Open IDM Admin console customization based on role memberships

This topic has 13 replies, 6 voices, and was last updated 4 years ago by debarshi.

    #9929
     sbgovil
    Participant

    Hello Everyone,

    We have a requirement to customize the OpenIDM admin console so that users with different custom (non-OOTB) authorization/provisioning roles have access to different parts of the admin console.

    Overall, we want to hide/show different tabs of the admin console depending on the custom role the logged-in user belongs to.

    Any pointers to a solution for the above requirement will be highly appreciated.

    #10051
     Jake Feasel
    Moderator

    This is basically the “Delegated Administration” use case. This isn’t a feature that is supported currently, but you could possibly make some general progress in that direction by making some changes to the navigation config (openidm/ui/admin/default/config/AppConfiguration.js starting around line 122) and the router configuration (openidm/ui/admin/default/config/routes/AdminRoutesConfig.js). In addition, you would also need to be sure to adjust the backend authorization rules, as defined in script/access.js.

    In all cases, be sure to refer to the “_id” value of your custom authorization role.

    #17164
     cristianoburgo
    Participant

    Jake,
    I just followed your suggestion, modifying the following files:
    – ui-configuration.json:
    "roles" : {
        "openidm-authorized" : "ui-user",
        "openidm-admin" : "ui-admin",
        "d59dcf20-c5a5-4574-ae96-06640908c955" : "ui-admin"
    },
    where d59dcf20-c5a5-4574-ae96-06640908c955 is the objectid for the custom managed role.
    – access.js:
    adding the access rule for the custom managed role, for example:
    {
        "pattern" : "managed/*",
        "roles" : "d59dcf20-c5a5-4574-ae96-06640908c955",
        "methods" : "*", // default to all methods allowed
        "actions" : "*", // default to all actions allowed
        "customAuthz" : "disallowQueryExpression()",
        "excludePatterns": "repo,repo/*"
    },

    – AdminRoutesConfig.js:
    I don't know how to modify it. My objective is to enable the users belonging to the custom role to see only the managed user menu.
    But I'm not lucky.

    #17179
     Jake Feasel
    Moderator

    I suggest changing ui-configuration like so:

    "d59dcf20-c5a5-4574-ae96-06640908c955" : "ui-delegated-admin"

    Each route within AdminRoutesConfig has a “role” assigned to it. There can be multiple roles defined, as a csv. For example, you can change the first one to look like so:

    
            "dashboardView" : {
                view: "org/forgerock/openidm/ui/admin/dashboard/Dashboard",
                role: "ui-admin,ui-delegated-admin",
                url: /^dashboard\/(.*)$/,
                pattern: "dashboard/?"
            },
    

    And likewise do the same for every other route you wish the ui-delegated-admin user to have access to.

    #17187
     cristianoburgo
    Participant

    Just tried.
    Modified the ui-configuration as:
    "d59dcf20-c5a5-4574-ae96-06640908c955" : "ui-helpdesk"

    and the openidm\ui\admin\default\config\routes\AdminRoutesConfig.js like:

    "dashboardView" : {
                view: "org/forgerock/openidm/ui/admin/dashboard/Dashboard",
                role: "ui-admin","ui-helpdesk",
                url: "dashboard/"

    but this error is shown: “Unauthorized access or session timeout.”
    Adding ui-helpdesk on all views does not change the behavior, and running the dev tools in Chrome, the 401 error happens on the link: POST http://localhost:8080/openidm/maintenance?_action=status 401 (Unauthorized).

    Consider that in access.js the role has the same privileges as openidm-admin:

    {
                "pattern"   : "*",
                "roles"     : "d59dcf20-c5a5-4574-ae96-06640908c955",
                "methods"   : "*", // default to all methods allowed
                "actions"   : "*", // default to all actions allowed
                "customAuthz" : "disallowQueryExpression()",
                "excludePatterns": "repo,repo/*"
    },
    #17191
     Jake Feasel
    Moderator

    Here’s one bug:

    role: "ui-admin","ui-helpdesk",

    Should read:

    role: "ui-admin,ui-helpdesk",

    Also, a 401 is an authentication error, not an authorization error (that would be a 403). I suspect the 401 is a red herring. The real reason you are seeing “Unauthorized access or session timeout.” is the typo above.

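The two lookups discussed in this reply, as an added example in JavaScript (an illustrative model, not OpenIDM's own UI code): backend role ids from /openidm/info/login are translated through the "roles" map of ui-configuration.json, and a route's "role" field in AdminRoutesConfig.js is checked as one comma-separated string. The route objects and the login roles below are constructed from values posted in this thread.

```javascript
// Added illustrative model, not OpenIDM's own UI code, of the two lookups the
// thread describes: backend role ids from /openidm/info/login are translated
// through the "roles" map in ui-configuration.json, and a route's "role" field
// in AdminRoutesConfig.js is one comma-separated string of UI role names.

// "roles" map as posted in the thread (custom managed role _id -> UI role)
const uiConfigRoles = {
  "openidm-authorized": "ui-user",
  "openidm-admin": "ui-admin",
  "d59dcf20-c5a5-4574-ae96-06640908c955": "ui-helpdesk",
};

// Translate the roles array of the login response into UI roles; ids that
// are not in the map (e.g. an unmapped managed role) yield nothing.
function uiRolesFor(backendRoles, roleMap) {
  return backendRoles
    .filter((r) => Object.prototype.hasOwnProperty.call(roleMap, r))
    .map((r) => roleMap[r]);
}

// Split the route's CSV "role" value. Note that the thread's broken form
//   role: "ui-admin","ui-helpdesk",
// is not a CSV at all: inside an object literal it is a SyntaxError, so the
// whole routes module fails to load before any role check can run.
function routeRoles(route) {
  if (typeof route.role !== "string") {
    throw new TypeError("route.role must be a single comma-separated string");
  }
  return route.role.split(",").map((s) => s.trim()).filter(Boolean);
}

// A route is reachable when any of the user's UI roles appears in its list.
function canAccessRoute(route, uiRoles) {
  return routeRoles(route).some((r) => uiRoles.includes(r));
}

// Constructed from the thread's login response: the test user holds
// openidm-authorized plus the custom managed role.
const loginRoles = ["openidm-authorized", "d59dcf20-c5a5-4574-ae96-06640908c955"];

// dashboardView route with the corrected CSV role string
const dashboardView = {
  view: "org/forgerock/openidm/ui/admin/dashboard/Dashboard",
  role: "ui-admin,ui-helpdesk",
  pattern: "dashboard/?",
};

// A route left with only ui-admin stays hidden from the ui-helpdesk user.
const adminOnlyRoute = { role: "ui-admin", pattern: "settings/?" };
```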
    #17193
     cristianoburgo
    Participant

    Again the same error:
    Messages.js:76 error: Unauthorized access or session timeout.Object {message: “Unauthorized access or session timeout.”, type: “error”}
    jquery-2.1.1-min.js:5 POST http://localhost:8080/openidm/maintenance?_action=status 401 (Unauthorized)

    I did a:
    – browser cache cleaning
    – openidm restart

    If we solve the issue, this use case could usefully be added to the Integration guide ;-)

    #17197
     Jake Feasel
    Moderator

    Is managed/role/d59dcf20-c5a5-4574-ae96-06640908c955 assigned to the user as an “authzRole”? What do you see in the browser’s network trace for the request to /openidm/info/login, when submitting the user’s credentials? Also, what version of IDM are you working with?

    #17199
     cristianoburgo
    Participant

    Is managed/role/d59dcf20-c5a5-4574-ae96-06640908c955 assigned to the user as an “authzRole”? YES

    What do you see in the browser’s network trace for the request to /openidm/info/login, when submitting the user’s credentials?

    Request Headers

    Accept:application/json, text/javascript, */*; q=0.01
    Accept-Encoding:gzip, deflate, sdch, br
    Accept-Language:it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
    Cache-Control:no-cache
    Connection:keep-alive
    Content-Type:application/json
    Cookie:i18next=en
    Host:localhost:8080
    Pragma:no-cache
    Referer:http://localhost:8080/admin/
    User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36
    X-OpenIDM-NoSession:false
    X-OpenIDM-Password:Welcome1!
    X-OpenIDM-Username:cburgo
    X-Requested-With:XMLHttpRequest

    Response:

    Cache-Control:no-cache
    Content-Encoding:gzip
    Content-Type:application/json; charset=UTF-8
    Date:Tue, 02 May 2017 06:20:54 GMT
    Server:Jetty(9.2.z-SNAPSHOT)
    Set-Cookie:session-jwt=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlNBRVNfUEtDUzFfVjFfNSIsICJlbmMiOiAiQTEyOENCQ19IUzI1NiIgfQ.WZKGOOgKzXBs6jlJG2uXazmriB96u42BB-YcvEDm-q6xJUZ1mEj2LnRw-wo6hmavFD2RDWcNHAMmJY0EKYycYFuQR8fV2akMTLenpjlEy_KqmJvemXFfQRvr0JnQWhMz5Oe9owrbhv2HX5JXZWlKkBaNIvxutUkcpeRfNCBHS4lKfzezzpFelpJ6cfc2e9f-3bDPgWzn28Fmu9hpU9XmbTZU7yFb1bVQEt19T9rwBWHAs45nuRDOGlkXDwgSW0NC_tvl9D809BoVmxZQpUt0YxvQrop-h_gvRVNP4E4rrcasog5pROAiPaxGYJhPoTjHodZiapgS1xEpCpuKnO82HQ.pz1fg7ZSbeNNcVLXybQjZg.UrqVizHSoBcbnCv8yeggag8iGH-6JKeXLjfCTiCfMk6umJ8cQidHU0w_tx4IyBaHLn1ixNsvcKXOU42t8b2FdD4VJqvmcWrYzV5sey9U6OrnOe0MiyCJdJZjHEV6IdL72F0n98F1hAdCl9cN0JGqhfOCD2CtzHKmvPKbeMWhB3xT4fFUNbcSWHdJwf7tOrMNvU9q5AQdfdqqirJVIt_lcgIZ0HPX3CAfv7MwMVPBk1UnMTc-FHaf3hdavNQ79UMv0OfMmgmjSSi-Gx5236bWKMpaL73LfPbSOmFGEVfwnlSYtNr5UN89W312rydsGnHwNA45N1CweK4KIOfUWzAfx_2vtjMnY5QCbOcudJDBonV9p_O--wC0DjZkUr92yg66duRyXDfn3cYXmb-NaoeBa6E6q1guuJWbZ7fZcA-KrDvJ8EVq-ocminZLCRw4F1_oJSYArNeqq1rQlLZSKmIe0MjlYrG8pnIc5a0biWwTzsuHjX2R0mFvC7Tf5PniRSbL4hqBZmWgmCzOoeEqENH9L3b_a23osDhKHHZozACryBDYY7P5KBeA-VMR5DICCb3OawT5Mh4D_LLithV_7MvULw.EKMPgXV1udFOeMwu3t0Nxg; Path=/
    Transfer-Encoding:chunked
    Vary:Accept-Encoding, User-Agent

    TAB PREVIEW:

    {_id: "", class: "org.forgerock.services.context.SecurityContext", name: "security",…}
    authenticationId:"cburgo"
    authorization:{id: "d8e79ec4-2f67-49d6-b1a2-46da51314a2d", component: "managed/user",…}
    component:"managed/user"
    id:"d8e79ec4-2f67-49d6-b1a2-46da51314a2d"
    ipAddress:"0:0:0:0:0:0:0:1"
    roles:["openidm-authorized", "d59dcf20-c5a5-4574-ae96-06640908c955"]
    0:"openidm-authorized"
    1:"d59dcf20-c5a5-4574-ae96-06640908c955"
    class:"org.forgerock.services.context.SecurityContext"
    name:"security"
    parent:{class: "org.forgerock.caf.authentication.framework.MessageContextImpl", name: "jaspi",…}
    class:"org.forgerock.caf.authentication.framework.MessageContextImpl"
    name:"jaspi"
    parent:{class: "org.forgerock.services.context.TransactionIdContext",…}
    _id:""

    Response:

    {"_id":"","class":"org.forgerock.services.context.SecurityContext","name":"security","authenticationId":"cburgo","authorization":{"id":"d8e79ec4-2f67-49d6-b1a2-46da51314a2d","component":"managed/user","roles":["openidm-authorized","d59dcf20-c5a5-4574-ae96-06640908c955"],"ipAddress":"0:0:0:0:0:0:0:1"},"parent":{"class":"org.forgerock.caf.authentication.framework.MessageContextImpl","name":"jaspi","parent":{"class":"org.forgerock.services.context.TransactionIdContext","id":"9962967c-f1b9-4a35-ad94-0509e7b638a9-317","name":"transactionId","transactionId":{"value":"9962967c-f1b9-4a35-ad94-0509e7b638a9-317","subTransactionIdCounter":0},"parent":{"class":"org.forgerock.services.context.ClientContext","name":"client","remoteUser":null,"remoteAddress":"0:0:0:0:0:0:0:1","remotePort":63877,"certificates":"","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36","isExternal":true,"isSecure":false,"localAddress":"0:0:0:0:0:0:0:1","localPort":8080,"parent":{"class":"org.forgerock.services.context.AttributesContext","name":"attributes","parent":{"class":"org.forgerock.services.context.RequestAuditContext","name":"requestAudit","receivedTime":1493706054469,"parent":{"class":"org.forgerock.http.routing.UriRouterContext","name":"router","matchedUri":"/openidm","remainingUri":"/info/login","uriTemplateVariables":{},"originalUri":"http://localhost:8080/openidm/info/login","parent":{"class":"org.forgerock.http.session.SessionContext","name":"session","parent":{"class":"org.forgerock.services.context.RootContext","id":"9962967c-f1b9-4a35-ad94-0509e7b638a9-316","name":"root","parent":null}}}}}}}}}

    Also, what version of IDM are you working with? IDM 4.0.0 (639216c) on a local Win 10 computer on OrientDB.

    #17201
     Jake Feasel
    Moderator

    Well, everything looks right as far as I can tell from here. This is the trouble with extending the product in ways that it wasn’t yet built to support – odd things start cropping up. How comfortable are you with debugging javascript? You could put some breakpoints in the config/process/CommonConfig.js module, specifically for the EVENT_UNAUTHORIZED, and then look up the stack to see exactly what is triggering this behavior.

    #17763
     Sarris Overbosch
    Participant

    Trying to achieve the same here. For now I am able to add a custom internal role (with a readable name) and assign it in access.js to the same places where openidm-admin is assigned. I also changed the ui-configuration to be aware of this role. I am able to log in as the support user, but the console still shows too much information and has too many possibilities.
    The next step would be to revoke some access by editing access.js again, but this will probably also break the admin console, so I wanted to get rid of some of the menu items/widgets from the admin console. How can I achieve this? Should I alter ui/admin/default/config/AppConfiguration.js to make this happen, or are there other ways of achieving this?

    #17772
     Sarris Overbosch
    Participant

    So it looks like the admin console supports two roles, ui-user and ui-admin, and adding a third one does not really work (it fails to get maintenance info because the session cookie is not present in the request).

    #18723
     vrioux
    Participant

    Another one trying to do this here.

    I’ve gone the route of adding a managed role.

    In ui-configuration, defined the managed role _id to a friendly ui name like ui-helpdesk.

    In AdminRoutesConfig, added the ui friendly name as a CSV next to ui-admin.

    Not sure how it would play out in AppConfiguration.js, but for now added the friendly ui name next to ui-admin as CSV.

    Added the managed role _id to access.js with the same rules as openidm-admin.

    Added the test user as authz to the managed role.

    Still no luck, a quick search in the default UI scripts shows that ui-admin is hardcoded everywhere… Sigh…

    #19705
     debarshi
    Participant

    Hello Jake

    We have similar requirements, and I've created a managed role. Then I added the new role's id in ui-configuration.js

    "roles" : {
        "openidm-authorized" : "ui-user",
        "openidm-admin" : "ui-admin",
        "f8f9e402-5129-41d4-8116-9e42b52aeafe" : "ui-rfu-admin"
    }

    Added this ui role in AppConfiguration.js

    "admin" : {
        "role": "ui-admin,ui-rfu-admin",
        "urls": {
            "dashboard": {
                "name": "config.AppConfiguration.Navigation.links.dashboard",
                "icon": "fa fa-dashboard",
                "url": "#dashboard/"
            },
            "configuration": {
              .................

    Added entry in access.js

    {
        "pattern"   : "*",
        "roles"     : "f8f9e402-5129-41d4-8116-9e42b52aeafe",
        "methods"   : "*", // default to all methods allowed
        "actions"   : "*" // default to all actions allowed
    }

    Now I assigned this new role to a test user using Authz Role. But when I'm trying to log in using this test user, I'm getting 403 Forbidden for /openidm/maintenance?_action=status

    Surprisingly, if I make a call to this URL using Postman with the same user id and password, I get a proper response.

    I have noticed that when it makes the call to the maintenance URL, the request header doesn't have jwt_session but rather has the anonymous user:

    
    Accept:application/json, text/javascript, */*; q=0.01
    Accept-Encoding:gzip, deflate, br
    Accept-Language:en-US,en;q=0.9
    Cache-Control:no-cache
    Connection:keep-alive
    Content-Length:0
    Content-Type:application/json
    Cookie:i18next=en
    Host:localhost:8443
    Origin:http://localhost:8443
    Pragma:no-cache
    Referer:http://localhost:8443/admin/
    User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
    X-OpenIDM-NoSession:true
    X-OpenIDM-Password:anonymous
    X-OpenIDM-Username:anonymous
    X-Requested-With:XMLHttpRequest
    
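The 403 on the maintenance status call in this post, and the access.js rules posted earlier in the thread, as an added example: an illustrative evaluator in JavaScript for rules in the access.js shape (a model of the matching the thread describes, not OpenIDM's own authorization engine; the anonymous role name openidm-reg and the info/* rule are assumptions, and the customAuthz script hook is ignored). With the thread's wildcard rule for the custom role, the anonymous call is denied while the same call carrying the test user's roles passes.

```javascript
// Added illustrative evaluator for rules in the access.js shape used in this
// thread; it is a model, not OpenIDM's own authorization engine, and it ignores
// the customAuthz script hook. A request passes when some rule matches the
// resource, is not excluded, and grants the caller's role, method and action.

const CUSTOM_ROLE = "d59dcf20-c5a5-4574-ae96-06640908c955"; // managed role _id from the thread
const ANON_ROLE = "openidm-reg"; // assumed role name carried by the anonymous user

const accessRules = [
  // the wildcard rule posted for the custom role in this thread
  { pattern: "*", roles: CUSTOM_ROLE, methods: "*", actions: "*",
    customAuthz: "disallowQueryExpression()", excludePatterns: "repo,repo/*" },
  // constructed sample rule: anonymous callers may only read info/*
  { pattern: "info/*", roles: ANON_ROLE, methods: "read", actions: "*" },
];

const csv = (v) => String(v || "").split(",").map((s) => s.trim()).filter(Boolean);
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// "*" is the only wildcard: "managed/*" matches managed/user, "*" matches all.
function patternMatches(pattern, resource) {
  return new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$").test(resource);
}

function ruleAllows(rule, req) {
  if (!patternMatches(rule.pattern, req.resource)) return false;
  if (csv(rule.excludePatterns).some((p) => patternMatches(p, req.resource))) return false;
  const roles = csv(rule.roles);
  if (!roles.includes("*") && !req.roles.some((r) => roles.includes(r))) return false;
  const methods = csv(rule.methods);
  if (!methods.includes("*") && !methods.includes(req.method)) return false;
  const actions = csv(rule.actions);
  if (req.method === "action" && !actions.includes("*") && !actions.includes(req.action)) return false;
  return true;
}

// Deny by default: only an explicitly matching rule grants access.
function isAllowed(rules, req) {
  return rules.some((rule) => ruleAllows(rule, req));
}

// Constructed requests mirroring the thread: the admin UI sent the maintenance
// status call with X-OpenIDM-NoSession:true as "anonymous" (403 in the thread),
// while Postman sent the same call with the test user's credentials.
const anonymousStatus = { resource: "maintenance", method: "action", action: "status", roles: [ANON_ROLE] };
const userStatus = { resource: "maintenance", method: "action", action: "status",
                     roles: ["openidm-authorized", CUSTOM_ROLE] };
```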