Relay User

The relay user is a concept used to transform a user session in one grid to another grid using the relay connection. Relay users are configured in the User Configuration part of the Security UI of the answering grid. The relay user ID is associated with a relay channel ID from the calling grid. When a relay call comes from a calling grid with a particular relay channel ID, it will be mapped to a local user.

A local user may have multiple relay IDs if there are multiple relay channels. It is not possible to have more than one relay ID associated to a local ID for the same relay channel ID.

If relay proxy calls flow in both directions between two relay grids, relay users must be defined in both grids.

Relay IDs are configured in the Relay Communications part of the Grid Management UI.

Relay user roles

You can assign raw roles to a relay user in the Relay ID Mappings part of the Grid Management UI.

When a proxy call comes via the relay channel, any such configured raw roles are mapped using the standard grid user and role mapping functionality. The raw roles will not be automatically mapped, so even if "grid-admin" is assigned as a raw role, the user will not get a session with the "grid-admin" role unless there is a role mapping configured. For more information about setting up role mappings, see the "Authorization" section.

Relay user example

In this example there are two grids, CallingGrid and AnsweringGrid, which have a relay channel configured between them.

The AnsweringGrid has an application called demoapp with a session-annotated proxy method that is called on behalf of a user in CallingGrid. The role required to access the method is "demoapp/app-user".

The user’s local username in CallingGrid is "bob@corp.com".

In AnsweringGrid, the relay user "bob@corp.com" is mapped to the local user "billybob" when calling from the CallingGrid’s relay channel ID. The user "billybob" has also been given the raw role "demoapp-user" when accessing from the CallingGrid relay channel. For more information on how to perform these configurations, see Relay User Configuration.

The user and role mapping utility in the Grid Configuration Manager has been used to map the "demoapp-user" raw role to the "demoapp/app-user" grid application role.

When "bob@corp.com" accesses the proxy client for demoapp in CallingGrid, the call is made over the relay channel. In the AnsweringGrid, the user is resolved to "billybob" with the raw role "demoapp-user". Because of the role mapping, "billybob" gets the "demoapp/app-user" role, and finally gets access to the proxy method in demoapp.