13.4.2. access.js

This file defines the access configuration for HTTP requests and references the methods defined in router-authz.js. Each entry in the configuration contains a pattern to match against the incoming request ID, and the associated roles, methods, and actions that are allowed for requests on that pattern.

The following sample configuration entry indicates the configurable parameters and their purpose.

        {
            "pattern"        : "*",
            "roles"          : "openidm-admin",
            "methods"        : "*", // default to all methods allowed
            "actions"        : "*", // default to all actions allowed
            "customAuthz"    : "disallowQueryExpression()",
            "excludePatterns": "system/*"
        },

The overall intention of this entry is to allow users with the role openidm-admin HTTP access to everything except the system endpoints. The parameters are as follows:

  • "pattern" - the REST endpoint to which access is being controlled. "*" indicates access to all endpoints. "managed/user/*" would indicate access to all managed user objects.

  • "roles" - a comma-separated list of the roles to which this access configuration applies.

  • "methods" - a comma separated list of the methods to which access is being granted. The method can be one or more of create, read, update, delete, patch, action, query. A value of "*" indicates that all methods are allowed. A value of "" indicates that no methods are allowed.

  • "actions" - a comma separated list of the allowed actions. The possible values depend on the service (URL) that is being exposed. The following list indicates the possible actions for each service.

    openidm/managed - patch
    openidm/recon - recon, cancel
    openidm/sync - onCreate, onUpdate, onDelete, recon, performAction
    openidm/external/email - (no action parameter applies)
    openidm/external/rest - (no action parameter applies)
    openidm/authentication - reauthenticate
    openidm/system - createconfiguration
    openidm/system/* - script
    openidm/taskscanner - execute, cancel
    openidm/workflow/processinstance - (no action parameter applies)
    openidm/workflow/taskinstance - claim, complete

    A value of "*" indicates that all actions exposed for that service are allowed. A value of "" indicates that no actions are allowed.

  • "customAuthz" - an optional parameter that enables you to specify a custom function for additional authorization checks. These functions are defined in router-authz.js .

    The allowedPropertiesForManagedUser variable, declared at the beginning of the file, enables you to create a white list of attributes that users may modify on their own accounts.

  • "excludePatterns" - an optional parameter that enables you to specify particular endpoints to which access should not be given.