
Delegated Admin Within OpenIDM

A common use case for both internal and consumer identity management is that of scoped or delegated administration.  For example, your managed user repository may contain objects from different business areas, consumer types or locations, with each requiring a specialist administrator to perform creates and deletes.

The authorization and custom endpoint model in OpenIDM is very simple to extend, allowing authorization rules across a number of different scenarios.  The simplest I've picked is an attribute called "type" - you could make this attribute anything you like - but type is easy to explain.

For example - all I require is that users of "type" == "staff" are only managed by administrators who are also of "type" == "staff".  Users who are administrators, but of, say, "type" == "consumer", can't manage staff; they can only manage consumers.  Obviously type could be swapped for any attribute that is applicable, such as location or project.

The first thing is to restrict the results that the base "query all" gives back.  I only want users of "type" == "staff" being returned in my query if I'm the staff admin.  To do this I created a custom endpoint called "scopedQuery".  This endpoint checks the "type" of the user performing the query, then performs a query on OpenIDM to return only those users that match the query criteria.

I used the default "get-by-field-value" query in my repo.jdbc.json config - note that as I'm using "type" as my query attribute, I needed to add this as a searchable attribute in the repo.jdbc.json config before creating my managed/users.  I then altered the access.js file to allow only certain admins access to the scopedQuery endpoint - note that by default the only other user who can perform queries is openidm-admin, so scopedQuery is the only entry point for my delegated admins!

Now that the query is sorted, I needed to add some control over the create, read, delete, update and patch HTTP methods.  To do this, I created a simple function in the router-authz.js file called isSameType().  This function does as it says and checks whether the user performing the operation is the same "type" as the user they are performing the operation on.  I then call this function as a customAuthz method within access.js, whenever those methods are called against managed/user by the admins that I designate.
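A sketch of both checks described above, added here as an illustration and not the code from the author's repository: the `openidm` object is a stub over constructed users, and the request shape (`method`, `id`, `value`, `patch`, `callerId`) is hypothetical. It goes slightly beyond the post by failing closed when a "type" is missing and by rejecting writes that would change a user's "type".

```javascript
// Stand-in for OpenIDM's script-scope `openidm` object, backed by constructed
// sample users so the checks can run outside OpenIDM.
const users = {
  alice: { _id: "alice", type: "staff" },
  bob:   { _id: "bob",   type: "staff" },
  carol: { _id: "carol", type: "consumer" },
  dave:  { _id: "dave" }                      // no "type" set
};
const openidm = {
  read: (id) => users[id.replace("managed/user/", "")] || null,
  query: (res, p) => ({
    result: Object.values(users).filter((u) => u[p.field] === p.value)
  })
};

// Hypothetical request shape: { method, id, value, patch, callerId }.
function isSameType(request) {
  const caller = openidm.read("managed/user/" + request.callerId);
  if (!caller || !caller.type) return false;   // fail closed: caller has no scope
  const incoming = request.value && request.value.type;
  if (request.method === "create") return incoming === caller.type;

  const target = openidm.read("managed/user/" + request.id);
  if (!target || target.type !== caller.type) return false;
  // A write must not move the user out of the caller's scope.
  if (request.method === "update" && incoming !== caller.type) return false;
  if (request.method === "patch" &&
      (request.patch || []).some((op) => /^\/?type$/.test(op.field))) return false;
  return true;
}

// Scoped listing: return only the ids of users whose "type" matches the caller's.
function scopedQuery(callerId) {
  const caller = openidm.read("managed/user/" + callerId);
  if (!caller || !caller.type) return [];
  const params = { _queryId: "get-by-field-value", field: "type", value: caller.type };
  return openidm.query("managed/user", params).result.map((u) => u._id);
}
```

In a real deployment the caller's identity would come from the authenticated security context rather than a request field, and the decision would be wired in through the customAuthz entry in access.js as the post describes.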

Simples :-)

Note this is an example, and complex delegated administration functions would need modification. This assumes the REST API is being used for administration, not the OpenIDM UI, which would need editing to accommodate the new administrators.

The code for this example is available on GitHub here.
