access.js revision 39c49620d529487e3d1d181e2f713f6490d563a4
4632N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 4632N/A * Copyright (c) 2011-2012 ForgeRock AS. All rights reserved. 4632N/A * The contents of this file are subject to the terms 4632N/A * of the Common Development and Distribution License 4632N/A * (the License). You may not use this file except in 4632N/A * compliance with the License. 4632N/A * You can obtain a copy of the License at 4632N/A * See the License for the specific language governing 4632N/A * permission and limitations under the License. 4632N/A * When distributing Covered Code, include this CDDL 4632N/A * Header Notice in each file and include the License file 4632N/A * If applicable, add the following below the CDDL Header, 4632N/A * with the fields enclosed by brackets [] replaced by 4632N/A * your own identifying information: 4632N/A * "Portions Copyrighted [year] [name of copyright owner]" 4632N/A// A configuration for allowed HTTP requests. Each entry in the configuration contains a pattern 4632N/A// to match against the incoming request ID and, in the event of a match, the associated roles, 4632N/A// methods, and actions that are allowed for requests on that particular pattern. 4632N/A// pattern: A pattern to match against an incoming request's resource ID 4632N/A// roles: A comma separated list of allowed roles 4632N/A// methods: A comma separated list of allowed methods 4632N/A// actions: A comma separated list of allowed actions 4632N/A// customAuthz: A custom function for additional authorization logic/checks (optional) 4632N/A// excludePatterns: A comma separated list of patterns to exclude from the pattern match (optional) 4632N/A// A single '*' character indicates all possible values. With patterns ending in "/*", the "*" 4632N/A// acts as a wild card to indicate the pattern accepts all resource IDs "below" the specified 4632N/A// pattern (prefix). For example the pattern "managed/*" would match "managed/user" or anything 4632N/A// starting with "managed/". Note: it would not match "managed", which would need to have its 4632N/A "address1,address2,city,stateProvince,postalCode,country,siteImage," +
4632N/A "passPhrase,securityAnswer,securityQuestion";
4632N/A // Anyone can read from these endpoints 4632N/A "roles" :
"openidm-reg,openidm-authorized",
4632N/A // These options should only be available anonymously if securityQA is enabled 4632N/A "customAuthz" :
"checkIfUIIsEnabled('securityQuestions')" 4632N/A // Anonymous user can call the siteIdentification endpoint if it is enabled: 4632N/A "customAuthz" :
"checkIfUIIsEnabled('siteIdentification')" 4632N/A // Anonymous user can call the securityQA endpoint if it enabled: 4632N/A "customAuthz" :
"checkIfUIIsEnabled('securityQuestions')" 4632N/A // This is needed by both self reg and security questions 4632N/A "customAuthz" :
"checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('securityQuestions')" 4632N/A // openidm-admin can request nearly anything (some exceptions being a few system endpoints) 4632N/A "methods" :
"*",
// default to all methods allowed 4632N/A "actions" :
"*",
// default to all actions allowed 4632N/A "customAuthz" :
"disallowQueryExpression()",
4632N/A "excludePatterns":
"system/*" 4632N/A // additional rules for openidm-admin that selectively enable certain parts of system/ 4632N/A "methods" :
"create,read,update,delete,patch,query",
// restrictions on 'action' 4632N/A "customAuthz" :
"disallowQueryExpression()" 4632N/A // Note that these actions are available directly on system as well 4632N/A "actions" :
"test,testConfig,createconfiguration,liveSync" 4632N/A // Additional checks for authenticated users 4632N/A "roles" :
"openidm-authorized",
// openidm-authorized is logged-in users 4632N/A "roles" :
"openidm-authorized",
4632N/A "pattern" :
"authentication",
4632N/A "roles" :
"openidm-authorized",
4632N/A "actions" :
"reauthenticate" 4632N/A "roles" :
"openidm-authorized",
4632N/A "methods" :
"create,read,update,patch,action,query",
// note the missing 'delete' - by default, users cannot delete things 4632N/A "excludePatterns":
"system/*" 4632N/A // enforcement of which notifications you can read and delete is done within the endpoint 4632N/A "roles" :
"openidm-authorized",
4632N/A // Workflow-related endpoints for authorized users 4632N/A "roles" :
"openidm-authorized",
4632N/A "customAuthz" :
"isMyTask()" 4632N/A "roles" :
"openidm-authorized",
4632N/A "customAuthz" :
"canUpdateTask()" 4632N/A "roles" :
"openidm-authorized",
4632N/A "actions" :
"createProcessInstance",
4632N/A "customAuthz":
"isAllowedToStartProcess()" 4632N/A "roles" :
"openidm-authorized",
4632N/A "customAuthz":
"isOneOfMyWorkflows()" 4632N/A // Clients authenticated via SSL mutual authentication 4632N/A "methods" :
"patch,action",
4632N/A "customAuthz" :
"isQueryOneOf({'managed/user': ['for-userName']}) && managedUserRestrictedToAllowedProperties('password')" 4632N/A "methods" :
"read,create,update,delete",
4632N/A// Additional custom authorization functions go here