Delegated Admin Within OpenIDM

A common use case for both internal and consumer identity management, is that of scoped or delegated administration.  For example, your managed user repository may contain objects from different business areas, consumer types or locations, with each requiring a specialist administrator to perform creates and deletes.

The authorization and custom endpoint model in OpenIDM is very simple to extend, to allow for authorization rules across a number of different scenarios.  The most simple I've picked is that of an attribute called "type" - you could make this attribute anything you like - but type is easy to explain.

For example  - all I require is that all users of "type" == "staff" are only managed via administrators who are also of "type" == "staff".  Users who are administrators, but of say "type" == "consumer" can't manage staff, they can only manage consumers.  Obviously type could be altered for any attribute that is applicable, such as location or project.

The first thing is to restrict the results that the base query all gives back.  I only want users of "type" == "staff" being returned in my query if I'm the staff admin.  To do this I created a custom endpoint called "scopedQuery".  This endpoint, basically checks the "type" of the user performing the query, then performs a query on OpenIDM to return only those users that match the query criteria.  I used the default "get-by-field-value" query in my repo.jdbc.json config - note as I'm using "type" as my query attribute, I needed to add this as a searchable attribute in the repo.jdbc.json config before creating my managed/users.  I then altered the access.js file to allow only certain admins access to the scopedQuery endpoint - note by default the only other users who can perform queries is openidm-admin so scopedQuery is the only entry point to my delegated admins!

Now that query is sorted, I then needed to add in some control over the create, read, delete, update and patch HTTP methods.  To do this, I created a simple function in the router-authz.js file called isSameType().  This function does as it says...and checks if the user performing the operation is the same "type" of the user they are performing the operation on.  I then call this function as a customAuthz method within access.js, whenever those methods are called against managed/user for the admins that I designate.

Simples :-)

Note this is an example and complex delegated administration functions would need modification. This assumes the REST API is being used for administration not the OpenIDM UI, which would need editing to accommodate the new administrators.

The code for this example is available on Github here.