How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I restrict the managed/user attributes that are returned via REST in IDM (All versions)?

Last updated Apr 8, 2021

The purpose of this article is to provide information on restricting the managed/user attributes that are returned from a REST request, based on the user making the request, in IDM. This lets you control which attributes appear in the response according to who the user is or which role they hold. The technique works at the response stage: the attribute is removed after the request has been authorized and processed, so it complements, rather than replaces, the normal access configuration.


Restricting the managed/user attributes returned via REST

You can restrict which managed/user attributes are returned by adding a router filter to the filters array in the router.json file (located in the /path/to/idm/conf directory). You can do this based on either the roles associated with the user or a specific user ID. The filter's pattern is a regular expression matched against the resource path; managed/user/.* matches requests whose path has a segment after managed/user/ (for example, a read of managed/user/<id>). If you also want a collection query on managed/user (no trailing ID) to pass through the filter, make sure your pattern matches that path too, for example, managed/user(/.*)?.

The following examples show a simple restriction that prevents a single field from being returned in the response. You can, however, add as much conditional logic as you want to restrict fields, and restrict multiple fields, providing the script is valid JavaScript®. If you intend to include multiple constraints, you should consider putting them in a file and referencing the file from router.json instead of embedding the script inline.

Role

The following example demonstrates what should be added to the router.json file to remove the description field from the response for users without the internal/role/openidm-authorized role:

{
    "pattern" : "managed/user/.*",
    "onResponse" : {
        "type" : "text/javascript",
        "source" : "if (context.security.authorizationId.roles.indexOf(\"internal/role/openidm-authorized\") === -1) { delete response.description; }"
    }
},

This filter means that users with the internal/role/openidm-authorized role will see the description field in the response. Users who do not have this role will not see the attribute, because the script deletes it from the response before it is returned. Note that the check is on context.security.authorizationId.roles, which reflects the roles IDM has resolved for the caller, not on anything the caller supplies in the request.

In IDM versions before 6.5, you do not need to include the full path; you can just refer to the role name, for example, openidm-authorized.

User ID

The following example demonstrates what should be added to the router.json file to remove the description field from the response for the user jdoe:

{
    "pattern" : "managed/user/.*",
    "onResponse" : {
        "type" : "text/javascript",
        "source" : "if (context.security.authenticationId === \"jdoe\") { delete response.description; }"
    }
},

This filter means all other users will see the description field in the response, but jdoe will not, since it is deleted from the response. context.security.authenticationId is the identifier the caller authenticated as (for a managed user, the userName), so the comparison is against that value rather than the managed object's _id.

Including a file

The following example demonstrates what should be added to the router.json file to reference a file:

{
    "pattern" : "managed/user/.*",
    "onResponse" : {
        "type" : "text/javascript",
        "file" : "script/restrictAttributes.js"
    }
},

Here, the conditional logic to restrict fields is contained in the restrictAttributes.js file, which is resolved relative to the IDM script directories (by default /path/to/idm/script is on the script search path, so script/restrictAttributes.js refers to /path/to/idm/script/restrictAttributes.js). The file runs with the same context and response bindings as an inline source script.
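As an added example that is not part of the original article, the following shows one way to write the referenced restrictAttributes.js so that it combines the role-based check and the user-ID check from the two inline examples above and strips several fields at once. It assumes that IDM binds the globals context and response for an onResponse router filter exactly as in the inline examples, and it additionally handles a response whose resources are held in a result array (that query-response shape, the role names other than openidm-authorized, the field lists and the user jdoe's restriction are illustrative assumptions, not IDM defaults). The script is written in ES5 style so it can run under IDM's embedded JavaScript engine as well as under Node.js for testing.

```javascript
// Added example: a possible script/restrictAttributes.js (not ForgeRock's code).
// Assumes IDM binds the globals `context` and `response` as for the inline
// onResponse scripts in the article. Role names, field lists and the
// `result` array handling below are illustrative assumptions.

// Fields hidden from callers that do NOT hold the given role.
var ROLE_RESTRICTIONS = [
    { role: "internal/role/openidm-authorized", fields: ["description"] },
    { role: "internal/role/openidm-admin", fields: ["telephoneNumber", "postalAddress"] }
];

// Fields hidden from specific authenticated users regardless of their roles.
var USER_RESTRICTIONS = {
    "jdoe": ["description"]
};

// Roles IDM resolved for the caller; never taken from request parameters.
function callerRoles(ctx) {
    var auth = ctx && ctx.security && ctx.security.authorizationId;
    return (auth && auth.roles) || [];
}

// Matches either the full path (IDM 6.5+) or the bare role name (pre-6.5).
function hasRole(ctx, role) {
    var roles = callerRoles(ctx);
    var bare = role.replace(/^internal\/role\//, "");
    for (var i = 0; i < roles.length; i++) {
        if (roles[i] === role || roles[i] === bare) {
            return true;
        }
    }
    return false;
}

// Returns the sorted, de-duplicated list of field names to delete for this caller.
function fieldsToStrip(ctx) {
    var fields = {};
    var i, j;
    for (i = 0; i < ROLE_RESTRICTIONS.length; i++) {
        if (!hasRole(ctx, ROLE_RESTRICTIONS[i].role)) {
            for (j = 0; j < ROLE_RESTRICTIONS[i].fields.length; j++) {
                fields[ROLE_RESTRICTIONS[i].fields[j]] = true;
            }
        }
    }
    var user = ctx && ctx.security && ctx.security.authenticationId;
    var perUser = Object.prototype.hasOwnProperty.call(USER_RESTRICTIONS, user)
        ? USER_RESTRICTIONS[user] : [];
    for (i = 0; i < perUser.length; i++) {
        fields[perUser[i]] = true;
    }
    return Object.keys(fields).sort();
}

// Deletes the named fields from a single resource object in place.
function stripFields(resource, fields) {
    for (var i = 0; i < fields.length; i++) {
        delete resource[fields[i]];
    }
    return resource;
}

// Applies the restrictions to either a single resource or, by assumption,
// a query-style response carrying its resources in a `result` array.
function restrictAttributes(ctx, resp) {
    var fields = fieldsToStrip(ctx);
    if (!resp || fields.length === 0) {
        return resp;
    }
    if (Object.prototype.toString.call(resp.result) === "[object Array]") {
        for (var i = 0; i < resp.result.length; i++) {
            stripFields(resp.result[i], fields);
        }
    } else {
        stripFields(resp, fields);
    }
    return resp;
}

// Entry point when IDM evaluates this file as the onResponse script;
// skipped when the file is loaded outside IDM (for example, under Node.js).
if (typeof context !== "undefined" && typeof response !== "undefined") {
    restrictAttributes(context, response);
}
```

Because the filter only edits the response, a caller can still learn the value of a hidden attribute through any endpoint or pattern the filter does not cover, so keep the pattern in step with every path that can expose managed/user data and treat this as a presentation control layered on top of the access rules.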

See Also

How do I search managed user objects for attributes stored in arrays in IDM (All versions)?

FAQ: Scripts in IDM

FAQ: REST API in IDM

Using the REST API in IDM

Scripting Guide › Router Configuration

Scripting Guide › router.json

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.