验证
{“版本”:“1.0.0”,“appRoles”:[{" id ": "用户", "description": "A User can only execute web apps.", "groups": { "memberOf": [ "CN=Marketing,OU=Mail,DC=ldap,DC=myboston,DC=com", "CN=Development,OU=Mail,DC=ldap,DC=myboston,DC=com" ] } }, { "id": "Author", "description": "An Author can upload, delete, and execute web apps.", "users": { "email": [ "bishop@myboston.com", "queen@myboston.com" ] } } ] }
Examplewebapps_app_roles.json
File forAzureAD Authentication
{“版本”:“1.0.0”,“appRoles”:[{" id ": "用户", "description": "A User can only execute web apps.", "groups": { "groups": [ "1a23456-ab2c-4444-a123-12345b3a81af", "2b3456cd-e8ed-4fcf-ac55-6b79b0781eed " ] } }, { "id": "Author", "description": "An Author can upload, delete, and execute web apps.", "users": { "upn": [ "bishop@myboston.com", "queen@myboston.com" ] } } ] }
Caution
The JSON schema syntax forwebapps_app_roles.json
is strictly enforced. Errors in the schema syntax may result in the server not starting, or you being denied access to the server when you try to log in.