Skip to main content

Delegated Authentication

Delegated authentication allows you to define your own custom authentication mechanisms. The custom mechanisms can also perform basic user setup, for example, assigning roles and other properties.

Here is the sequence of events for a login attempt through a Caché Service that uses delegated authentication:

  1. A user attempts to access Caché through a Caché Service that has been configured to use delegated authentication.

  2. The system automatically invokes the ZAUTHENTICATE routine in the %SYS namespace. This routine contains your custom authentication code. It may also call other code containing additional custom authentication logic.

  3. If ZAUTHENTICATE succeeds, Caché grants the user access to the system and either creates or updates the user account information depending on whether or not this is the user's first login attempt.

  4. If ZAUTHENTICATE fails, Caché denies the user access to the system and sends the user an “Access Denied” error.


For more information on delegated authentication, read Delegated Authentication in the Caché Security Administration Guide.


If you are using HealthShare Unified Care Record, you cannot create a custom version of ZAUTHENTICATE to implement delegated authentication because Unified Care Record comes with its own version of the routine. Instead, you must customize methods in the class HS.Local.ZAUTHENTICATE. For more information, see “Unified Care Record's Authentication Mechanism” in the Unified Care Record Security Guide section of the Unified Care Record documentation.

FeedbackOpens in a new tab