MATLAB® Production Server™ pay as you go (PAYG) uses Azure® Active Directory (Azure AD) to restrict access to deployed applications to only certain groups of users.
Note
Application access control is available only when you make server requests using the MATLAB Production Server RESTful API.
The MATLAB Production Server deployment on AWS® must use HTTPS to access the MATLAB Production Server dashboard.
All users can access all applications by default.
To enable access control, configure Azure AD and define access control policy rules in the Application Access Control tab of the MATLAB Production Server (PAYG) dashboard. You can then generate an access token for the groups of users that you want to allow to access certain applications. Use this access token in the HTTP authorization header when you make a request to the server using the MATLAB Production Server RESTful API.
You must log in to the dashboard as a global admin or manager to configure application access control.

To use Azure AD for application access control, you must register a server application and a client application in the Azure portal using Azure App registrations. These applications are different from the application that you might have registered for dashboard access control. These applications are not related to the applications deployed to MATLAB Production Server or client applications written using the MATLAB Production Server client libraries.
Note
The application registration process is determined by Azure and is subject to change.
Sign in to the Azure portal.
Select Azure Active Directory > App registrations. Select New registration.
In the resulting pane, enter the name of the application (for example, MATLAB Production Server App), then select Register.
In the application that you registered, select Expose an API in the left pane.
In the pane that opens, click Add a scope, and enter the scope information for your application. Click Add Scope to save the information. For more information on adding a scope, see Azure documentation. The following table lists the fields and values that you enter to add a scope.
| Field | Value |
|---|---|
| Scope name | Enter a name, for example, |
| Who can consent | Select Admin and users. |
| Admin consent display name | Enter a name, for example, |
| Admin consent description | Enter a description, for example, |
| User consent display name | Enter a name, for example, |
| User consent description | Enter a description, for example, |
| State | Select Enabled. |
Click Manifest in the left navigation pane. In the JSON that is displayed in the resulting pane, set the value for groupMembershipClaims to "SecurityGroup". Click Save.
Register a client application in Azure to generate an access token to restrict the execution of deployed applications to only a certain group of users. You can register the client application as either a native app or a web app. If you register the client application as a native app, users have to log in using a user name and password to generate the access token. If you register the client application as a web app, users have to log in using the browser with single sign-on to generate the access token.
Registering client applications can require higher privileges in Azure based on your organization setup.
Register Client Application as Native Client
Sign in to the Azure portal.
Select Azure Active Directory > App registrations. Select New registration.
In the pane that opens, enter the following registration information for your application, then click Register.
| Field | Value |
|---|---|
| Name | Enter a name, for example, |
| Redirect URI | Select Public client/native (mobile & desktop). |
Click Manifest in the left navigation pane. In the JSON that is displayed in the pane that opens, set the value for allowPublicClient to true. Click Save.
Click API permissions in the left navigation pane. Click Add a permission.
In the pane that opens, click APIs my organization uses.
Search for the MATLAB Production Server App server application that you registered earlier. In the pane that opens, select the scope name (for example, user_impersonation), then click Add permissions.
Register Client Application as Web Client
Sign in to the Azure portal.
Select Azure Active Directory > App registrations. Select New registration.
In the pane that opens, enter the following registration information for your application, then click Register.
| Field | Value |
|---|---|
| Name | Enter a name, for example, |
| Redirect URI | Select Web. Enter a valid redirect URI that will be used by your client application. |
Select Certificates & secrets in the left navigation pane.
Under Client secrets, create a new client secret, and save the value of the secret.
Click API permissions in the left navigation pane. Click Add a permission.
In the pane that opens, click APIs my organization uses.
Search for the MATLAB Production Server App server application that you registered earlier. In the pane that opens, select the scope name (for example, user_impersonation), then click Add permissions.
After you register the server application and client application in the Azure portal, configure Azure AD, which is the identity provider. To configure Azure AD, find the values for the tenant ID for your organization and the application ID for the server application that you created for application access control in the Azure portal. Enter these values in the Identity Provider section in the Application Access Control tab of the MATLAB Production Server (PAYG) dashboard, then click Save. Saving the values can take up to 30 seconds on a Windows® VM.

Find the Directory (tenant) ID in the Azure portal.
Sign in to the Azure portal.
Select Azure Active Directory > Properties.
Copy the parameter value for Directory (tenant) ID and paste it into the text box corresponding to the Tenant ID in the dashboard.
Find the Application (client) ID of the server application in the Azure portal. This is the application that you registered earlier.
Sign in to the Azure portal.
Select Azure Active Directory > App registrations.
Select the application used for MATLAB Production Server, for example, MATLAB Production Server App.
Copy the parameter value for Application (client) ID and paste it into the text box corresponding to the Production Server App ID in the dashboard.
Specify the applications that certain user groups can access by defining access control policy rules. To define the rule, click Add Rule in the Access Control Policy section in the Application Access Control tab of the MATLAB Production Server dashboard, and specify the following information.

| Field | Value |
|---|---|
| Rule ID | Enter a name for the rule. |
| Description | Enter a description for your rule. |
| Groups | Enter the object IDs for the Azure AD groups. Follow the instructions shown to find object IDs in Azure. |
| Applications | Select specific applications that you want to allow the specified groups of users to access, or select Apply this rule to all applications to select all applications. |
Generate an access token for the groups of users that you want to allow to access the deployed applications. If the registered client application is a native app, users have to log in using a user name and password, or integrated Windows authentication, to generate the access token. If the registered client application is a web app, users have to log in using the browser with single sign-on to generate the access token. You can use the Microsoft® identity platform authentication libraries (Microsoft-supported client libraries or compatible client libraries in different programming languages) to generate the access token. For more information, see Microsoft documentation. Use this access token in the HTTP authorization header when you make a request to the server using the MATLAB Production Server RESTful API. The format for this header is Authorization: Bearer <access token>.
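The following added example (not MathWorks code) is a local pre-flight check that decodes an access token's claims and compares them with the values configured above: the tenant ID, the server application ID, and the group object IDs in a rule. It assumes the token is an Azure AD JWT; the function names and all IDs are constructed for illustration, and the signature is not verified here, so it serves only as a troubleshooting aid before sending the request.

```python
import base64, json, time

# Constructed sample IDs (not real tenant, application or group values).
TENANT = "11111111-1111-1111-1111-111111111111"
APP = "22222222-2222-2222-2222-222222222222"
GROUP = "33333333-3333-3333-3333-333333333333"

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, tenant_id, server_app_id, rule_groups, now=None):
    """Return a list of problems; an empty list means the claims match the configuration."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the configured tenant ID")
    # v2.0 tokens carry the app ID in aud; v1.0 tokens may carry the App ID URI (default api://<app ID>).
    if claims.get("aud") not in (server_app_id, "api://" + server_app_id):
        problems.append("aud is not the server application")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    # For users in many groups, Azure AD omits the inline groups claim and sets _claim_names instead.
    if "groups" in claims.get("_claim_names", {}):
        problems.append("groups overage: no inline groups claim")
    elif not set(claims.get("groups", [])) & set(rule_groups):
        problems.append("no group object ID from the rule is in the groups claim")
    return problems

def auth_header(token):
    """Build the HTTP authorization header used for RESTful API requests."""
    return {"Authorization": "Bearer " + token}

def make_sample_token(claims):
    """Build an unsigned, constructed token for demonstration; the signature part is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])

if __name__ == "__main__":
    tok = make_sample_token({"tid": TENANT, "aud": APP, "exp": time.time() + 600, "groups": [GROUP]})
    print(check_token(tok, TENANT, APP, [GROUP]))  # no problems for a matching token
    print(list(auth_header(tok)))
```

An empty groups result usually points back at the server application's manifest (groupMembershipClaims) or at the group object IDs entered in the rule.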