4.22 Role-Specific Attribute Based Access Control at client level

This section helps an admin set up Role-Specific Attribute Based Access Control at the client level for users, so that they can perform tasks according to the privileges assigned to a role.

  1. Use Case

Attributes are attached at the role level. The target applications use these role attributes to decide which functions to render for the user.

  2. Prerequisites

  • The roles must be defined at the client level so that a role can be requested at registration time.

  • Each role must have at least one sub-role (i.e. it must be a composite role).

  • For every role attribute that is created, a mapper must be created so that the attribute is included in the token.

  • The target application must render its functions based on the role and the role attributes present in the token.

  • SMTP email configuration must be set up.

  3. Configuration

    1. Create a client in the realm. In this example the client iventura-chart is created.

    2. The client iventura-chart has a few roles, as shown below.

Fig 4.22.a: Client roles

    3. Along with those roles, an admin role must be created. For that role, create an attribute named adminEmail. If registration happens at this client level, the configured admin email address is notified.

Fig 4.22.b: Admin Role attribute

    4. Then select the roles and create attributes for each of them, as shown below. Here attributes are added for the DATA_ADMIN role.

Fig 4.22.c: Data admin role attributes

    5. Create a mapper to add the attributes to the token. For that, go to the client (iventura-chart) and open Client scopes -> iventura-chart-dedicated.

Fig 4.22.d: Navigating to Client scopes under client

    6. Then click on "Configure a new mapper" as shown below.

Fig 4.22.e: Configure a new mapper

    7. A modal will appear; select "client role attribute" from the list.

Fig 4.22.f: Select mapper to configure

    8. Fill in the fields as shown below. The Token Claim Name must be configured exactly as shown here: ${client_id}.${role_name}.attributes.${attribute_name}

Fig 4.22.g: Mapper configuration

    9. One mapper must be created for each attribute, as shown below.

Fig 4.22.h: List of custom attributes

    10. Finally, go to the Authentication section, open the Required actions tab, and switch on the client role request as shown below.

Fig 4.22.i: Navigate to Authentication section in side bar, and required actions
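How a target application can consume the claims produced by these mappers, as an added example that is not part of this guide or the product's own code: the token payload below is constructed, the attribute names and values (canExport, maxRows) are invented, the claim names follow the mapper's Token Claim Name pattern ${client_id}.${role_name}.attributes.${attribute_name}, and the code assumes the token signature was already verified by the OIDC library, that Keycloak's standard resource_access claim is present, and that client ids and role names contain no "." character.

```javascript
// Added example (not from the guide): reading role attributes from a decoded
// access token and deciding, deny-by-default, which functions to render.
// Assumptions: signature already verified; resource_access claim present;
// no "." in client ids or role names. Attribute names/values are invented.
const samplePayload = {
  // Keycloak's standard resource_access claim lists the client roles granted.
  resource_access: { "iventura-chart": { roles: ["DATA_ADMIN", "VIEWER"] } },
  "iventura-chart.DATA_ADMIN.attributes.canExport": "true",
  "iventura-chart.DATA_ADMIN.attributes.maxRows": "5000",
  // Attribute claim for a role the token does not grant: must be ignored.
  "iventura-chart.EDITOR.attributes.canExport": "true",
  // Unrelated claim with a similar prefix: must be ignored.
  "iventura-chart.DATA_ADMIN.notattributes.x": "1",
};

// Returns { ROLE: { attributeName: value } } for the given client, keeping
// only attributes of roles that resource_access actually grants.
function roleAttributes(payload, clientId) {
  const access = (payload.resource_access || {})[clientId] || {};
  const granted = new Set(access.roles || []);
  const prefix = clientId + ".";
  const result = {};
  for (const claim of Object.keys(payload)) {
    if (!claim.startsWith(prefix)) continue;
    const m = claim.slice(prefix.length).match(/^([^.]+)\.attributes\.(.+)$/);
    if (!m) continue;
    const role = m[1];
    const attr = m[2];
    if (!granted.has(role)) continue; // attribute without the role: deny
    if (!result[role]) result[role] = {};
    result[role][attr] = String(payload[claim]);
  }
  return result;
}

// Deny-by-default check the UI runs before rendering a function: true only
// when the role is granted and the attribute has the expected value.
function canRender(payload, clientId, role, attr, expected) {
  const want = expected === undefined ? "true" : expected;
  const attrs = roleAttributes(payload, clientId);
  return Boolean(attrs[role]) && attrs[role][attr] === want;
}

console.log(roleAttributes(samplePayload, "iventura-chart"));
console.log(canRender(samplePayload, "iventura-chart", "DATA_ADMIN", "canExport")); // true
console.log(canRender(samplePayload, "iventura-chart", "EDITOR", "canExport")); // false
```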
