Skip to main content

Delegated Admin Within OpenIDM

A common use case for both internal and consumer identity management, is that of scoped or delegated administration.  For example, your managed user repository may contain objects from different business areas, consumer types or locations, with each requiring a specialist administrator to perform creates and deletes.

The authorization and custom endpoint model in OpenIDM is very simple to extend, to allow for authorization rules across a number of different scenarios.  The most simple I've picked is that of an attribute called "type" - you could make this attribute anything you like - but type is easy to explain.

For example  - all I require is that all users of "type" == "staff" are only managed via administrators who are also of "type" == "staff".  Users who are administrators, but of say "type" == "consumer" can't manage staff, they can only manage consumers.  Obviously type could be altered for any attribute that is applicable, such as location or project.

The first thing is to restrict the results that the base query all gives back.  I only want users of "type" == "staff" being returned in my query if I'm the staff admin.  To do this I created a custom endpoint called "scopedQuery".  This endpoint, basically checks the "type" of the user performing the query, then performs a query on OpenIDM to return only those users that match the query criteria.  I used the default "get-by-field-value" query in my repo.jdbc.json config - note as I'm using "type" as my query attribute, I needed to add this as a searchable attribute in the repo.jdbc.json config before creating my managed/users.  I then altered the access.js file to allow only certain admins access to the scopedQuery endpoint - note by default the only other users who can perform queries is openidm-admin so scopedQuery is the only entry point to my delegated admins!

Now that query is sorted, I then needed to add in some control over the create, read, delete, update and patch HTTP methods.  To do this, I created a simple function in the router-authz.js file called isSameType().  This function does as it says...and checks if the user performing the operation is the same "type" of the user they are performing the operation on.  I then call this function as a customAuthz method within access.js, whenever those methods are called against managed/user for the admins that I designate.

Simples :-)

Note this is an example and complex delegated administration functions would need modification. This assumes the REST API is being used for administration not the OpenIDM UI, which would need editing to accommodate the new administrators.

The code for this example is available on Github here.

Comments

Popular posts from this blog

WebAuthn Authentication in AM 6.5

ForgeRock AccessManagement 6.5 , will have out of the box integration for the W3C WebAuthn . This modern “FIDO2” standard allows cryptographic passwordless authentication – integrating with a range of native authenticators, from USB keys to fingerprint and facial recognition systems found natively in many mobile and desktop operating systems. Why is this so cool? Well firstly we know passwords are insecure and deliver a poor user experience. But aren’t there loads of strong MFA solutions out there already? Well, there are, but many are proprietary, require complex integrations and SDK’s and ultimately, don’t provide the level of agility that many CISO’s and application designers now require.  Rolling out a secure authentication system today, will probably only result in further integration costs and headaches tomorrow, when the next “cool” login method emerges. Having a standards based approach, allows for easier inter-operability and a more agile platform for chan

Implementing Zero Trust & CARTA within AM 6.x

There is an increasing focus on perimeterless approaches to security design and the buzzy "defensive security architectures".  This blog will take a brief look at implementing a contextual and continuous approach to access management, that can help to fulfil those design aspirations. The main concept, is to basically collect some sort of contextual data at login time, and again at resource access time - and basically look for differences between the two.  But why is this remotely interesting?  Firstly, big walls, don't necessarily mean safer houses.  The classic firewall approach to security.  Keeping the bad out and the good in.  That concept no longer works for the large modern enterprise.  The good and bad are everywhere and access control decisions should really be based on data above and beyond that directly related to the user identity, with enforcement as close as possible to the protected resource as possible. With Intelligent AuthX, we can start to collect an

Set Session Limits Using Context

Session limits typically cover 4 main items: total number of sessions a user can have at any one time, the max length of each session, the max idle time and max caching time. In an out of the box deployment in ForgeRock AM, these settings are configured via the session service.  However there are few tweaks than can be made to allow these settings to be run via a per user or per tree flow.  For example. think of the following scenario - user is logging via a device, location or network that has a higher risk rating.   Perhaps you would like to reduce session length on a BYOD device running an out of support version of Android to have a length of only 15 minutes.  If they switched back to their main trusted device, we can spin that back to 1hr. Another example, could be the spotting of a higher suspicion of bot activity for a particular user.  Maybe we need to set the entire quota limit to 1, to stop a bot spawning multiple sessions with the same credentials. This is all pretty trivial