search

4.23 Role-Specific Attribute Based Access Control at client level

This section helps admin step-up Role-Specific Attribute Based Access Control at client level for user, in order for them to perform tasks as per the privileged assigned to a role.

  1. hashtag
    Use Case

At the role level we have attributes, these role attributes are used to render the few functions in the target applications.

  1. Prerequisites

  • The roles need to be at the client level for requesting the role at registration time.

  • The role need to have at least one sub role (i.e composite role)

  • If role attributes are creating, mapper need to create for that attribute, to those attributes in the token

  • Based upon the role attributes and role, target application need to render

  • SMTP email configuration need to be configured

  1. Configuration

    1. Create a client at realm, for example here iventura-chart client is created

    2. Client iventura-chart is having few role like below

Fig 4.22.a: Client roles

  1. Along with those roles, admin role need to be created. For that role create an attribute adminEmail . If registration is happening at this client level, the configured admin email will get notified.

Fig 4.22.b: Admin Role attribute

  1. Then select the roles and create attributes for that role like below. Here attributes are added for the DATA_ADMIN role.

Fig 4.22.c: Data admin role attributes

  1. Create a mapper to add the attributes in the token. For that go for client (iventura-chart) and client scopes -> iventura-chart-dedicated.

Fig 4.22.d: Navigating to Client scopes under client

  1. Then click on configure an new mapper as shown below

    Fig 4.22.e: Configure a new mapper

  2. One model will appear, then select client role attribute from those

    Fig 4.22.f: Select mapper to configure

  3. Fill ip the fields like below, here Token Claim Name need to configure exactly like here how configured ${client_id}.${role_name}.attributes.${attribute_name}

Fig 4.22.g: Mapper configuration

  1. How many attributes are there that many mappers need to create like below

    Fig 4.22.h: List of custom attributes

  2. At last go to the authentication section, then to required actions tab, switch on the client role request like below.

    Fig 4.22.i: Navigate to Authentication section in side bar, and required actions

Previous4.22 Setup Archive Inactive User featureNext4.24 Self-Role Request at the Business Level

Last updated