How do I customize authorization rules for http requests in IDM 6.x?

Overview

Authorization rules for http requests are derived from the access.js and router-authz.js files (located in the /path/to/idm/script and /path/to/idm/bin/defaults/script directories respectively). These two files are used together to validate inbound REST requests and determine if the user has access.

• access.js allows you to specify authorization rules for each http request, where the configurations for each http request follow a set format:
  • pattern - resource requested, for example, managed/user. You can also use "*" to indicate all patterns are allowed.
  • roles - role of requesting user, for example, internal/role/openidm-authorized. In IDM 6, you do not need to include the full path; you can just refer to the role name, for example, openidm-authorized
  • methods - comma separated list of methods to which access is being granted (for example, create, read, patch etc.) You can also use "*" to indicate all methods are allowed or "" to indicate no methods are allowed.
  • actions - comma separated list of allowed actions. The possible values depend on the URL being exposed as detailed in Understanding the Access Configuration Script (access.js). You can also use "*" to indicate all actions are allowed or "" to indicate no actions are allowed.
  • customAuthz (optional) - reference to function names of scripts contained within router-authz.js.
  • excludePatterns (optional) - resources to which access is not permitted.

The access.js file format is described in more detail in Understanding the Access Configuration Script (access.js).

• router-authz.js contains a set of functions, where each function must return a boolean value. These scripts all have access to the openidm.[method]() functionality along with the request, config and context variables, which all contain useful information.

The router-authz.js file is described in more detail in Understanding the Router Authorization Script (router-authz.js); further information on openidm.[method]() calls can be found in Function Reference.

Customizing authorization rules for http requests

You can update and add entries to access.js to provide simple authorization rules, such as restricting certain actions to a given role. For greater control, you can combine this with calls to an appropriate function (or functions) written within the router-authz.js file to provide context-based authorization rules.

Additionally, if you add new roles or custom http requests to IDM, you should configure the appropriate access by updating access.js to include the new roles and/or custom http requests.

Example 1

The info http request in IDM (which provides detailed information about a running IDM instance) is configured by default to be accessible to all roles:

You could change this so it is only accessible to users assigned the internal/role/openidm-admin role by updating this as follows:

Example 2

If you had a new custom http request that you wanted to be accessible to users assigned a new role or the existing internal/role/openidm-cert role, you would add something similar to the following to access.js:

See Also

How does IDM (All versions) use anonymous access?

Roles and Authentication

Working With Managed Roles

Authorization

Related Training

ForgeRock Identity Management Deep Dive (IDM-420)

Related Issue Tracker IDs

N/A