access.js revision bcabf58f014780d0080c944621a579b77ada2d31
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2011-2014 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

// A configuration for allowed HTTP requests. Each entry in the configuration contains a pattern
// to match against the incoming request's resource ID and, in the event of a match, the associated
// roles, methods, and actions that are allowed for requests on that particular pattern.
//
//   pattern:         A pattern to match against an incoming request's resource ID
//   roles:           A comma separated list of allowed roles
//   methods:         A comma separated list of allowed methods
//   actions:         A comma separated list of allowed actions
//   customAuthz:     A JavaScript expression, given as a string, that is evaluated as an additional
//                    authorization check on top of the role/method/action match, e.g.
//                    "checkIfUIIsEnabled('securityQuestions')" or
//                    "request.params.userId[0] === request.security.id" (optional)
//   excludePatterns: A comma separated list of patterns to exclude from the pattern match,
//                    e.g. "system/*" to carve system endpoints out of a wildcard rule (optional)
//
// A single '*' character indicates all possible values. With patterns ending in "/*", the "*"
// acts as a wild card to indicate the pattern accepts all resource IDs "below" the specified
// pattern (prefix). For example the pattern "managed/*" would match "managed/user" or anything
// starting with "managed/". Because such a prefix also covers resources added later, a wildcard
// entry is only as tight as its excludePatterns and customAuthz make it.
Note: it would not match "managed", which would need to have its 2811N/A "postalAddress,address2,city,stateProvince,postalCode,country,siteImage," +
2811N/A "passPhrase,securityAnswer,securityQuestion";
2811N/A // Anyone can read from these endpoints 2811N/A "roles" :
"openidm-reg,openidm-authorized",
2811N/A // These options should only be available anonymously if securityQA is enabled 2811N/A "customAuthz" :
"checkIfUIIsEnabled('securityQuestions')" 2811N/A // Anonymous user can call the siteIdentification endpoint if it is enabled: 2811N/A "customAuthz" :
"checkIfUIIsEnabled('siteIdentification')" 2811N/A // Anonymous user can call the securityQA endpoint if it enabled: 2811N/A "customAuthz" :
"checkIfUIIsEnabled('securityQuestions')" 2811N/A // This is needed by both self reg and security questions 2811N/A "customAuthz" :
"checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('securityQuestions')" 2811N/A // openidm-admin can request nearly anything (some exceptions being a few system endpoints) 2811N/A "methods" :
"*",
// default to all methods allowed; with actions also "*" below, this entry is narrowed only by
// disallowQueryExpression() and the "system/*" excludePatterns, so review both when adding endpoints
"*",
// default to all actions allowed 2811N/A "customAuthz" :
"disallowQueryExpression()",
2811N/A "excludePatterns":
"system/*" 2811N/A // additional rules for openidm-admin that selectively enable certain parts of system/ 2811N/A "methods" :
"create,read,update,delete,patch,query",
// restrictions on 'action' 2811N/A "customAuthz" :
"disallowQueryExpression()" 2811N/A // Note that these actions are available directly on system as well 2811N/A "actions" :
"test,testConfig,createconfiguration,liveSync" 2811N/A // Additional checks for authenticated users 2811N/A "roles" :
"openidm-authorized",
// openidm-authorized is logged-in users 2811N/A "roles" :
"openidm-authorized",
2811N/A "pattern" :
"authentication",
2811N/A "roles" :
"openidm-authorized",
2811N/A "actions" :
"reauthenticate" 2811N/A "roles" :
"openidm-authorized",
2811N/A "methods" :
"read,update,patch,action,query",
// note the missing 'delete' - by default, users cannot delete themselves 2811N/A "excludePatterns":
"system/*" 2811N/A // enforcement of which notifications you can read and delete is done within the endpoint 2811N/A "roles" :
"openidm-authorized",
2811N/A // Workflow-related endpoints for authorized users 2811N/A "roles" :
"openidm-authorized",
2811N/A "customAuthz" :
"request.params.userId[0] === request.security.id" 2811N/A "roles" :
"openidm-authorized",
2811N/A "customAuthz" :
"request.params.userId[0] === request.security.id" 2811N/A "roles" :
"openidm-authorized",
2811N/A "customAuthz" :
"canUpdateTask()" 2811N/A "roles" :
"openidm-authorized",
2811N/A "customAuthz":
"isAllowedToStartProcess()" 2811N/A "roles" :
"openidm-authorized",
2811N/A "customAuthz":
"isOneOfMyWorkflows()" 2811N/A // Clients authenticated via SSL mutual authentication 2811N/A "methods" :
"patch,action",
2811N/A "customAuthz" :
"isQueryOneOf({'managed/user': ['for-userName']}) && managedUserRestrictedToAllowedProperties('password')" 2811N/A "methods" :
"read,create,update,delete",
// Additional custom authorization functions go here. Every function named in a customAuthz string
// above (checkIfUIIsEnabled, disallowQueryExpression, canUpdateTask, isAllowedToStartProcess,
// isOneOfMyWorkflows, isQueryOneOf, managedUserRestrictedToAllowedProperties) must be defined in
// scope for that expression to evaluate.