Custom Entitlements

Overview

When a user attempts to access AMI, AMI must first validate that the user should be granted access, using a valid user name and password. If access is granted, certain attributes may then need to be associated with the user, which AMI can use to dictate fine-grained access.

There are two different entry points into AMI, each of which can have its own instance of an authentication adapter:

  • Frontend Web Interface - When accessing AMI through a browser, the user must first supply a user name and password via the HTML login page (see property name for front end web access)
  • Backend Command line interface - When accessing AMI's in-memory database using the command line interface, the user must first execute the login command, which in turn calls an instance of this plugin (see property name for backend command line access)

AMI Predefined Attributes

| Attribute | Description |
|---|---|
| ISADMIN | If true, the user will be logged into the website with admin rights |
| ISDEV | If true, the user will be logged into the website with developer rights |
| DEFAULT_LAYOUT | If set, this will be the default layout loaded from the cloud directory on login |
| LAYOUTS | A comma-delimited list of regular expressions for layouts that are available |
| ami_layout_shared | If set, this will be the default layout loaded from the shared directory on login. Deprecated; use DEFAULT_LAYOUT |
| amivar_some_varname | A variable named user.some_varname of type string is added to the user's session. Deprecated; use amiscript.variable |
| amiscript.variable.some_varname | A variable named some_varname of the supplied type is added to the user's session |
| AMIDB_PERMISSIONS | A comma-delimited combination of READ, WRITE, ALTER and EXECUTE which controls permissions for the user when logging in via JDBC or the db command line |

Java interface

com.f1.ami.web.auth.AmiAuthenticator

Properties

ami.auth.plugin.class=fully_qualified_class_name # for Web access
ami.db.auth.plugin.class=fully_qualified_class_name # for Center access

Example

Java Code:

package com.demo;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

import com.f1.ami.web.auth.AmiAuthResponse;
import com.f1.ami.web.auth.AmiAuthenticator;
import com.f1.ami.web.auth.BasicAmiAuthResponse;
import com.f1.ami.web.auth.BasicAmiAuthUser;
import com.f1.container.ContainerTools;
import com.f1.utils.PropertyController;

public class TestAuthenticator implements AmiAuthenticator {

        @Override
        public void init(ContainerTools tools, PropertyController props) {
                // This example needs no initialization.
        }

        @Override
        public AmiAuthResponse authenticate(String namespace, String location, String user, String password) {
                // Note: this example does not check the password; it returns STATUS_OKAY for every login.
                final Map<String, Object> attributes = new HashMap<>();
                attributes.put("ISDEV", "false"); // Set to true for developer privileges
                attributes.put("ISADMIN", "false"); // Set to true for admin privileges
                attributes.put("DEFAULT_LAYOUT", "default_layout.ami");
                attributes.put("LAYOUTS", "layout1.ami,layout2.ami");

                // Map of dashboard namespace -> set of window ids the user may see.
                Map<String, Object> allowedWindows = new HashMap<String, Object>();
                allowedWindows.put("namespace1", new HashSet<String>(Arrays.asList("Window1PNL", "Window2PNL")));
                // This adds a custom AMI Session Variable called `allowedWindows`, which will then be
                // used in some custom script to control which windows are visible.
                attributes.put("amiscript.variable.allowedWindows", allowedWindows);
                // This adds a custom AMI Session Variable called `env`, set to "UAT".
                attributes.put("amiscript.variable.env", "UAT");

                // Use AmiAuthResponse.STATUS_GENERAL_ERROR if authentication failed.
                return new BasicAmiAuthResponse(AmiAuthResponse.STATUS_OKAY, null, new BasicAmiAuthUser(user, attributes));
        }

        @Override
        public String getPluginId() {
                return "TestAuthenticator";
        }
}

Configuration:

ami.auth.plugin.class=com.demo.TestAuthenticator
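
An authenticator that verifies the password before returning STATUS_OKAY and returns STATUS_GENERAL_ERROR otherwise, given here as an added example that is not part of the original page or AMI's own code. The class name CheckedAuthenticator, the in-memory credential store with its constructed sample account, and passing null for the user on a failed login are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import com.f1.ami.web.auth.AmiAuthResponse;
import com.f1.ami.web.auth.AmiAuthenticator;
import com.f1.ami.web.auth.BasicAmiAuthResponse;
import com.f1.ami.web.auth.BasicAmiAuthUser;
import com.f1.container.ContainerTools;
import com.f1.utils.PropertyController;

// Added example (hypothetical class, not AMI's own code): verify the password, fail closed.
public class CheckedAuthenticator implements AmiAuthenticator {
        private static final byte[] DUMMY_SALT = "constructed-dummy-salt".getBytes(StandardCharsets.UTF_8);
        private final Map<String, byte[][]> store = new HashMap<>(); // user -> {salt, PBKDF2 hash}
        @Override
        public void init(ContainerTools tools, PropertyController props) {
                // Constructed sample account; a real plugin would consult LDAP, a database, etc.
                byte[] salt = "constructed-salt-alice".getBytes(StandardCharsets.UTF_8);
                store.put("alice", new byte[][] { salt, hash("constructed-sample-password", salt) });
        }
        static byte[] hash(String password, byte[] salt) {
                try {
                        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 600_000, 256);
                        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
                } catch (GeneralSecurityException e) {
                        throw new IllegalStateException(e);
                }
        }
        @Override
        public AmiAuthResponse authenticate(String namespace, String location, String user, String password) {
                byte[][] rec = store.get(user);
                boolean blank = password == null || password.isEmpty();
                // Always hash, even for unknown users, so response time does not reveal valid names.
                byte[] actual = hash(blank ? "-" : password, rec == null ? DUMMY_SALT : rec[0]);
                if (blank || rec == null || !MessageDigest.isEqual(rec[1], actual))
                        return new BasicAmiAuthResponse(AmiAuthResponse.STATUS_GENERAL_ERROR, null, null); // assumption: null user
                Map<String, Object> attributes = new HashMap<>();
                attributes.put("ISADMIN", "false");
                attributes.put("ISDEV", "false");
                attributes.put("AMIDB_PERMISSIONS", "READ"); // least privilege for JDBC / db command line
                attributes.put("LAYOUTS", "layout1\\.ami,layout2\\.ami"); // entries are regexes: escape the dot
                return new BasicAmiAuthResponse(AmiAuthResponse.STATUS_OKAY, null, new BasicAmiAuthUser(user, attributes));
        }
        @Override
        public String getPluginId() { return "CheckedAuthenticator"; }
}
```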

Controlling which windows are visible using the onStartup Callback

  • The following is required: Dashboard Settings: User Preferences Namespace

// First, let's find out which dashboard the user has loaded.
String layoutNamespace = session.getUserPreferencesNamespace();

// Get the set of allowed windows for the current dashboard, per entitlements.
// Note: the allowedWindows map was defined and populated in the entitlements plugin above.
Set allowedWindowsSet = allowedWindows.get(layoutNamespace);

// Loop through all windows in the dashboard, marking any windows that are not in the entitlements as HIDDEN so the user does not have access to them.
// If no set exists for this namespace (allowedWindowsSet is null), every window is hidden.
Map windowsMap = session.getWindowsMap();
for(String id: windowsMap.getKeys()){
  if(allowedWindowsSet == null || !allowedWindowsSet.contains(id)){
    Window w = windowsMap.get(id);
    w.setType("HIDDEN");  
    w.minimize();
  }
}