Application Access Control
MATLAB® Production Server™ uses Azure® Active Directory (Azure AD) to restrict access to deployed applications to only certain groups of users. If access control is enabled on the server that a MATLAB client application communicates with, the client application must send a bearer token when it sends requests to the server. The bearer token identifies the user that is executing the client application. Based on the bearer token, the server grants or denies access to client applications for executing deployed applications.
Prerequisites
Access control is enabled on the server. For more information, see Application Access Control.
The MATLAB Production Server add-on of the deployed application is installed on the client machine. For more information about installing add-ons, see Execute Deployed MATLAB Functions.
Configure Access Control
Configure access control on the client machine to send a bearer token in server requests. You can send either a system-generated bearer token or specify a bearer token.
Use System-generated Bearer Token
To enable a client application that you write using MATLAB Client for MATLAB Production Server to send a system-generated bearer token to a server, you must set the Azure AD app registration credentials and set an access token policy. Obtain the ServerID, ClientID, and IssuerURI of the Azure AD apps that your organization uses for user authorization from the MATLAB Production Server administrator or the Azure AD administrator of your organization. Typically, you must set these credentials once for each server instance that your MATLAB client applications communicate with.
ServerID — Application ID of the server app registered on Azure AD that is used for user authorization. The ServerID value must be the same as the appID value in the access control configuration file present on the MATLAB Production Server instance. For more information, see Access Control Configuration File.
ClientID — Application ID of the client app registered on Azure AD that is used for user authorization.
IssuerURI — URI followed by the Azure AD tenant ID that the client uses to generate a bearer token for a user.
Run the prodserver.addon.accessTokenPolicy function at the MATLAB command prompt to set the Azure AD app registration credentials and specify the automatic access token policy to use a system-generated bearer token. Also specify, as arguments, the host name and port of the MATLAB Production Server instance that your add-on communicates with.
>> prodserver.addon.accessTokenPolicy('localhost',51133,'automatic',...
       'ClientID','0d963963-e439-41d0-822c-b15ayu8937c3',...
       'ServerID','d19d8po0-7977-4213-a05a-10kjna82fbaf',...
       'IssuerURI','https://login.microsoftonline.com/yourcompany.com')
The MATLAB Production Server Add-On Explorer does not support setting the Azure AD app registration credentials.
Specify Bearer Token
If you want to specify your own bearer token, you can use the prodserver.addon.accessTokenPolicy function to do so.
>> prodserver.addon.accessTokenPolicy('localhost',51133,'your_access_token')
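Before setting a token that you supply yourself, you can decode its claims and confirm that it has not expired and was issued for the server app. The script below is an added example, not MathWorks code: checkBearerToken and the base64url helpers are hypothetical names, the sample token is constructed and unsigned, and matching the aud claim against ServerID is an assumption about how your organization's tokens are issued.

```matlab
% Added example: sanity-check a bearer token's claims before configuring it.
% The signature is NOT verified here; the server remains the authority.
serverID = 'SERVER-APP-ID-PLACEHOLDER';            % placeholder, not a real ID

% Constructed, unsigned sample token so that the script runs offline.
payload.aud = serverID;
payload.iss = 'https://issuer.example/tenant-placeholder/';
payload.exp = floor(posixtime(datetime('now', 'TimeZone', 'UTC'))) + 3600;
token = strjoin({b64urlEncode('{"typ":"JWT"}'), ...
                 b64urlEncode(jsonencode(payload)), 'unsigned-sample'}, '.');

claims = checkBearerToken(token, serverID);
fprintf('aud=%s  iss=%s\n', claims.aud, claims.iss);
% With a real token that passes the checks, configure the client as shown above:
% prodserver.addon.accessTokenPolicy('localhost',51133,token)

function claims = checkBearerToken(token, serverID)
    % Hypothetical helper: decode the JWT payload, then check expiry and audience.
    parts = strsplit(token, '.');
    if numel(parts) ~= 3
        error('token:format', 'Expected three dot-separated JWT segments.');
    end
    claims = jsondecode(native2unicode(b64urlDecode(parts{2}), 'UTF-8'));
    if ~all(isfield(claims, {'aud', 'exp'}))
        error('token:claims', 'Token has no aud or exp claim.');
    end
    % "exp" is seconds since the Unix epoch (RFC 7519).
    expiry = datetime(claims.exp, 'ConvertFrom', 'posixtime', 'TimeZone', 'UTC');
    if expiry <= datetime('now', 'TimeZone', 'UTC')
        error('token:expired', 'Token expired at %s.', char(expiry));
    end
    % Assumption: aud carries the server app ID, possibly inside an app ID URI.
    if ~any(contains(cellstr(claims.aud), serverID, 'IgnoreCase', true))
        error('token:audience', 'Token audience does not match ServerID.');
    end
end

function s = b64urlEncode(txt)
    % Base64url: standard base64 with '-' and '_' and no '=' padding.
    s = matlab.net.base64encode(unicode2native(txt, 'UTF-8'));
    s = strrep(strrep(strrep(s, '+', '-'), '/', '_'), '=', '');
end

function bytes = b64urlDecode(s)
    s = strrep(strrep(s, '-', '+'), '_', '/');
    s = [s repmat('=', 1, mod(-length(s), 4))];     % restore stripped padding
    bytes = matlab.net.base64decode(s);
end
```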
Set Access Token Policy Using MATLAB Production Server Add-On Explorer App
You can use the MATLAB Production Server Add-On Explorer to switch between using a system-generated bearer token and specifying your own bearer token.
In the MATLAB Production Server Add-On Explorer app, select the server that you want your client applications to communicate with, then click Config.
In the dialog box that opens, configure the access token policy. Choose Generate token automatically to let the software generate an access token for you, or choose Use this token and specify the access token. Click OK to save your selection.
You must set the ServerID, ClientID, and IssuerURI parameters from the command line before making a selection to use the system-generated token.
See Also
prodserver.addon.accessTokenPolicy