[midPoint] roles, objects and permissions in midPoint

Radovan Semancik radovan.semancik at evolveum.com
Mon Apr 13 08:41:20 CEST 2015


Hi,

The crucial issue here is that midPoint is not an authorization server. 
MidPoint is a provisioning system. Therefore the primary goal of roles 
in midPoint is to manage access control mechanisms in other systems (e.g. 
LDAP groups, SAP roles, etc.). MidPoint is NOT designed to make access 
control decisions for other systems.

Side note: midPoint is not designed to make access control decisions for 
other systems. But it is designed to make access control decisions for 
its own data structures. And it does that well. Which perhaps caused 
this confusion. And this brings a simple answer to your first question: 
an object in midPoint is in fact any midPoint object (resource, role, org, 
user, etc.). But it has to be a midPoint object. It cannot be an external 
object. It also does not make much sense for midPoint to act as an 
authorization server for other systems directly. Provisioning systems 
are quite complex and therefore they have performance limits. It is best 
to keep provisioning systems doing what they do best: managing data. And 
let other systems store, replicate and provide the data, e.g. 
directory servers.

If you want to make access control decisions for other systems, then you 
need to add an authorization server to your IAM solution (see 
https://wiki.evolveum.com/display/midPoint/Enterprise+Identity+Management). 
If your case is simple then any LDAP server could play this role. Just 
express the authorization statements in an LDAP attribute, e.g. in a form:

dn: uid=foo,ou=people,dc=example,dc=com
...
myAutz: server1:read:data
myAutz: server1:modify:report
myAutz: server2:read:report

In this simple case your applications can act as policy enforcement 
points. E.g. they will check the value of the myAutz attribute and decide if 
the user is authorized or not. And midPoint can manage this attribute. 
E.g. there may be a midPoint role "Report administrator" that will set 
the value "*:modify:report" in the myAutz attribute.

The LDAP directory will add performance and reliability to the solution. 
MidPoint will add manageability (e.g. who has permission to assign 
"Report administrator" role? and to whom? for how long? who has to 
approve?). This is the usual way IAM systems are built. Simple, but 
efficient.

If you need something more complex, then your best chance is to look for 
a full-blown authorization system and add that to the solution as well. 
E.g. Apache Fortress might be a good choice:
https://directory.apache.org/fortress/

-- 

Radovan Semancik
Software Architect
evolveum.com
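As an added illustration (not code from the thread, from midPoint or from Evolveum), here is how an application acting as a policy enforcement point could evaluate the myAutz values shown above, including the wildcard value a "Report administrator" role would set. The server:operation:object layout and the bare "*" wildcard are taken from the mail; the parsing rules, the default-deny behaviour and the sample entry are assumptions.

```python
from __future__ import annotations
from typing import Iterable

# Constructed sample entry: the myAutz values quoted in the mail plus the
# wildcard value the "Report administrator" role would add.
SAMPLE_ENTRY = {
    "dn": "uid=foo,ou=people,dc=example,dc=com",
    "myAutz": [
        "server1:read:data",
        "server1:modify:report",
        "server2:read:report",
        "*:modify:report",
    ],
}


def parse_autz(value: str) -> tuple[str, str, str] | None:
    """Split one myAutz value into (server, operation, object).

    Malformed values (wrong field count, empty fields) are ignored rather
    than guessed at: a statement the PEP cannot parse must never grant.
    """
    parts = value.strip().split(":")
    if len(parts) != 3 or any(not p for p in parts):
        return None
    return parts[0], parts[1], parts[2]


def _field_matches(pattern: str, actual: str) -> bool:
    # Only a bare "*" is a wildcard; anything else is compared literally,
    # so "ser*" does not match "server1".
    return pattern == "*" or pattern == actual


def is_authorized(autz_values: Iterable[str], server: str,
                  operation: str, obj: str) -> bool:
    """Default-deny check: grant only if some well-formed statement
    matches all three fields of the requested (server, operation, object)."""
    for value in autz_values:
        parsed = parse_autz(value)
        if parsed is None:
            continue
        p_server, p_op, p_obj = parsed
        if (_field_matches(p_server, server)
                and _field_matches(p_op, operation)
                and _field_matches(p_obj, obj)):
            return True
    return False


def decide(entry: dict, server: str, operation: str, obj: str) -> bool:
    """PEP entry point: read myAutz from an LDAP entry and decide."""
    return is_authorized(entry.get("myAutz", []), server, operation, obj)
```

In a real deployment the entry would come from an LDAP search on the authenticated user's DN; the decision logic stays the same.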



On 04/10/2015 04:37 PM, Oleksandr Bodriagov (Polystar) wrote:
>
> Hi,
>
>
> I have a question about roles, permissions, and objects in midPoint. 
> According to NIST, “a role is essentially a collection of 
> permissions”, and permissions are relationships between operations and 
> objects. MidPoint gives the ability to define users, roles, and resources. 
> It is not clear though how to define objects.
>
> Our use case is as follows. We have a few RESTful web services to 
> which we would like to control access using midpoint and our own 
> access control server. Our permissions in this case would be something 
> like:
>
>   - read data from https://server1.com/whateever
>
>   - modify report at https://server2.com/profile/whatever
>
>   - read report at https://server2.com/profile/whatever
>
> So, we have operations {read, modify, delete, …} and objects 
> {https://server1.com/whateever, https://server2.com/profile/whatever, 
> …}. We do not want midpoint to retrieve any information out of server1 
> or server2 whatsoever. Let’s say that server1 and server2 contain 
> only financial information. Our access control server receives a 
> question if a user is allowed to perform some operation over some 
> object. To answer this question the server should get the user's 
> permissions from midPoint using its REST API. We have set up a midPoint 
> server with an embedded database. We have added users and roles, but 
> we have no idea how to add our objects (simple URLs). There is a 
> notion of Resource in midPoint. It seems that resources are only used 
> for propagation of users and roles from external databases or 
> directories. Consequently, a resource is not the same as an RBAC object.
>
>
> How should RBAC permission and objects be defined? Thank you in 
> advance for your help.
>
>
> Best regards,
>
> Alex
>

