access.js revision 4098d8e8496291ef7a21f5f36fabd292d12f8cdb
0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 0N/A * Copyright (c) 2011-2012 ForgeRock AS. All rights reserved. 0N/A * The contents of this file are subject to the terms 0N/A * of the Common Development and Distribution License 0N/A * (the License). You may not use this file except in 0N/A * compliance with the License. 0N/A * You can obtain a copy of the License at 0N/A * See the License for the specific language governing 0N/A * permission and limitations under the License. 0N/A * When distributing Covered Code, include this CDDL 0N/A * Header Notice in each file and include the License file 0N/A * If applicable, add the following below the CDDL Header, 0N/A * with the fields enclosed by brackets [] replaced by 0N/A * your own identifying information: 0N/A * "Portions Copyrighted [year] [name of copyright owner]" 0N/A// A configuration for allowed HTTP requests. Each entry in the configuration contains a pattern 0N/A// to match against the incoming request ID and, in the event of a match, the associated roles, 0N/A// methods, and actions that are allowed for requests on that particular pattern. 0N/A// pattern: A pattern to match against an incoming request's resource ID 0N/A// roles: A comma separated list of allowed roles 0N/A// methods: A comma separated list of allowed methods 0N/A// actions: A comma separated list of allowed actions 0N/A// customAuthz: A custom function for additional authorization logic/checks (optional) 0N/A// excludePatterns: A comma separated list of patterns to exclude from the pattern match (optional) 0N/A// A single '*' character indicates all possible values. With patterns ending in "/*", the "*" 0N/A// acts as a wild card to indicate the pattern accepts all resource IDs "below" the specified // pattern (prefix). For example the pattern "managed/*" would match "managed/user" or anything // starting with "managed/". Note: it would not match "managed", which would need to have its // own entry in the config. "address1,address2,city,stateProvince,postalCode,country,siteImage," +
"passPhrase,securityAnswer,securityQuestion";
// Anyone can read from these endpoints "roles" :
"openidm-reg,openidm-authorized",
// These options should only be available anonymously if securityQA is enabled "customAuthz" :
"checkIfUIIsEnabled('securityQuestions')" // Anonymous user can call the siteIdentification endpoint if it is enabled: "customAuthz" :
"checkIfUIIsEnabled('siteIdentification')" // Anonymous user can call the securityQA endpoint if it enabled: "customAuthz" :
"checkIfUIIsEnabled('securityQuestions')" // This is needed by both self reg and security questions "methods" :
"read,action",
"customAuthz" :
"checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('securityQuestions')" // openidm-admin can request nearly anything (some exceptions being a few system endpoints) "roles" :
"openidm-admin",
"methods" :
"*",
// default to all methods allowed "actions" :
"*",
// default to all actions allowed "customAuthz" :
"disallowQueryExpression()",
"excludePatterns":
"system/*" // additional rules for openidm-admin that selectively enable certain parts of system/ "roles" :
"openidm-admin",
"methods" :
"create,read,update,delete,patch,query",
// restrictions on 'action' "customAuthz" :
"disallowQueryExpression()" // Note that these actions are available directly on system as well "roles" :
"openidm-admin",
"actions" :
"test,testConfig,createconfiguration,liveSync" // Additional checks for authenticated users "roles" :
"openidm-authorized",
// openidm-authorized is logged-in users "methods" :
"read,action",
"roles" :
"openidm-authorized",
"pattern" :
"authentication",
"roles" :
"openidm-authorized",
"actions" :
"reauthenticate" "roles" :
"openidm-authorized",
"methods" :
"create,read,update,patch,action,query",
// note the missing 'delete' - by default, users cannot delete things "excludePatterns":
"system/*" // enforcement of which notifications you can read and delete is done within the endpoint "roles" :
"openidm-authorized",
"methods" :
"read,delete",
// Workflow-related endpoints for authorized users "roles" :
"openidm-authorized",
"customAuthz" :
"isMyTask()" "roles" :
"openidm-authorized",
"methods" :
"read,update",
"customAuthz" :
"canUpdateTask()" "roles" :
"openidm-authorized",
"actions" :
"createProcessInstance",
"customAuthz":
"isAllowedToStartProcess()" "roles" :
"openidm-authorized",
"customAuthz":
"isOneOfMyWorkflows()" // Clients authenticated via SSL mutual authentication "roles" :
"openidm-cert",
"methods" :
"patch,action",
"customAuthz" :
"isQueryOneOf({'managed/user': ['for-userName']}) && managedUserRestrictedToAllowedProperties('password')" "pattern" :
"security/*",
"roles" :
"openidm-admin",
"methods" :
"read,create,update,delete",
// Additional custom authorization functions go here