Update fine-grain.adoc

Observed a few changes, suggesting the same. Kindly check.
This commit is contained in:
PoojaChandak 2020-08-23 13:16:02 +05:30 committed by Stian Thorgersen
parent 865dd55f04
commit 43dbad7cfc


@ -14,13 +14,13 @@ and assign restricted access policies for managing a realm. Things like:
* Managing users that belong to a specific group * Managing users that belong to a specific group
* Managing membership of a group * Managing membership of a group
* Limited user management. * Limited user management.
* Fine grain impersonization control * Fine grain impersonation control
* Being able to assign a specific restricted set of roles to users. * Being able to assign a specific restricted set of roles to users.
* Being able to assign a specific restricted set of roles to a composite role. * Being able to assign a specific restricted set of roles to a composite role.
* Being able to assign a specific restricted set of roles to a client's scope. * Being able to assign a specific restricted set of roles to a client's scope.
* New general policies for viewing and managing users, groups, roles, and clients. * New general policies for viewing and managing users, groups, roles, and clients.
There's some important things to note about fine grain admin permissions: There are some important things to note about fine grain admin permissions:
* Fine grain admin permissions were implemented on top of link:{authorizationguide_link}[Authorization Services]. It is highly recommended that you read up on those features before diving into fine grain permissions. * Fine grain admin permissions were implemented on top of link:{authorizationguide_link}[Authorization Services]. It is highly recommended that you read up on those features before diving into fine grain permissions.
* Fine grain permissions are only available within <<_per_realm_admin_permissions, dedicated admin consoles>> and admins defined within those realms. You cannot define cross-realm fine grain permissions. * Fine grain permissions are only available within <<_per_realm_admin_permissions, dedicated admin consoles>> and admins defined within those realms. You cannot define cross-realm fine grain permissions.
@ -30,8 +30,8 @@ There's some important things to note about fine grain admin permissions:
==== Managing One Specific Client ==== Managing One Specific Client
Let's look first at allowing Let's look first at allowing
an admin to manage one client and one client only. In our example we have a realm an admin to manage one client and one client only. In our example, we have a realm
called `test` and a client called `sales-application`. In realm `test` we will give a called `test` and a client called `sales-application`. In the realm `test` we will give a
user in that realm permission to only manage that application. user in that realm permission to only manage that application.
IMPORTANT: You cannot do cross realm fine grain permissions. Admins in the `master` realm are limited to the predefined admin roles defined in previous chapters. IMPORTANT: You cannot do cross realm fine grain permissions. Admins in the `master` realm are limited to the predefined admin roles defined in previous chapters.
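
Review bot: the IMPORTANT line at the end of this hunk still reads `cross realm fine grain permissions`, while the bullet edited in the first hunk reads `cross-realm fine grain permissions`; since this hunk already touches the paragraph directly above it, hyphenate it here as well (`You cannot do cross-realm fine grain permissions.`) so the two statements of the same constraint match.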
@ -39,7 +39,7 @@ IMPORTANT: You cannot do cross realm fine grain permissions. Admins in the `mas
===== Permission Setup ===== Permission Setup
The first thing we must do is login to the Admin Console so we can set up permissions for that client. We navigate to the management section The first thing we must do is login to the Admin Console so we can set up permissions for that client. We navigate to the management section
of the client we want to define fine-grain permissions for. of the client, we want to define fine-grain permissions for.
.Client Management .Client Management
image:{project_images}/fine-grain-client.png[] image:{project_images}/fine-grain-client.png[]
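
Review bot: the comma added in `of the client, we want to define fine-grain permissions for.` changes the meaning and should be dropped. `the client we want to define fine-grain permissions for` is a restrictive relative clause that identifies which client's management section to open; with the comma the sentence splits into two clauses and no longer says which client. Keep the original wording, or reword to `of the client for which we want to define fine-grain permissions.` While here, `login to the Admin Console` on the preceding line should be `log in to the Admin Console` (`login` is the noun).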
@ -77,7 +77,7 @@ rules in JavaScript. For this simple example, we're going to create a `User Pol
.User Policy .User Policy
image:{project_images}/fine-grain-client-user-policy.png[] image:{project_images}/fine-grain-client-user-policy.png[]
This policy will match a hard-coded user in the user database. In this case it is the `sales-admin` user. We must then go back to the This policy will match a hard-coded user in the user database. In this case, it is the `sales-admin` user. We must then go back to the
`sales-application` client's `manage` permission page and assign the policy to the permission object. `sales-application` client's `manage` permission page and assign the policy to the permission object.
.Assign User Policy .Assign User Policy
@ -100,7 +100,7 @@ IMPORTANT If you do not set the `query-clients` role, restricted admins like `sa
===== Testing It Out. ===== Testing It Out.
Next we log out of the master realm and re-login to the <<_per_realm_admin_permissions, dedicated admin console>> for the `test` realm Next, we log out of the master realm and re-login to the <<_per_realm_admin_permissions, dedicated admin console>> for the `test` realm
using the `sales-admin` as a username. This is located under `/auth/admin/test/console`. using the `sales-admin` as a username. This is located under `/auth/admin/test/console`.
.Sales Admin Login .Sales Admin Login
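
Review bot: the context shown in this hunk's header, `IMPORTANT If you do not set the `query-clients` role, ...`, is missing the colon after IMPORTANT, so AsciiDoc renders it as an ordinary paragraph instead of an admonition; since this hunk edits the lines immediately below it, change it to `IMPORTANT: If you do not set ...` to match the admonition earlier in the file (`IMPORTANT: You cannot do cross realm ...`). Also, `re-login to the ... dedicated admin console` should be `log back in to the ...` for the same noun/verb reason.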
@ -110,9 +110,9 @@ This admin is now able to manage this one client.
==== Restrict User Role Mapping ==== Restrict User Role Mapping
Another thing you might want to do is to restrict the set a roles an admin is allowed Another thing you might want to do is to restrict the set roles an admin is allowed
to assign to a user. Continuing our last example, let's expand the permission set of the 'sales-admin' to assign to a user. Continuing our last example, let's expand the permission set of the 'sales-admin'
user so that he can also control which users are allowed to access this application. Through fine grain permissions we can user so that he can also control which users are allowed to access this application. Through fine grain permissions, we can
enable it so that the `sales-admin` can only assign roles that grant specific access to enable it so that the `sales-admin` can only assign roles that grant specific access to
the `sales-application`. We can also restrict it so that the admin can only map roles the `sales-application`. We can also restrict it so that the admin can only map roles
and not perform any other types of user administration. and not perform any other types of user administration.
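
Review bot: the edit `restrict the set roles an admin is allowed to assign` removes the wrong word: the original `the set a roles` is a typo for `the set of roles`, so the line should read `restrict the set of roles an admin is allowed to assign to a user.` On the next line, `'sales-admin'` is in single quotes while every other mention of that user in the file uses backticks (`sales-admin`); make it consistent while this hunk is open.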
@ -164,12 +164,12 @@ image:{project_images}/fine-grain-add-view-users.png[]
===== Testing It Out. ===== Testing It Out.
Next we log out of the master realm and re-login to the <<_per_realm_admin_permissions, dedicated admin console>> for the `test` realm Next, we log out of the master realm and re-login to the <<_per_realm_admin_permissions, dedicated admin console>> for the `test` realm
using the `sales-admin` as a username. This is located under `/auth/admin/test/console`. using the `sales-admin` as a username. This is located under `/auth/admin/test/console`.
You will see that now the `sales-admin` can view users in the system. If you select one of the You will see that now the `sales-admin` can view users in the system. If you select one of the
users you'll see that each user detail page is read only, except for the `Role Mappings` tab. users you'll see that each user detail page is read only, except for the `Role Mappings` tab.
Going to these tab you'll find that there are no `Available` roles for the admin to Going to this tab you'll find that there are no `Available` roles for the admin to
map to the user except when we browse the `sales-application` roles. map to the user except when we browse the `sales-application` roles.
.Add viewLeads .Add viewLeads
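
Review bot: `re-login to the ... dedicated admin console` in the first changed line of this hunk has the same noun-used-as-verb problem as the earlier Testing section and should be `log back in to the ...`; both Testing sections use identical wording, so fix them the same way.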
@ -187,7 +187,7 @@ by a client. If we log back into the admin console to our master realm admin an
.Client map-roles Permission .Client map-roles Permission
image:{project_images}/fine-grain-client-permissions-tab-on.png[] image:{project_images}/fine-grain-client-permissions-tab-on.png[]
If you grant access to this particular parmission to an admin, that admin will be able If you grant access to this particular permission to an admin, that admin will be able
map any role defined by the client. map any role defined by the client.
==== Full List of Permissions ==== Full List of Permissions
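
Review bot: the `parmission` to `permission` fix is correct, but the same sentence is still missing a word on the following line: `that admin will be able map any role defined by the client` should be `able to map any role`. Since the hunk already touches this sentence, fix both together.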
@ -208,7 +208,7 @@ map-role::
role mapping permissions. See <<_users-permissions, Users Permissions>> for more information. role mapping permissions. See <<_users-permissions, Users Permissions>> for more information.
map-role-composite:: map-role-composite::
Policies that decide if an admin can map this role as a composite to another role. Policies that decide if an admin can map this role as a composite to another role.
An admin can define roles for a client if he has manage permissions for that client An admin can define roles for a client if he has to manage permissions for that client
but he will not be able to add composites to those roles unless he has the but he will not be able to add composites to those roles unless he has the
`map-role-composite` privileges for the role he wants to add as a composite. `map-role-composite` privileges for the role he wants to add as a composite.
map-role-client-scope:: map-role-client-scope::
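
Review bot: the change `if he has to manage permissions for that client` is wrong and should be reverted. `manage` here is the name of the client permission scope listed later under Full List of Permissions (`manage::`), and `has manage permissions` means the admin holds that scope, not that he is obliged to manage something. Restore the original wording, ideally with the scope name in backticks so the same misreading does not recur: `An admin can define roles for a client if he has `manage` permissions for that client`. The point the sentence makes matters: `manage` on the client lets the admin define roles, but it does not grant `map-role-composite` on the roles he wants to add as composites.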
@ -226,18 +226,18 @@ view::
Policies that decide if an admin can view the client's configuration. Policies that decide if an admin can view the client's configuration.
manage:: manage::
Policies that decide if an admin can view and manage the client's configuration. Policies that decide if an admin can view and manage the client's configuration.
There is some issues with this in that privileges could be leaked unintentionally. There are some issues with this in that privileges could be leaked unintentionally.
For example, the admin could define a protocol mapper that hardcoded a role For example, the admin could define a protocol mapper that hardcoded a role
even if the admin does not have privileges to map the role to the client's scope. even if the admin does not have privileges to map the role to the client's scope.
This is currently the limitation of protocol mappers as they don't have a way This is currently the limitation of protocol mappers as they don't have a way
to assign individual permissions to them like roles do. to assign individual permissions to them like roles do.
configure:: configure::
Reduced set of prileges to manage the client. Its like the `manage` scope except Reduced set of privileges to manage the client. It is like the `manage` scope except
the admin is not allowed to define protocol mappers, change the client template, the admin is not allowed to define protocol mappers, change the client template,
or the client's scope. or the client's scope.
map-roles:: map-roles::
Policies that decide if an admin can map any role defined by the client to a user. Policies that decide if an admin can map any role defined by the client to a user.
This is a shortcut, easy-of-use feature to avoid having to defin policies This is a shortcut, easy-of-use feature to avoid having to define policies
for each and every role defined by the client. for each and every role defined by the client.
map-roles-composite:: map-roles-composite::
Policies that decide if an admin can map any role defined by the client Policies that decide if an admin can map any role defined by the client
@ -260,7 +260,7 @@ view::
Policies that decide if an admin can view all users in the realm. Policies that decide if an admin can view all users in the realm.
manage:: manage::
Policies that decide if an admin can manage all users in the realm. This Policies that decide if an admin can manage all users in the realm. This
permission grants the admin the privilege to perfor user role mappings, but permission grants the admin the privilege to perform user role mappings, but
it does not specify which roles the admin is allowed to map. You'll need to it does not specify which roles the admin is allowed to map. You'll need to
define the privilege for each role you want the admin to be able to map. define the privilege for each role you want the admin to be able to map.
map-roles:: map-roles::
@ -302,29 +302,3 @@ manage-membership::
remove members from the group. remove members from the group.
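
Review bot: the hunk header `@ -302,29 +302,3 @@` says this hunk turns 29 lines into 3, i.e. 26 lines are deleted from the end of the file after `remove members from the group.`, yet the only line shown is unchanged context and the commit message describes nothing but wording fixes. Please confirm what those 26 lines were and whether removing them is intended; if the deletion is accidental, restore them, and if it is deliberate, say so in the commit message.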