role-based access
note
role-based access is supported in the standalone matlab® web app server™ product and not the development version included in matlab compiler™. for details, see .
prerequisites
enable ssl on the server. for more information, see .
enable authentication on the server. for more information, see authentication.
create webapps_app_roles.json
file
enabling role-based access on the server lets you decide which users can author apps and which ones can use them.
matlab web app server supports two roles for role-based access: author and user.
an author can add, delete, and run web apps from matlab web app server. an author sees a manage apps button on the server home page.
a user can only run web apps from the matlab web app server home page. a user sees a diagnostics button on the server home page.
you can use role-based access along with policy-based access to finely determine who can run apps on the server and who can modify them. for details, see policy-based access.
to enable role-based access:
check if ssl is enabled. for more information, see .
check if authentication is enabled. for more information, see authentication.
create a file named
webapps_app_roles.json
and place it in thewebapps_private
folder.the
webapps_private
folder can be found in:operating system folder location windows®
%programdata%\mathworks\webapps\r2023a\config\webapps_private
linux®
/local/mathworks/webapps/r2023a/config/webapps_private
macos
/library/application support/mathworks/webapps/r2023a/config/webapps_private
the json schema for
webapps_app_roles.json
is:{ "version": "1.0.0", "approles": [ { "id": "user", "description":
, "users": { }, "groups": { } }, { "id": "author", "description": , "users": { }, "groups": { } } ] } version: specify the version of the json schema. the default value for r2023a is:
1.0.0
.id: specify the role name. you can specify either
user
orauthor
. only these two roles are supported.description: specify a description for each role. for example:
"description" : "an author can upload, delete, and execute web apps."
users: specify an attribute that uniquely identifies the set of authenticated end users who can assume the role of an author or a user.
the attribute names depend on the type of authentication you are using.
for example, if you are using ldap for authentication, you can fill in the json schema as follows:
in the above schema, once an end-user is authenticated, matlab web app server checks if the authenticated user has"users":{ "email": ["bishop@example.com", "queen@example.com"] }
email
as an attribute, and checks to see if the attribute value (email address in this case) is listed in the schema. when both checks succeed, the end-user will be assigned a role.groups: specify an attribute name and corresponding values that uniquely identify the group of authenticated end users who can assume the role of an author or a user.
the attribute names depend on the type of authentication you are using. using groups lets you assign entire sets of end-users a role at once.
for example, if you are using ldap for authentication, you can fill in the json schema as follows:
in the above schema, once an end-user is authenticated, matlab web app server checks if the authenticated user has"groups": { "memberof": [ "cn=marketing,ou=mail,dc=ldap,dc=example,dc=com", "cn=development,ou=mail,dc=ldap,dc=example,dc=com"] }
memberof
as an attribute, and checks to see if the attribute's values are listed in the schema. when both checks succeed, the end-user will be assigned a role.attributes specified in the schema need to be collective or group attributes.
tip
you do not need to specify both
users
andgroups
in the schema for each role unless that is the only way to obtain a unique set of end users.if you use an attribute in the
users
field in the user role to identify a set of users, you need use the same attribute in theusers
field in the author role to identify a set of users. the same condition applies togroups
as well.
matlab web app server first checks if an authenticated user can assume the role of an author before checking the user role. if checks against both roles fails, the end-user is denied access to the server.
example webapps_app_roles.json
file for ldap authentication
{
"version": "1.0.0",
"approles": [
{
"id": "user",
"description": "a user can only execute web apps.",
"groups": {
"memberof": [
"cn=marketing,ou=mail,dc=ldap,dc=example,dc=com",
"cn=development,ou=mail,dc=ldap,dc=example,dc=com"
]
}
},
{
"id": "author",
"description": "an author can upload, delete, and execute web apps.",
"users": { "email": [
"bishop@example.com",
"queen@example.com"
]
}
}
]
}
example webapps_app_roles.json
file for azure ad authentication
{
"version": "1.0.0",
"approles": [
{
"id": "user",
"description": "a user can only execute web apps.",
"groups": {
"groups": [
"1a23456-ab2c-4444-a123-12345b3a81af",
"2b3456cd-e8ed-4fcf-ac55-6b79b0781eed "
]
}
},
{
"id": "author",
"description": "an author can upload, delete, and execute web apps.",
"users": { "email": [
"bishop@example.com",
"queen@example.com"
]
}
}
]
}
caution
the json schema syntax for webapps_app_roles.json
is
strictly enforced. errors in the schema syntax may result in the server not
starting, or you being denied access to the server when you try to log
in.