Custom/Managed Authorization Roles

This topic has 6 replies, 3 voices, and was last updated 4 years, 2 months ago by ravindareddy.

  • #7155
     ipulkit
    Participant

    I have created a managed role as ‘TestAuthRole’ and tried appending it to the following section of {project}/script/access.js

    // openidm-admin can request nearly anything (except query expressions on repo endpoints)
    {
        "pattern" : "*",
        "roles" : "openidm-admin,managed/role/017b95d6-52cf-4cb0-aab1-f43c364b563b",
        "methods" : "*", // default to all methods allowed
        "actions" : "*", // default to all actions allowed
        "customAuthz" : "disallowQueryExpression()",
        "excludePatterns": "repo,repo/*"
    },

    I have attached debuggers and can see the role reference is correct, so why can't I log into the admin console yet?
    This is also returned: "FINE: Request allowed"

    "d6da41ee-b7c8-4c64-8e16-461bdc0e18d0-2444","2016-01-27T12:12:41.351Z","authentication","d6da41ee-b7c8-4c64-8e16-461bdc0e18d0-2438","Harry.Potter","[""171289dc-7ca8-4b79-8123-4c6043a13652""]","SUCCESSFUL","[""Harry.Potter""]","{""id"":""6e891ad0-a38f-4965-87aa-2d0c861478e0"",""component"":""managed/user"",""roles"":[""017b95d6-52cf-4cb0-aab1-f43c364b563b"",""openidm-authorized""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""STATIC_USER"",""result"":""FAILED"",""reason"":{},""info"":{""org.forgerock.authentication.principal"":""Harry.Potter""}},{""moduleId"":""MANAGED_USER"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""Harry.Potter""}}]"
    "d6da41ee-b7c8-4c64-8e16-461bdc0e18d0-2450","2016-01-27T12:12:41.382Z","authentication","d6da41ee-b7c8-4c64-8e16-461bdc0e18d0-2447","Harry.Potter","[""818f9595-a3bb-41cb-a8a4-d361c35edc08"",""c6724cd4-6b60-4e4d-b461-b5c755129867""]","SUCCESSFUL","[""Harry.Potter""]","{""id"":""6e891ad0-a38f-4965-87aa-2d0c861478e0"",""component"":""managed/user"",""roles"":[""017b95d6-52cf-4cb0-aab1-f43c364b563b"",""openidm-authorized""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""Harry.Potter""}}]"
    "d6da41ee-b7c8-4c64-8e16-461bdc0e18d0-2456","2016-01-27T12:12:41.466Z","authentication","d6da41ee-b7c8-4c64-8e16-461bdc0e18d0-2453",,"[""7945189b-6198-4513-9ee1-4257ba572b22""]","FAILED","[]","{""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""STATIC_USER"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""MANAGED_USER"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""INTERNAL_USER"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""ClientCert"",""result"":""FAILED"",""reason"":{},""info"":{}}]"

    could not find a better way to include authentication.csv

    • This topic was modified 6 years, 8 months ago by ipulkit.
    #7173
     Jake Feasel
    Moderator

    Your second example (the one without managed/user/) should work for the backend. If you want users of this role to be able to use the admin ui, you also need to update conf/ui-configuration.json, adding the role _id to the map of roles found there; something like this:

    "017b95d6-52cf-4cb0-aab1-f43c364b563b": "ui-admin"

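    As an added illustration of the two pieces of configuration discussed in this thread (not code from the thread or from OpenIDM itself), the block below models how an access.js rule like the one posted is matched against a request, and how the conf/ui-configuration.json role map turns IDM role ids into UI roles. The rule set, the role map contents and the two customAuthz hook implementations are constructed for the example; the managed role is named by its bare _id, which is how the authentication.csv lines above list it under "roles".

```javascript
// Added example: simplified model of OpenIDM access.js rule matching plus the
// ui-configuration.json role map. Illustrative only, not OpenIDM's router.

// Constructed rules in the shape of access.js entries.
const ACCESS_RULES = [
  {
    pattern: "*",
    roles: "openidm-admin,017b95d6-52cf-4cb0-aab1-f43c364b563b",
    methods: "*",
    actions: "*",
    customAuthz: "disallowQueryExpression()",
    excludePatterns: "repo,repo/*",
  },
  {
    pattern: "managed/user/*",
    roles: "openidm-authorized",
    methods: "read",
    actions: "*",
    customAuthz: "ownDataOnly()",
  },
];

// "*" matches any resource; "repo/*" matches anything below repo/; otherwise exact.
function matchesPattern(pattern, resource) {
  if (pattern === "*") return true;
  const segs = pattern.split("/");
  if (segs[segs.length - 1] !== "*") return pattern === resource;
  const prefix = segs.slice(0, -1);
  const parts = resource.split("/");
  return parts.length > prefix.length && prefix.every((s, i) => s === parts[i]);
}

// Comma-separated rule lists; "*" means everything.
function listContains(list, value) {
  return list === "*" || list.split(",").map((s) => s.trim()).includes(value);
}

// customAuthz hooks keyed by the expression string used in the rule. These are
// assumed implementations of the two hook names seen in the posted snippet.
const CUSTOM_AUTHZ = {
  "disallowQueryExpression()": (req) => !(req.params && "_queryExpression" in req.params),
  "ownDataOnly()": (req) => req.resource === `managed/user/${req.security.id}`,
};

function ruleAllows(rule, req) {
  if (!matchesPattern(rule.pattern, req.resource)) return false;
  const excluded = (rule.excludePatterns || "").split(",").filter(Boolean);
  if (excluded.some((p) => matchesPattern(p.trim(), req.resource))) return false;
  if (!(req.security.roles || []).some((r) => listContains(rule.roles, r))) return false;
  if (!listContains(rule.methods, req.method)) return false;
  if (req.method === "action" && !listContains(rule.actions, req.action || "")) return false;
  if (rule.customAuthz) {
    const hook = CUSTOM_AUTHZ[rule.customAuthz];
    if (!hook || !hook(req)) return false; // unknown hook names fail closed
  }
  return true;
}

// The request is allowed if any rule allows it.
function isAllowed(req, rules = ACCESS_RULES) {
  return rules.some((rule) => ruleAllows(rule, req));
}

// Constructed "roles" map in the shape of conf/ui-configuration.json: IDM role
// ids on the left, UI roles on the right. The admin UI requires "ui-admin".
const UI_ROLE_MAP = {
  "openidm-admin": "ui-admin",
  "openidm-authorized": "ui-user",
  "017b95d6-52cf-4cb0-aab1-f43c364b563b": "ui-admin",
};

function uiRoles(security) {
  return [...new Set((security.roles || []).map((r) => UI_ROLE_MAP[r]).filter(Boolean))];
}

function canUseAdminUi(security) {
  return uiRoles(security).includes("ui-admin");
}

// Usage: the security context is what the audit log shows under "context".
const harry = { id: "6e891ad0", roles: ["017b95d6-52cf-4cb0-aab1-f43c364b563b", "openidm-authorized"] };
isAllowed({ resource: "managed/user/someone", method: "read", security: harry }); // true
canUseAdminUi(harry); // true
```

    Two points the model makes visible: a rule whose roles list spells the role as managed/role/<id> never matches, because the role list in the authenticated context carries the bare _id; and passing the backend check is separate from the UI check, which is why both access.js and ui-configuration.json need the role.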
    #7180
     ipulkit
    Participant

    Oooooh ! Thanks a lot Jake, I’ll be sleeping in peace tonight.

    #7188
     ipulkit
    Participant

    Hi Jake,

    I tried this but it wouldn’t work. The JWT session fails while the other modules authenticate successfully

    Please see authentication csv below

    "5eecf357-7e25-463c-a4b0-7cbe2d81f529-69","2016-01-28T06:45:05.294Z","authentication","5eecf357-7e25-463c-a4b0-7cbe2d81f529-63","James.Smith","[""9a236b53-f7b2-46f3-a441-00540c7cf4f6""]","SUCCESSFUL","[""James.Smith""]","{""id"":""b5615405-03f7-41c9-80c7-7c280222e8f2"",""component"":""managed/user"",""roles"":[""openidm-authorized"",""017b95d6-52cf-4cb0-aab1-f43c364b563b""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""STATIC_USER"",""result"":""FAILED"",""reason"":{},""info"":{""org.forgerock.authentication.principal"":""James.Smith""}},{""moduleId"":""MANAGED_USER"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""James.Smith""}}]"
    "5eecf357-7e25-463c-a4b0-7cbe2d81f529-75","2016-01-28T06:45:05.330Z","authentication","5eecf357-7e25-463c-a4b0-7cbe2d81f529-72","James.Smith","[""64091942-f455-4fdd-a355-32dec15cf7c8"",""a8fba4c0-20cd-4318-b9d5-41b6f8e454f9""]","SUCCESSFUL","[""James.Smith""]","{""id"":""b5615405-03f7-41c9-80c7-7c280222e8f2"",""component"":""managed/user"",""roles"":[""openidm-authorized"",""017b95d6-52cf-4cb0-aab1-f43c364b563b""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""James.Smith""}}]"
    "5eecf357-7e25-463c-a4b0-7cbe2d81f529-81","2016-01-28T06:45:05.407Z","authentication","5eecf357-7e25-463c-a4b0-7cbe2d81f529-78","James.Smith","[""a8fba4c0-20cd-4318-b9d5-41b6f8e454f9"",""6bcf652e-51c8-447d-a8b7-d558b436a638""]","SUCCESSFUL","[""James.Smith""]","{""id"":""b5615405-03f7-41c9-80c7-7c280222e8f2"",""component"":""managed/user"",""roles"":[""openidm-authorized"",""017b95d6-52cf-4cb0-aab1-f43c364b563b""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""James.Smith""}}]"

    Please paste it in a text editor to have a better look.

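    Reading the raw authentication.csv lines posted above by hand is error-prone, so here is an added helper (not from the thread or from OpenIDM) that splits each CSV line, decodes the embedded JSON, and reports for each request which module in the authentication chain accepted the credentials and which roles ended up in the context. The column names are assumed from the layout of the posted lines, and the sample lines are constructed in the same format with shortened ids.

```javascript
// Added example: summarise OpenIDM authentication.csv lines per request.
// Illustrative code only; column names assumed from the posted line layout.

const COLUMNS = ["_id", "timestamp", "eventName", "transactionId", "userId",
  "trackingIds", "result", "principal", "context", "entries"];

// Constructed sample lines in the posted format (ids shortened). Embedded JSON
// is quoted CSV-style, so every inner " is doubled.
const SAMPLE_LINES = [
  '"tx-a-2444","2016-01-27T12:12:41.351Z","authentication","tx-a-2438","Harry.Potter","[""trk-1""]","SUCCESSFUL","[""Harry.Potter""]","{""id"":""6e891ad0"",""component"":""managed/user"",""roles"":[""017b95d6-52cf-4cb0-aab1-f43c364b563b"",""openidm-authorized""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""STATIC_USER"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""MANAGED_USER"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""Harry.Potter""}}]"',
  '"tx-a-2450","2016-01-27T12:12:41.382Z","authentication","tx-a-2447","Harry.Potter","[""trk-2""]","SUCCESSFUL","[""Harry.Potter""]","{""id"":""6e891ad0"",""component"":""managed/user"",""roles"":[""017b95d6-52cf-4cb0-aab1-f43c364b563b"",""openidm-authorized""],""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""SUCCESSFUL"",""info"":{""org.forgerock.authentication.principal"":""Harry.Potter""}}]"',
  '"tx-a-2456","2016-01-27T12:12:41.466Z","authentication","tx-a-2453",,"[""trk-3""]","FAILED","[]","{""ipAddress"":""0:0:0:0:0:0:0:1""}","[{""moduleId"":""JwtSession"",""result"":""FAILED"",""reason"":{},""info"":{}},{""moduleId"":""MANAGED_USER"",""result"":""FAILED"",""reason"":{},""info"":{}}]"',
];

// Minimal RFC 4180 splitter: quoted fields, "" inside quotes is a literal quote.
function parseCsvLine(line) {
  const fields = [];
  let field = "";
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch !== '"') field += ch;
      else if (line[i + 1] === '"') { field += '"'; i++; }
      else inQuotes = false;
    } else if (ch === '"') {
      inQuotes = true;
    } else if (ch === ",") {
      fields.push(field);
      field = "";
    } else {
      field += ch;
    }
  }
  fields.push(field);
  return fields;
}

// One audit line -> who authenticated, via which module, with which roles.
function summarizeAuthEvent(line) {
  const fields = parseCsvLine(line);
  if (fields.length !== COLUMNS.length) {
    throw new Error(`expected ${COLUMNS.length} fields, got ${fields.length}`);
  }
  const row = Object.fromEntries(COLUMNS.map((name, i) => [name, fields[i]]));
  const context = row.context ? JSON.parse(row.context) : {};
  const entries = row.entries ? JSON.parse(row.entries) : [];
  const winner = entries.find((e) => e.result === "SUCCESSFUL");
  return {
    timestamp: row.timestamp,
    transactionId: row.transactionId,
    userId: row.userId || null,          // empty field -> anonymous request
    result: row.result,
    roles: context.roles || [],
    chain: entries.map((e) => `${e.moduleId}:${e.result}`),
    authenticatedBy: winner ? winner.moduleId : null,
  };
}

function summarizeAuthLog(lines) {
  return lines.filter((l) => l.trim()).map(summarizeAuthEvent);
}

// True when the given IDM role id is present in the authenticated context.
function hasRole(summary, roleId) {
  return summary.roles.includes(roleId);
}

// Usage: one summary per line, e.g. to check that the managed role is present.
const summaries = summarizeAuthLog(SAMPLE_LINES);
hasRole(summaries[0], "017b95d6-52cf-4cb0-aab1-f43c364b563b"); // true
```

    The chain column explains the FAILED/SUCCESSFUL pairing that appears in the posted lines: modules are tried in order, so on the first request of a login JwtSession reports FAILED simply because no session JWT has been issued yet, and MANAGED_USER then accepts the credentials; the requests that follow carry the JWT and succeed at JwtSession directly. Paste the real lines into SAMPLE_LINES to get the same per-request view of your own log.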
    #7216
     Jake Feasel
    Moderator

    I double-checked and everything worked fine when I tried the approach I mentioned. Can you post the high-level details (URL+response codes) from the XHR calls that your browser makes when logging into the admin ui? For example:

    GET /openidm/login 200
    GET /openidm/managed/user/12345 200
    POST /openidm/maintenance?_action=status 200

    #7235
     ipulkit
    Participant

    Hey Jake,

    A restart did the trick, it works now ! Thank you for the assistance, you saved me a lot of time.

    #22565
     ravindareddy
    Participant

    Hi Ipul,

    Similarly, if I want to give amadmin the same kind of access, what should I do?

    The user is created in AD,
    I also created a group,
    that group is assigned to the user,
    and now from the OpenAM side I can see the group which I created and the user, so I have given the privilege to that group.
    I then tried logging in as the user with AD credentials, but I am not able to log in.

    Could you please help me if you have any idea!

    Thanks for your time.



©2022 ForgeRock
