ServiceStack Metadata page with restricted services - metadata

I was wondering if there is a way to show on the metadata page only the services allowed by role. For example, if the user has the role "operator", in the ServiceStack metadata page they can only see and access services B and C, and if the user enters with the admin role they can view and access services A, B, C and D in the metadata page.

The metadata pages currently support restricting the visibility and access of services based on the Request Attribute Restrictions, but there's no support for role-level or permission-level visibility.
Add it as a feature request if you would like to see future support for this.

Related

Capture IDP User attributes in SAP cloud foundry app via SDK UserAccesor API

I wanted to capture user attributes coming from the SAP IDP (Identity & Authentication tenant service), like department, salutation, company etc., via the UserAccessor SDK API. Although those attributes are set and have values in the IDP user, and all the integration between the IDP and the sub account is in place, post authentication the user attributes object is empty. I am only able to retrieve specific attributes like first name, last name, email address, user groups etc. via the JWT and the UserAccessor API, but no luck with other attributes. In the IDP I have mentioned these attributes as well under assertion attributes in the SAP Identity Authentication tenant.
Please guide and help in this matter.
Thanks Siddharth
Update: As we have now identified the problem, I will update my answer to reflect that. The original answer below is outdated:
Okay so the problem is that you haven't mapped any additional user attributes from your Identity Provider (IdP) to your JWT. As far as I'm aware there are three things you will need to do:
You need to create attributes in your xs-security.json (the file you used to configure your XSUAA service instance). This documentation should explain how to do that.
You need to configure which attributes are exposed by your IdP (in your case the SAP Identity & Authentication service. This documentation looks like a good place to start looking).
You need to map the attributes exposed by your IdP to the attributes defined in your xs-security.json. You will probably need to reconfigure (i.e. delete, recreate and rebind) your XSUAA service instance with the updated config, before you can do this step. Then, navigate to your application in the Cloud Platform Cockpit, from the left toolbar click "Security > Roles" and create your mapping.
Let me know if this works for you!
Original Answer:
As far as I'm aware the default IdP does not support SAML. Without SAML, I'm not sure whether you can propagate any attributes from your IdP into the JWT.
Please also check out this discussion for more information.

Role Activity & Access Level

I have developed a web application with following architecture:
Frontend : Angular 6
Backend : Java REST APIs with Springboot
I want to add authentication and authorization to it. For that I'm looking for some open source application (e.g. KeyCloak, Gluu etc.). I would like to know in which tool the below scenarios are supported.
There will be a predefined set of Activities on the UI (e.g. Add, Edit, Delete etc.)
There will be predefined Access Levels (e.g. Read, Write, No Access)
I should be able to create Roles, then assign activities and access levels to those roles and assign those roles to users.
Can you please help me to find out a tool which supports my above scenario?
I tried something for KeyCloak, but I couldn't find a way to add activities, access levels and map roles to it. I think everything there is governed by Role only.
I just realized that I need Activity based authorization and not Role based authorization. Please help me find some tool for that.
I'm not sure what is meant by activity based authorization, but I suspect you actually mean permission based authorization, for example: grant permissions to users to perform certain actions.
Shiro offers you permissions and role based authorization out of the box.
You can create roles, add permissions to these roles and assign them to a user. Supported are implicit and explicit roles, whereas one role can hold any number of permissions. You can even work with wildcards and group the permissions.
For more information you should take a look at the official Shiro entry and especially the web documentation for your project in particular. Shiro offers full support for Spring-Boot applications, you can find a HowTo here.
Shiro fully supports your described scenario.
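A Python re-implementation of Shiro's wildcard permission rules, added here as an example (it is not Shiro's own code), mapping the asker's Activities and Access Levels onto "activity:accesslevel:resource" strings; the roles and permission strings are constructed for the example.

```python
"""Example added to this thread (not Shiro's code): Shiro-style wildcard permissions.
A permission is "part:part:part"; each part is a comma-separated set of tokens,
"*" matches anything, and a permission with fewer parts implies any longer one."""


class WildcardPermission:
    def __init__(self, text: str):
        parts = [p.strip().lower() for p in text.split(":") if p.strip()]
        if not parts:
            raise ValueError("permission string must not be empty")
        # "read,write" -> {"read", "write"}; matching is case-insensitive like Shiro
        self.parts = [set(t.strip() for t in p.split(",") if t.strip()) for p in parts]

    def implies(self, other: "WildcardPermission") -> bool:
        for i, other_part in enumerate(other.parts):
            if i >= len(self.parts):
                return True            # we are less specific, so we cover the rest
            mine = self.parts[i]
            if "*" not in mine and not other_part.issubset(mine):
                return False
        # other was shorter: every remaining part of ours must be a wildcard
        return all("*" in p for p in self.parts[len(other.parts):])


def is_permitted(granted, wanted: str) -> bool:
    """True if any granted permission string implies the requested one."""
    want = WildcardPermission(wanted)
    return any(WildcardPermission(g).implies(want) for g in granted)


# Constructed roles: activities Add/Edit/Delete, access levels Read/Write,
# optional third part naming the resource (e.g. "orders").
ROLES = {
    "viewer": ["*:read"],
    "editor": ["add,edit:read,write", "delete:read"],
    "admin": ["*"],
}


def check(role: str, permission: str) -> bool:
    """Would a subject holding `role` be permitted `permission`?"""
    return is_permitted(ROLES[role], permission)
```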

How do I implement Authorization with a Single Page Application and REST Backend?

I'm using Node.js with Loopback (based on Express) for the REST API. It has an ACL implementation that allows you to give/prevent access from/to parts of the API to a Role.
The front-end of the application is written with React and Redux.
The app will have a public and a private part, and I want people to be able to log in to /admin.
Next to the ACL for the REST resources, should there be a separate Authorization mechanism for the front-end?
Say I want to be able to access the #/admin page and my user is part of a role that allows you to look up information about users; How do I decide that my user can access the admin dashboard and how do I decide that my user may add a widget that makes use of the users API, to which his Role has been granted access?
Use flashboard for a loopback admin dashboard.
It automatically generates your admin panel based on your model configs.
vah7id.github.io/flashboard

REST API DESIGN - How to overcome the impedance mismatch between a front end client's needs and REST principles?

Given the following scenario:
a RESTful API
that RESTful API has permissions/authorizations that can be granted to entire entity collections, and/or to particular entities, i.e. complex role based permission rules.
The API is (according to RESTful principles) HATEOAS-driven (resource URLs are revealed through the API). Once you log in and get back the "user" resource, you are able to drive the entire API through links given in responses.
A front-end client (web app) that needs to use this API
Imagine now the front-end wants to build a menu. That menu is based on access to particular entities and/or entity collections. For example an "Administration" menu will be shown if the user has access to one of a number of different entities and/or collections.
How do I build the menu? I need to know the permissions the user has in order to build the menu properly. I don't know all the permissions the user has because it would require walking the URLs of the REST API to see all the objects the user has permissions on.
This seems like a tough thing to overcome, but maybe I am missing some obvious technique. How can this impedance mismatch be overcome?
Your REST API can expose a resource (or it can be part of the user resource returned after a user has successfully signed in) which contains information about what resources the user can access, and therefore what menu items should be available for this user.

Best way to define a Customized authorization policy

I am developing a project with MongoDB. I have a scenario where I need to restrict the visibility of data to the user based on their role; for example, if I have a document of the form:
{
"testme1":"fooo",
"testme2":"foobar"
}
A user with role "admin" can see both "testme1" and "testme2", whereas "guest" can see only "testme2". What is the best way to define these authorization rules dynamically, so that my wrapper API fetches the data only as per the rule? My approach is to give the user a web UI to define a rule and, based on his declaration, keep an XML file on my server. Please let me know if someone has a better idea, and also whether there is some database-level approach to do this.
There is an authorization standard that exists which you can use to define your authorization policies. This standard is called XACML, the eXtensible Access Control Markup Language. It implements an authorization model called attribute-based access control (ABAC). You can read up on both topics here:
NIST's page on attribute-based access control (ABAC)
OASIS extensible access control markup language (XACML)
XACML defines an architecture with the notion of:
a policy decision point (PDP),
a policy enforcement point (PEP), and
a policy information point (PIP).
In the typical flow, the PEP protects your data / service / API. The PEP would send an authorization request to the PDP:
Can user Alice view record #123?
The PDP would turn to the PIP to retrieve missing attributes e.g. the user's role and clearance as well as resource attributes e.g. the sensitivity of data, a whitelist or blacklist... Based on the new information, the PDP can reach a decision: Permit or Deny. Access is allowed or blocked.
With XACML there is no limit to the richness of the authorization policies. I work for a company, Axiomatics, that implements XACML, and our solutions are used in manufacturing, healthcare and banking to secure access to sensitive data in a dynamic way (e.g. managers can edit documents that they own).
XACML enables externalized authorization that is managed centrally. It also enables what I like to call any-depth authorization meaning that you can apply XACML to web APIs, business logic, presentation UIs, as well as databases.
HTH
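A toy PEP/PDP/PIP in Python, added as an example (not Axiomatics' or any XACML engine's code), applying the flow described above to the asker's document so that "admin" sees both fields and "guest" sees only "testme2"; the users, field sensitivity attributes and rules are constructed for the example.

```python
"""Example added to this answer (not a real XACML engine): PEP asks PDP, PDP pulls
missing attributes from the PIP, evaluates ABAC rules, returns Permit or Deny."""
from dataclasses import dataclass, field


@dataclass
class Request:            # the authorization request the PEP sends to the PDP
    subject: str
    action: str
    resource: str         # here: a field name of the MongoDB document
    attrs: dict = field(default_factory=dict)


class PIP:
    """Policy Information Point: supplies attributes missing from the request."""
    def __init__(self, users, fields):
        self.users, self.fields = users, fields

    def enrich(self, req: Request) -> Request:
        req.attrs.setdefault("role", self.users.get(req.subject, {}).get("role"))
        req.attrs.setdefault("sensitivity", self.fields.get(req.resource, "public"))
        return req


class PDP:
    """Policy Decision Point: rules are (action, predicate); deny-unless-permit."""
    def __init__(self, pip: PIP, rules):
        self.pip, self.rules = pip, rules

    def decide(self, req: Request) -> str:
        req = self.pip.enrich(req)
        for action, allows in self.rules:
            if action == req.action and allows(req.attrs):
                return "Permit"
        return "Deny"


def pep_filter_document(pdp: PDP, user: str, doc: dict) -> dict:
    """Policy Enforcement Point: keep only the fields the PDP permits the user to view."""
    return {k: v for k, v in doc.items()
            if pdp.decide(Request(user, "view", k)) == "Permit"}


# Constructed attribute sources and policy: admins view every field; any known
# role may view fields whose sensitivity attribute is "public".
USERS = {"alice": {"role": "admin"}, "bob": {"role": "guest"}}
FIELDS = {"testme1": "restricted", "testme2": "public"}
RULES = [("view", lambda a: a["role"] == "admin"),
         ("view", lambda a: a["role"] is not None and a["sensitivity"] == "public")]
DOC = {"testme1": "fooo", "testme2": "foobar"}


def visible_fields(user: str) -> dict:
    return pep_filter_document(PDP(PIP(USERS, FIELDS), RULES), user, DOC)
```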