OpenAM / OPENAM-12395

Make the policy (IPrivilege class), Realm,Script name available to the ScriptedCondition (all Scripts)

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 13.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 5.5.2, 5.0
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      OpenAM 5.5.1
      OpenDJ 5.5.0
      OpenIG 5.5.0
    • Target Version/s:
    • Support Ticket IDs:

      Description

      issue background:

      Make the policy name (i.e. the com.sun.identity.entitlement.IPrivilege getName() value) available to org.forgerock.openam.entitlement.conditions.environment.ScriptedCondition. We need it to maximize reuse of our policy condition script, where we inspect specific LDAP attributes based on the policy. This may be an easy change, since you can include the policy's name as part of the environment variables, or it could be added to the PrivilegeEvaluatorContext. Please see com.sun.identity.entitlement.PrivilegeEvaluator, line 419; you could potentially add the following:
      parent.envParameters.put("PolicyName", new HashSet<String>() {{ add(eval.getName()); }});


      business reason:

      The client has a hybrid ABAC/RBAC model, where the client needs to support the ability to explicitly deny or allow access to a resource, and the client would like to use a single script rather than one per policy. We could use the resource URI's path, but the client would like to encapsulate that under the policy name to facilitate maintenance.

      For example:
      Script:

      authorized = false;
      var policyName = "somePolicyName"; // This should be the OpenAM policy name

      // An explicit deny entitlement naming this policy denies access
      var deniedEntitlements = identity.getAttribute("us-denied-entitlements");
      if (findItem(deniedEntitlements, policyName)) {
          authorized = false;
      }

      // Role membership grants access (checked after the deny, so a matching
      // role sets authorized back to true)
      var roles = identity.getAttribute("us-roles");
      if (findItem(roles, "SomeRole")) {
          authorized = true;
      }

      // True when target (an indexable list of attribute values) contains itemToFind
      function findItem(target, itemToFind) {
          if (!target) {
              return false; // attribute not present on the identity
          }
          for (var i = 0; i < target.length; i++) {
              if (target[i] === itemToFind) {
                  return true;
              }
          }
          return false;
      }

      People

      • Assignee: Unassigned
      • Reporter: jobby.thomas Jobby Thomas