Authentication and Roles
Depending on how a user authenticates, the user is given a set of default internal roles. These roles determine how much access the user has to the server. IDM includes a number of default internal roles, on the openidm/internal/roles
endpoint. You can configure additional internal roles to customize how you restrict access to the server.
The following internal roles are defined by default (in conf/repo.init.json
):
- openidm-admin
IDM administrator role, excluded from the reauthorization required policy definition by default.
- openidm-authorized
Default role for any user who authenticates with a username and password.
- openidm-cert
Default role for any user who authenticates with mutual SSL authentication.
This role applies only to mutual authentication. The shared secret (certificate) must be adequately protected. The
openidm-cert
role is excluded from the reauthorization required policy definition by default.- openidm-reg
Assigned to users who access IDM with the default anonymous account.
The
openidm-reg
role is excluded from the reauthorization required policy definition by default.- openidm-tasks-manager
Role for users who can be assigned to workflow tasks.
- platform-provisioning
Role for platform provisioning access. If you are not planning to run AM and IDM together as a platform, you can safely remove this role.
When a user authenticates, IDM calculates that user's roles as follows:
Each authentication module includes a
defaultUserRoles
property. Depending on how the user authenticates, IDM assigns the roles listed in that module'sdefaultUserRoles
property to the user on authentication. ThedefaultUserRoles
property is specified as an array. For most authentication modules, the user obtains theopenidm-authorized
role on authentication. For example:{ "name" : "MANAGED_USER", "properties" : { ... "defaultUserRoles" : [ "internal/role/openidm-authorized" ] }, ... }
The
userRoles
property in an authentication module maps to an attribute (or list of attributes) in a user entry that contains that user's authorization roles. This attribute is usuallyauthzRoles
, unless you have changed how user roles are stored.Any internal roles that are conditionally applied are also calculated and included in the user's
authzRoles
property at this point.If the authentication module includes a
groupRoleMapping
,groupMembership
, orgroupComparison
property, IDM can assign additional roles to the user, depending on the user's group membership on an external system. For more information, see "Use Groups to Control Access to IDM".
Note
The roles calculated in sequence are cumulative. Roles with temporal restrictions are not included in that list if the current time is outside of the time assigned to the role.
Dynamic Role Calculation
By default, IDM calculates a user's roles only on authentication. You can configure IDM to recalculate a user's roles dynamically, with each request, instead of only when the user reauthenticates. To enable this feature, set enableDynamicRoles
to true
in the JWT_SESSION
session module in authentication.json
:
To enable dynamic role calculation through the Admin UI, select Configure > Authentication > Session > Enable Dynamic Roles.
Dynamic role calculation can be used independently of the privileges mechanism, but is required for privileges to work. For more information about privileges, see "Privileges and Delegation to Restrict Administrative Access".
Roles, Authentication, and the Security Context
The Security Context (context.security
), consists of a principal (defined by the authenticationId
property) and an access control element (defined by the authorization
property).
If authentication is successful, the authentication framework sets the principal. IDM stores that principal as the authenticationId
.
The authorization
property includes an id
, an array of roles
, and a component
, that specifies the resource against which authorization is validated.