Even with the most secure transport possible, there is still a need to authenticate the client. After all, it is important to know who is accessing sensitive data. SyncML provides for three authentication layers:
Each layer's authentication may be overridden at lower layers. For example, the Client authentication may be overridden for a particular datastore, and that may be overridden for a particular object within that datastore.
SyncML Client/Server Authentication
SyncML Client/Server Authentication is the authentication of the Client and the Server. Client/Server Authentication is the most common authentication used in SyncML. This is where the credentials are presented in the SyncHdr and are used to authenticate the sender. For simple setups, this level of authentication may be enough. However, in cases where the Client is accessing datastores that contain sensitive information (e.g. payroll datastores), more authentication may be needed.
It is possible that a Client will need access to a datastore that has restrictions on it. For example, a Client may want to synchronize with a corporate datastore that contains the contact information for all of the company employees. It is possible that the user would be granted read-only rights, with only Human Resources people granted read-write rights.
The credentials for this level of authentication would be presented in the Alert used to start the synchronization with that particular datastore.
Object-level authentication is the least used authentication within SyncML. The purpose for this level is to allow individual objects to be accessible to a smaller number of clients than the datastore authentication would allow. For example, an accounting datastore might allow access to the general ledger within the accounting group, and only allow access to the salaries to the Chief Financial Officer and the Human Resources manager.