Dynamic Resource Definition for Authorization Policies

This topic has 2 replies, 3 voices, and was last updated 3 years, 11 months ago by chris-fry-curtin.

  • #23650
     chris-fry
    Participant

    Hi,

    Is it possible in Access Manager to define Authorization Policies that protect resources with dynamic components like a username embedded in them?

    So, say I have a set of subjects in OpenAM, e.g.
    jsmith,
    jdoe

    and a set of Resources with user profiles for each e.g.
    https://example.com/profile/jsmith/
    https://example.com/profile/jdoe/

    Is it possible to define an Authorization Policy in Access Manager that allows an authenticated user to execute operations against their own profile?

    So the Resource pattern would be something like:
    https://example.com/profile/<uid>/

    I.e. jsmith could access https://example.com/profile/jsmith/, but jdoe could not and vice versa for https://example.com/profile/jdoe/.

    Chris

    • This topic was modified 3 years, 11 months ago by chris-fry. Reason: Typo
    #23652
     Peter Major
    Moderator

    Yes, this is possible, but probably not out of the box. With a custom policy condition implementation you should be able to verify that the subject making the request and the target resource are the same (taking username case insensitivity into account).

    #23715
     chris-fry-curtin
    Participant

    Thanks for your assistance, Peter,

    I was able to get this working as you suggested, using a Custom Policy Condition Script.

    Example Script:

    // Allow the owning user to access their own profile.
    // Script bindings: identity (the subject), resourceURI (the requested resource), authorized (the result).
    var uid = identity.getAttribute("uid").iterator().next();
    // Escape regex metacharacters in the uid so it is matched literally, not as a pattern.
    var safeUid = String(uid).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    // Anchor the pattern at the start so only resources under this host and profile path can match.
    var resource_pattern = new RegExp("^https://example.com(:443)?/profile/(" + safeUid + ")/.*");
    authorized = resource_pattern.test(resourceURI);

    For others who are reading, I created the script in the OpenAM console, under Realm (in my case Top Level Realm), Scripts, New Script, Script Type: Policy Condition. Then configure an Authorization Policy as per the screenshot below. The script is set in the “Environments” conditions.

    [Screenshot: Example Authorization Policy for Dynamic Resource]

    Chris
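The following is an added example and is not the script posted in the thread or ForgeRock's own code. It shows a stricter version of the same "own profile" check, going beyond the regex in the thread: the resource URI is parsed and canonicalized before the owner segment is compared, so a request such as https://example.com/profile/jsmith/../jdoe/ is evaluated against the resolved path, the comparison is case-insensitive as the moderator suggested, and a subject with no uid attribute is denied rather than causing the script to throw. The OpenAM script bindings (identity, resourceURI, authorized) are simulated as plain JavaScript objects so it runs outside OpenAM; the host example.com and the /profile/<uid>/ layout are assumed from the thread.

```javascript
// Added example (not the thread's script): a stricter "own profile" check
// with the OpenAM Policy Condition bindings simulated so it runs standalone.
const PROFILE_HOST = "example.com"; // assumed host, taken from the thread

// Read the first "uid" value from an identity object shaped like the script
// binding (getAttribute() returning a collection); null when absent or empty.
function ownerUid(identity) {
  const values = identity.getAttribute("uid");
  if (!values || values.length === 0) return null; // no uid: deny later
  return String(values[0]);
}

// Return true only when resourceURI lies under the caller's own profile.
function isOwnProfile(uid, resourceURI) {
  if (!uid) return false;
  let url;
  try {
    url = new URL(resourceURI); // unparsable resource: deny
  } catch (e) {
    return false;
  }
  // Pin scheme and host. WHATWG URL parsing already dropped a default ":443".
  if (url.protocol !== "https:" || url.hostname !== PROFILE_HOST) return false;
  // Parsing also resolved "." and ".." segments, so the path is canonical:
  // /profile/jsmith/../jdoe/ arrives here as /profile/jdoe/.
  const match = /^\/profile\/([^/]+)(\/|$)/.exec(url.pathname);
  if (!match) return false;
  let owner;
  try {
    owner = decodeURIComponent(match[1]); // compare decoded characters
  } catch (e) {
    return false; // malformed percent-encoding: deny
  }
  // Case-insensitive owner comparison, as suggested in the thread.
  return owner.toLowerCase() === uid.toLowerCase();
}

// What the condition script would assign to the "authorized" binding.
function evaluateCondition(identity, resourceURI) {
  return isOwnProfile(ownerUid(identity), resourceURI);
}

// Constructed sample subjects and requests (not real data).
const jsmith = { getAttribute: (name) => (name === "uid" ? ["jsmith"] : []) };
const noUid = { getAttribute: () => [] };
const samples = [
  "https://example.com/profile/jsmith/",
  "https://example.com:443/profile/JSmith/settings",
  "https://example.com/profile/jdoe/",
  "https://example.com/profile/jsmith/../jdoe/",
  "https://example.com/profile/jsmithx/",
  "http://example.com/profile/jsmith/",
  "https://evil.example/profile/jsmith/",
];
for (const uri of samples) {
  console.log(evaluateCondition(jsmith, uri) ? "ALLOW" : "DENY ", uri);
}
console.log(evaluateCondition(noUid, samples[0]) ? "ALLOW" : "DENY ", "(subject without uid)");
```

Parsing with the URL API rather than matching the raw string is the design choice here: the owner is compared as one path segment after dot-segment resolution and percent-decoding, so no regex metacharacters from the uid ever reach a pattern, and the check cannot be widened by a crafted path. In a real Policy Condition script the same logic would end with `authorized = evaluateCondition(identity, resourceURI);` using the script's own bindings.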
