Rights
Definition
A Right is the security unit that can be granted to an Identity. Rights are granted to Identities through Roles.
A Right is described by:
a name
a category
a security scope
Rights can be split into several categories:
Category | Type | Prefix | Description | Include in JWT token |
---|---|---|---|---|
Authentication | System | auth | Builtin rights dedicated to managing authentication methods, managed internally. | |
System | System | sys | Builtin rights used to give access to Memority functionalities. | |
Application | Access | app | Configured rights used to give access to applications. Classic terminology is "access rights", and they are largely used for provisioning only. The "applications" are typically those created as managed resources inside of Memority (although not compulsory). | |
Asset | Access | asset | Configured rights used to give access to assets (such as mobile phones, external APIs...). The "assets" are typically those created as managed resources inside of Memority (although not compulsory). | |
Feature | Access | feat | Semi-configured rights used to give access to Features. Those rights are automatically created when new Features are configured. They are used in low-level access control. | |
Administration | Access | adm | Configured rights used to give access to non-builtin functionalities in Memority. Those rights would typically serve in the definition of Feature Access Policies. Beware that granting too many "adm" rights can lead to issues with the JWT token when it grows too large. Consider using User rights instead, if applicable (see below). | |
User | Access | user | Configured rights used to give access to external functionalities or to perform access control in high-level Memority functions through checks in Rules. | |
Built-in Rights vs. Configured Rights
In Memority we distinguish between builtin (system) and configured (access) Rights.
Builtin Rights
Builtin Rights are internal and static, and are used to perform access control on core Memority operations (such as creating attribute definitions, updating objects, etc.).
Configured Rights
Configured Rights are mutable and must be managed independently; they declare Rights either for configurable features of Memority or for external needs (typically rights on provisioning targets).
Configuration
You can access the Rights configuration:
by clicking on "Rights"
by clicking on "System" > "Configurations" and performing an import/export.
Global properties
Domain | Code |
---|---|
Version and encoding: Each Right starts by announcing the version and encoding. | CODE |
DataSet: Each Right starts by announcing the DataSet. | |
Right: Each Right has the following configuration to describe it. | |
Configuration
Properties
Property name | Type | Mandatory | Description | Values | Modifiable after creation |
---|---|---|---|---|---|
id | | YES | The id is the unique identifier of each Right. It is case sensitive and no special characters (except - or _) are allowed. | - | NO |
category | | YES | Selects the category of the Right. | SYSTEM, APPLICATION, ASSET, FEATURE, ADMINISTRATION | NO |
scope | | YES | Selects the scope of the Right. | GLOBAL, RESOURCE | NO |
description | | NO | Describes the purpose of the Right. | - | YES |
Example
```xml
<ctdidm:Right id="adm.right2">
  <category>ADMINISTRATION</category>
  <scope>GLOBAL</scope>
  <description>Right to Access 1</description>
</ctdidm:Right>
```
Dimensions
Properties
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
key | | YES | The unique key of each dimension. | - |
type | | YES | The type of the dimension. | STRING, BOOLEAN, FLOAT, INTEGER, IDENTITY_REF, ORGANIZATION_REF, RESOURCE_REF, ROLE_REF, ROLE_PUBLICATION_REF |
order | | NO | Indicates the display order of dimensions. If two dimensions have the same priority, their display order is random. | 0, 1, 2, 3, 4... |
forManualProvisioning | | NO | Defines whether the dimension is required for manual provisioning. | true, false |
multivalued | | NO | Indicates whether the dimension can have several values. | true, false |
mandatory | | NO | Indicates whether the dimension is mandatory when assigning the Role. | true, false |
validationRules | | NO | Creates a validation rule for the value of the dimension and associates an error message with it. | - |
normalizationRules | | NO | Normalizes data, i.e. modifies the entered value of the dimension if it does not match the rule. Several normalization rules can be configured. | - |
choicesRule | | NO | Creates a choices list to define the value of the dimension by using: Only if the value type = STRING. | - |
initializationRules | | NO | Defines a dimension value that will be displayed when the requester accesses the role assignment. | - |
displayCondition | - | NO | Defines when the dimension will be displayed or not. Available contexts: | - |
tags | | NO | Defines tag(s) on each dimension. | - |
detail | | NO | Defines whether the dimension should be displayed in the Role Dashboard. | true, false |
Example
```xml
<dimensions>
  <dimension>
    <key>dim1</key>
    <type>STRING</type>
    <order>0</order>
    <forManualProvisioning>false</forManualProvisioning>
    <multivalued>false</multivalued>
    <mandatory>false</mandatory>
    <validationRules/>
    <normalizeRules/>
    <choicesRule class="choicesReferenceTable">
      <config xsi:type="ctdrule:ReferenceTableChoicesConfigurationType">
        <referenceTableId>access-adp-profiles</referenceTableId>
        <columnIndex>0</columnIndex>
        <i18nPrefix>ui.model.dimension.adp.profile.values</i18nPrefix>
      </config>
    </choicesRule>
    <tags/>
    <detail>true</detail>
  </dimension>
</dimensions>
```
Target and Privilege Mappings
A Role defines a set of Rights that will be automatically granted to Identities.
For each bound Right, the following are expected to be valid:
the bound Right
Target
Privilege
Dimensions
The Target Mapping is a mapping used to compute the target on the Right. It is only required for RESOURCE scoped Rights.
The Privilege Mapping is a mapping expression used to compute the privilege on the Right. It is only required for Rights that expect a privilege.
Properties - Value Type
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
targetMapping or privilegeMapping | - | NO | - | |
type | | YES | Defines the type of the mapping. | VALUE |
value | | YES | Explicitly indicates the dimension value. | *, id of the feature, etc. |
Example
```xml
<targetMapping>
  <type>VALUE</type>
  <value>*</value>
</targetMapping>
<targetMapping>
  <type>VALUE</type>
  <value>LDAP%GROUPLDAP</value>
</targetMapping>
```
Properties - Direct type
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
targetMapping or privilegeMapping | - | NO | - | |
type | | YES | Defines the type of the mapping. | DIRECT |
rightDimensionId | | YES | Explicitly indicates the dimension name. | - |
Example
```xml
<targetMapping>
  <type>DIRECT</type>
  <rightDimensionId>target</rightDimensionId>
</targetMapping>
```
Properties - Expression type
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
targetMapping or privilegeMapping | - | NO | - | |
type | | YES | Defines the type of the mapping. | EXPRESSION |
rule | | YES | Explicitly indicates the Groovy rule. | |
rightDimensionId | | YES | Explicitly indicates the dimension name. | - |
Example
```xml
<privilegeMapping>
  <type>EXPRESSION</type>
  <rule>
    <script><![CDATA[
      return "${DIMENSION.sourceDimensions["GroupName"]}"
    ]]></script>
  </rule>
  <rightDimensionId>privilege</rightDimensionId>
</privilegeMapping>
```
Properties - None type
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
targetMapping or privilegeMapping | - | NO | - | |
type | | YES | Defines the type of the mapping. Considered as "exposed". | NONE |
Example
```xml
<targetMapping>
  <type>NONE</type>
</targetMapping>
```
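As an added example (not Memority's own code), a small Python linter that applies the constraints from the Right properties table and the four mapping tables above: the id character set, the category and scope enumerations, the mandatory child of each mapping type, and that a DIRECT or EXPRESSION mapping names a dimension actually declared on the Right. It assumes a placeholder namespace URI for the ctdidm prefix and takes the Right and the mapping as two separate documents, since the page does not show where the mapping element sits inside an export.

```python
import re
import xml.etree.ElementTree as ET

# Allowed values from the property tables on this page. '.' is accepted in ids
# alongside '-' and '_' because the page's own example id is "adm.right2".
ID_RE = re.compile(r"^[A-Za-z0-9._-]+$")
CATEGORIES = {"SYSTEM", "APPLICATION", "ASSET", "FEATURE", "ADMINISTRATION"}
SCOPES = {"GLOBAL", "RESOURCE"}
MAPPING_TYPES = {"VALUE", "DIRECT", "EXPRESSION", "NONE"}

def _text(elem, path):
    return (elem.findtext(path) or "").strip()  # "" when the child is absent

def lint_right(right):
    # Checks the id charset and the category/scope enumerations of one Right.
    problems = []
    if not ID_RE.match(right.get("id") or ""):
        problems.append(f"id {right.get('id')!r}: only letters, digits, '.', '-' and '_' allowed")
    if _text(right, "category") not in CATEGORIES:
        problems.append("category must be one of " + ", ".join(sorted(CATEGORIES)))
    if _text(right, "scope") not in SCOPES:
        problems.append("scope must be GLOBAL or RESOURCE")
    return problems

def lint_mapping(mapping, right):
    # Checks a targetMapping/privilegeMapping against the Right it is bound to.
    kind, mtype = mapping.tag, _text(mapping, "type")
    if mtype not in MAPPING_TYPES:
        return [f"{kind}: unknown type {mtype!r}"]
    problems = []
    if mtype == "VALUE" and not _text(mapping, "value"):
        problems.append(f"{kind}: VALUE mapping needs a <value>")
    if mtype in ("DIRECT", "EXPRESSION"):  # must name a dimension declared on the Right
        keys = {_text(d, "key") for d in right.iter("dimension")}
        if _text(mapping, "rightDimensionId") not in keys:
            problems.append(f"{kind}: rightDimensionId must name a dimension of the Right")
    if mtype == "EXPRESSION" and not _text(mapping, "rule/script"):
        problems.append(f"{kind}: EXPRESSION mapping needs a <rule><script>")
    return problems

def lint(right_xml, mapping_xml):
    # Lints one Right export together with one mapping bound to it; [] means clean.
    right = ET.fromstring(right_xml)
    return lint_right(right) + lint_mapping(ET.fromstring(mapping_xml), right)

# Constructed sample: the page's adm.right2 plus a 'target' dimension (placeholder namespace URI).
RIGHT_XML = """<ctdidm:Right xmlns:ctdidm="urn:placeholder:ctdidm" id="adm.right2">
  <category>ADMINISTRATION</category><scope>GLOBAL</scope>
  <dimensions><dimension><key>target</key><type>STRING</type></dimension></dimensions>
</ctdidm:Right>"""
```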