October 29, 2018 at 1:59 pm #23650 chris-fry (Participant)
Is it possible in Access Manager to define Authorization Policies that protect resources with dynamic components like a username embedded in them?
So, say I have a set of subjects in OpenAM, e.g.
Is it possible to define an Authorization Policy in Access Manager that allows an authenticated user to execute operations against their own profile?
So the Resource pattern would be something like:
October 30, 2018 at 7:16 am #23652 Peter Major (Moderator)
Yes, this is possible, but probably not out of the box. With a custom policy condition implementation you should be able to verify that the subject making the request and the target resource are the same (taking username case insensitivity into account).

October 31, 2018 at 2:22 pm #23715 chris-fry-curtin (Participant)
Thanks for your assistance, Peter,
I was able to get this working as you suggested, using a Custom Policy Condition Script.
```javascript
// Allow owning user to access their own profile
// uid of the authenticated subject, read from the policy script's identity binding
var uid = identity.getAttribute("uid").iterator().next();
// Escape regex metacharacters in the uid so it is matched literally, not as a pattern
var safeUid = String(uid).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
// Anchor the pattern so only URLs under this user's own profile subtree match
var resource_pattern = new RegExp("^https://example\\.com(:443)?/profile/(" + safeUid + ")/.*$");
authorized = resource_pattern.test(resourceURI);
```
For others who are reading, I created the script in the OpenAM console, under Realm (in my case Top Level Realm), Scripts, New Script, Script Type: Policy Condition. Then configure an Authorization Policy as per the screenshot below. The script is set in the “Environments” conditions.
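The owner-only check from this thread, reworked as an added example (not the poster's script or any OpenAM code) so it can be unit-tested outside the Access Manager script engine: the uid is escaped, the pattern is anchored at both ends, and the comparison is case-insensitive as Peter suggested. The host name example.com comes from the thread; the function names and the hypothetical `identity`/`resourceURI`/`authorized` glue at the bottom are assumptions.

```javascript
// Added example: owner-only profile authorization check, testable under Node.
// Assumes profiles live under https://example.com/profile/<uid>/ as in the thread.

// Escape regex metacharacters so a uid such as "a.b" matches only itself.
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build an anchored, case-insensitive pattern for one user's profile subtree.
// Matches the bare profile URL and anything beneath it, but not "<uid>2" etc.
function buildOwnerPattern(uid, host) {
  host = host || "example.com";
  return new RegExp(
    "^https://" + escapeRegExp(host) + "(:443)?/profile/" + escapeRegExp(uid) + "(/.*)?$",
    "i" // usernames are case-insensitive in most directories (Peter's caveat)
  );
}

// True only when resourceURI lies inside the requesting user's own profile.
function isOwnProfile(uid, resourceURI) {
  if (!uid || !resourceURI) return false;
  return buildOwnerPattern(uid).test(String(resourceURI));
}

// Glue for use inside an OpenAM Policy Condition script (assumed bindings);
// these globals do not exist under Node, so this branch is skipped there.
if (typeof identity !== "undefined" && typeof resourceURI !== "undefined") {
  var uid = identity.getAttribute("uid").iterator().next();
  authorized = isOwnProfile(uid, resourceURI);
}
```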