Role-Specific Attribute Based Access Control at client level

This section helps admin step-up Role-Specific Attribute Based Access Control at client level for user, in order for them to perform tasks as per the privileged assigned to a role.

1. Use Case

At the role level we have attributes, these role attributes are used to render the few functions in the target applications.

1. Prerequisites

• The roles need to be at the client level for requesting the role at registration time.

• The role need to have at least one sub role (i.e composite role)

• If role attributes are creating, mapper need to create for that attribute, to those attributes in the token

• Based upon the role attributes and role, target application need to render

• SMTP email configuration need to be configured

1. Configuration

   1. Create a client at realm, for example here iventura-chart client is created

   2. Client iventura-chart is having few role like below

1. Along with those roles, admin role need to be created. For that role create an attribute adminEmail . If registration is happening at this client level, the configured admin email will get notified.

1. Then select the roles and create attributes for that role like below. Here attributes are added for the DATA_ADMIN role.

1. Create a mapper to add the attributes in the token. For that go for client (iventura-chart) and client scopes -> iventura-chart-dedicated.

1. Then click on configure an new mapper as shown below
2. One model will appear, then select client role attribute from those
3. Fill ip the fields like below, here Token Claim Name need to configure exactly like here how configured ${client_id}.${role_name}.attributes.${attribute_name}

1. How many attributes are there that many mappers need to create like below
2. At last go to the authentication section, then to required actions tab, switch on the client role request like below.