OpenAM / OPENAM-16788

Policy evaluation example uses wrong user


    Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 6.0.0.7, 6.5.2.3, 5.5.2, 7.0.0
    • 6.5.0, 7.0.0
    • documentation

      Description

      In the AM Authorization guide the steps are to:

       

      1. create privileged user - restPolicyUser
      2. add address to normal user - demo
      3. Create Policy
      4. Evaluate Policy... 

      In the last section where you evaluate policy it says

      “Send an evaluation request to the policies endpoint, using the SSO token of the demo user in the iPlanetDirectoryPro header.
      In the JSON data, set the subject property to also be the SSO token of the demo user.”

      This is not correct: the value sent in the iPlanetDirectoryPro header should be that of a session of the privileged user, i.e. restPolicyUser.

      To fix this, there needs to be an extra step to get an AM SSO session for restPolicyUser, which needs to be the value for the iPlanetDirectoryPro header.

      Note: this error came about in the Docs with version 5.5, where Step 1 above switched from giving privileges to the demo user to creating a new user with privileges. Therefore this example is wrong in all the Docs from 5.5, that is, 5.5, 6.0, 6.5, 7.0.

       

      https://backstage.forgerock.com/docs/am/7/authorization-guide/scripted-policy-condition.html#sec-scripted-policy-condition-prepare 

      https://backstage.forgerock.com/docs/am/6.5/authorization-guide/#sec-scripted-policy-condition-prepare 

      https://backstage.forgerock.com/docs/am/6/authorization-guide/#sec-scripted-policy-condition-prepare

      https://backstage.forgerock.com/docs/am/5.5/authorization-guide/#sec-scripted-policy-condition-prepare
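
      The corrected request sequence described above, as an added example that is not part of the issue or the AM guide: restPolicyUser's token goes in the iPlanetDirectoryPro header and the demo user's token goes in the subject. The AM base URL, root-realm path, policy set name, API version strings and sample resource are assumptions.

```shell
#!/bin/sh
# Added example, not from the AM guide. Assumed values: AM_URL, the root realm
# path, the policy set name, the API version strings and the sample resource.
AM_URL="${AM_URL:-https://openam.example.com:8443/openam}"
AM_APP="${AM_APP:-iPlanetAMWebAgentService}"

# Pull the tokenId (the SSO token) out of an authenticate response on stdin.
extract_token_id() {
  sed -n 's/.*"tokenId" *: *"\([^"]*\)".*/\1/p'
}

# am_login USER PASSWORD -> prints that user's SSO token.
am_login() {
  curl -s -X POST \
    -H "X-OpenAM-Username: $1" \
    -H "X-OpenAM-Password: $2" \
    -H "Accept-API-Version: resource=2.0, protocol=1.0" \
    "$AM_URL/json/realms/root/authenticate" | extract_token_id
}

# evaluate_body SUBJECT_TOKEN RESOURCE -> JSON whose subject is the user
# being evaluated (demo), never the caller.
evaluate_body() {
  printf '{"resources":["%s"],"application":"%s","subject":{"ssoToken":"%s"}}' \
    "$2" "$AM_APP" "$1"
}

# evaluate_policy CALLER_TOKEN SUBJECT_TOKEN RESOURCE
# CALLER_TOKEN goes in the iPlanetDirectoryPro header and must belong to
# restPolicyUser. In this walkthrough caller and subject are different users,
# so identical tokens mean the documented mistake was repeated.
evaluate_policy() {
  if [ "$1" = "$2" ]; then
    echo "caller token equals subject token; log in as restPolicyUser" >&2
    return 2
  fi
  curl -s -X POST \
    -H "Content-Type: application/json" \
    -H "Accept-API-Version: resource=2.1" \
    -H "iPlanetDirectoryPro: $1" \
    -d "$(evaluate_body "$2" "$3")" \
    "$AM_URL/json/realms/root/policies?_action=evaluate"
}

# Usage (password variables are placeholders):
#   ADMIN=$(am_login restPolicyUser "$REST_POLICY_USER_PW")
#   DEMO=$(am_login demo "$DEMO_PW")
#   evaluate_policy "$ADMIN" "$DEMO" "http://www.example.com:80/index.html"
```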

       

       

       

       

       

       

              People

              cristina.herraz Cristina Herraz [X] (Inactive)
              mark.nienaber@forgerock.com Mark Nienaber