
Showing posts from February, 2014

Conditional URL Policy Evaluation in OpenAM

To perform conditional URL evaluation (where arguments embedded in the URL vary from request to request and must influence the policy decision), a custom policy evaluation plugin needs to be implemented, because the stock URL pattern matching can only match a wildcard segment, not compare its value against an attribute of the subject - http://docs.forgerock.org/en/openam/11.0.0/dev-guide/index/chap-policy-spi.html
Use Case
The URL contains all of the information required to make a policy decision, but components of the URL vary and supply the context.
Eg – http://app.example.com/orgs/*/users/*?action=patch
In this example an organisation number prefixes users, whilst the user number suffixes users. A condition should exist where only users who are managers AND are managers of the same organisation as the user they are accessing should be allowed.
Manager1, org=123 – http://app.example.com/orgs/123/users/456?action=patch – ALLOW
Manager2, org=124 – http://app.example.com/orgs/123/users/456?action=patch – DENY
Manager2, org=124 – http://app.example.com/orgs/124/users/567?action=patch – ALLOW
Manager1, org=123 – http://app.example.com/orgs/124/users/567?action=patch – DENY
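The decision logic those four cases describe, written out as a stand-alone Python evaluator. This is an added example, not code from the post or from the OpenAM policy SPI: it shows the comparison the plugin has to make (the organisation number captured from the URL checked against the subject's own organisation attribute), but the subject dictionary, the `roles` and `org` attribute names and the `evaluate` function are assumptions of this example, not OpenAM API.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Resource pattern from the post: the two wildcard segments are captured as
# named groups so their values can be compared against subject attributes.
RESOURCE_HOST = "app.example.com"
RESOURCE_PATH = re.compile(r"^/orgs/(?P<org>[^/]+)/users/(?P<user>[^/]+)$")
REQUIRED_ACTION = "patch"


def evaluate(subject, url):
    """Return "ALLOW" or "DENY" for one subject against one resource URL.

    subject is a constructed dict with an 'org' attribute and a set of
    'roles' (assumed attribute names, not OpenAM's). Every path that does not
    positively satisfy the condition falls through to DENY.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.netloc != RESOURCE_HOST:
        return "DENY"

    match = RESOURCE_PATH.match(parts.path)
    if match is None:
        return "DENY"  # extra or missing segments never match the pattern

    # parse_qs returns a list per key; insist on exactly one action=patch so
    # that ?action=patch&action=delete cannot slip through as "patch".
    if parse_qs(parts.query).get("action") != [REQUIRED_ACTION]:
        return "DENY"

    if "manager" not in subject.get("roles", set()):
        return "DENY"

    # The conditional part: the org number captured from the URL must equal
    # the org the subject manages. Compared as strings, no normalisation.
    if match.group("org") != subject.get("org"):
        return "DENY"

    return "ALLOW"


# Constructed subjects mirroring Manager1 (org 123) and Manager2 (org 124).
MANAGER1 = {"id": "Manager1", "org": "123", "roles": {"manager"}}
MANAGER2 = {"id": "Manager2", "org": "124", "roles": {"manager"}}


def run_examples():
    """Evaluate the four cases listed in the post, in the same order."""
    cases = [
        (MANAGER1, "http://app.example.com/orgs/123/users/456?action=patch"),
        (MANAGER2, "http://app.example.com/orgs/123/users/456?action=patch"),
        (MANAGER2, "http://app.example.com/orgs/124/users/567?action=patch"),
        (MANAGER1, "http://app.example.com/orgs/124/users/567?action=patch"),
    ]
    return [evaluate(subject, url) for subject, url in cases]


if __name__ == "__main__":
    for decision in run_examples():
        print(decision)
```

The evaluator denies by default: a URL with an additional path segment, a second `action` parameter, or a subject without the manager role all return DENY without reaching the organisation comparison. When this logic is moved into an OpenAM condition plugin the URL and subject attributes come from the evaluation environment and session rather than from the constructed dictionaries used here.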

Imple…