OpenAM / OPENAM-14077

Separation of admin. duties via Amster integration with Open Policy Agent

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Do
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Amster, CLI

      Description

      It would be useful to have a separation of administrative privileges over AM via the Amster CLI. The proposed solution works by integrating Amster with Open Policy Agent, thus allowing authenticated Amster commands to be authorized or not based on a Rego policy file defined in OPA. This can be easily performed via OpenID Connect JWT tokens, and maybe also via SSOTokens.

      This way you have absolutely fine-grained control over who can perform every single administrative action over AM.

      The ultimate enhancement would be to limit AM's web console via OPA too. So if a user has "Policy Administration" privileges he/she would only see "Policy Administration" components in the user interface (e.g. https://youtu.be/XEHeexPpgrA?t=483).
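      The policy side of the proposal above, written out as an added example; it is not part of this issue, of OpenAM or of Amster (the issue was resolved Won't Do, so Amster has no OPA hook). It assumes a hypothetical Amster-side hook that, before running a command, POSTs an input document of the form {"command": "update", "entity": "Policies", "realm": "/employees", "token": "<OIDC JWT>"} to OPA's /v1/data/amster/authz/allow and proceeds only on a true result. The issuer URL, the audience "amster", the "roles" claim, the data.am_jwks document and the role-to-command table are all assumptions for illustration.

```rego
package amster.authz

import rego.v1

# Added example for OPENAM-14077, not code from OpenAM or Amster.
# Deny every command unless one of the allow rules below grants it.
default allow := false

# Claims of the caller's OIDC JWT, defined only when the signature, issuer,
# audience and expiry (checked against the current time by decode_verify)
# all hold. data.am_jwks is assumed to hold AM's published JWKS document,
# loaded into OPA as data; the issuer and audience values are assumptions.
claims := payload if {
    [valid, _, payload] := io.jwt.decode_verify(input.token, {
        "cert": data.am_jwks,
        "iss": "https://am.example.com/openam/oauth2",
        "aud": "amster",
    })
    valid
}

# Which Amster verbs each role may run, per entity type.
# "*" matches any entity. Role names and the "roles" claim are assumed.
role_permissions := {
    "policy-admin": {
        "Policies":   {"create", "read", "update", "delete", "query"},
        "PolicySets": {"create", "read", "update", "delete", "query"},
    },
    "read-only-admin": {
        "*": {"read", "query"},
    },
}

# Entity-specific grant: the role lists this entity and this verb.
allow if {
    some role in claims.roles
    role_permissions[role][input.entity][input.command]
}

# Wildcard grant: the role may run this verb on any entity.
allow if {
    some role in claims.roles
    role_permissions[role]["*"][input.command]
}
```

      Because `claims` is undefined whenever verification fails, both allow rules fall through to the default and the command is denied; a forged, expired or wrong-audience token therefore never reaches the role table. A decision for a given input can be checked locally with `opa eval -d policy.rego -d am_jwks.json -i input.json 'data.amster.authz.allow'`.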


            People

            • Assignee: Unassigned
            • Reporter: gramosv Guillermo Ramos Valverde (Inactive)
            • Votes: 0
            • Watchers: 3
