With ABAC, a customer's access might depend on which account he transfers from, which account he transfers to and what amount he is transferring; it might even depend on his daily limit, in which case it depends on his previous actions during the day.

DataPolicyEntry: ScriptAuthorization

Below is a small example configuration for the Config Based Authorization Plugin with a small ACL; it adds a DataPolicyEntry instance, namely the ScriptAuthorization, to the ACL.

Code Block
<property name="acl.1" value="sample;execute=pp_everyone;write=staff,admin" description="Sample ACL definition"/>
<property name="acl.json.1" value='{"expectedaccount": "12345"}' description="Attach policy information to this ACL"/>
<property name="acl.script.1" value="%{script}if (context.hasGroupMembership() &amp;&amp; context.user.getStateVariable('account') == claim.get('expectedaccount'))
    true;
else
    false;" description="Attach a datapolicy script to this ACL"/>

Here the ACL named sample is defined: everyone has execute access, but only the admin and staff roles have write access.

In addition to the role check, this ACL entry has both a JSON document with policy data and a script attached. The script is executed when the policy is evaluated.

The script is called with two variables initialized: context, which is an instance of the ScriptContext object, and claim, which retrieves individual attributes from the attached JSON policy data.

This is the object the script has access to. The script must return true, false or null, depending on whether it grants, denies or abstains from granting access.

Code Block: ScriptContext
public class ScriptContext {
	/** Script results as strings: "true" grants, "false" denies, "null" abstains. */
	public static final String RESULT_GRANTED = "true";
	public static final String RESULT_DENIED = "false";
	public static final String RESULT_ABSTAIN = "null";
	
	/** Agent instance */
	public IAgent agent;
	/** Session ID */
	public String id;
	/** Data Context */
	public IDataContext context;
	/** ACL entry */
	public ACLEntry ae;
	/** Data Policy Entry */
	public DataPolicyEntry dpe;
	/** Permission Entry */
	public PermissionEntry pe;
	/** Group name */
	public String group;
	/** Data */
	public Object data;

	/** True if the session (id) is a member of the group currently being evaluated. */
	public boolean hasGroupMembership() throws PTException {
		return agent.isMemberOfGroup(id, group);
	}
}
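To show how the ACL configuration and the ScriptContext above fit together, here is an added, self-contained simulation of the policy evaluation (example code, not the plugin's own). The session table, makeContext, makeClaim, evaluatePolicy and the combination rule in decide are assumptions made for the demo.

```javascript
// Added example, not the product's own code: simulates evaluating acl.script.1.
// makeContext, makeClaim, evaluatePolicy, decide and SESSIONS are assumptions.
// Constructed ACL mirroring acl.1 / acl.json.1 / acl.script.1 (without the %{script} prefix).
const SAMPLE_ACL = {
  name: 'sample',
  write: ['staff', 'admin'],
  json: { expectedaccount: '12345' },
  script: `if (context.hasGroupMembership() && context.user.getStateVariable('account') == claim.get('expectedaccount'))
    true;
else
    false;`,
};
// Constructed sessions: group memberships and per-session state variables.
const SESSIONS = {
  'sess-a': { groups: ['staff'], state: { account: '12345' } },
  'sess-b': { groups: ['staff'], state: { account: '99999' } },
  'sess-c': { groups: ['admin'], state: { account: '12345' } },
};

// The `context` variable the script sees (shape assumed from ScriptContext above).
function makeContext(sessionId, group) {
  const s = SESSIONS[sessionId];
  return {
    group,
    hasGroupMembership() { return s.groups.includes(group); },
    user: { getStateVariable: (k) => s.state[k] },
  };
}
// The `claim` variable: attribute lookup over the ACL's attached JSON policy data.
function makeClaim(json) {
  return { get: (k) => (Object.prototype.hasOwnProperty.call(json, k) ? json[k] : null) };
}

// Runs the script with context/claim in scope; the completion value is the decision:
// true = grant, false = deny, null = abstain (anything else is treated as abstain).
function evaluatePolicy(acl, sessionId, group) {
  const run = new Function('context', 'claim', 'src', 'return eval(src);');
  const r = run(makeContext(sessionId, group), makeClaim(acl.json), acl.script);
  return r === true || r === false ? r : null;
}

// Assumed combination rule: walk the groups that hold the permission; a grant or
// deny from the script is final, an abstain falls back to plain group membership.
function decide(acl, sessionId, permission) {
  for (const group of acl[permission] || []) {
    const r = evaluatePolicy(acl, sessionId, group);
    if (r !== null) return r ? 'GRANTED' : 'DENIED';
    if (makeContext(sessionId, group).hasGroupMembership()) return 'GRANTED';
  }
  return 'DENIED';
}
```

Note that the sample script answers false, not null, when the membership test fails, so sess-c (an admin with the expected account) is denied at the staff step before admin is ever checked; a script that only wants to add an attribute condition should abstain (return null) when the group does not apply.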