Role-based access control
Onegini Customer Service allows granular access control to user fields and actions. This functionality does not override the USERS_ALL group, but adds the ability to create new groups with granular permissions. A user can be a member of multiple groups, and if one of those is USERS_ALL, then all access to users is granted.
Assigning users to groups
Assigning users to groups is discussed in the SAML and LDAP chapters.
Assigning permissions to groups
To assign permissions to groups, the following environment variables can be configured:
Property | Example | Description |
---|---|---|
AUTHZ_ROLEPERMITSONUSER_customgroup_ACTIONS | BLOCK,UNBLOCK | Actions that users in customgroup are allowed to perform. |
AUTHZ_ROLEPERMITSONUSER_customgroup_FIELDS_CREATE | CUSTOM_ATTRIBUTE.custom1,CUSTOM_ATTRIBUTE.custom2 | Fields that users in customgroup are allowed to create |
AUTHZ_ROLEPERMITSONUSER_customgroup_FIELDS_READ | EMAIL_ADDRESS,CUSTOM_ATTRIBUTE.custom1 | Fields that users in customgroup are allowed to read |
AUTHZ_ROLEPERMITSONUSER_customgroup_FIELDS_UPDATE | EMAIL_ADDRESS,CUSTOM_ATTRIBUTE.custom1 | Fields that users in customgroup are allowed to update |
AUTHZ_ROLEPERMITSONUSER_customgroup_FIELDS_DELETE | CUSTOM_ATTRIBUTE.custom1,CUSTOM_ATTRIBUTE.custom2 | Fields that users in customgroup are allowed to delete |
All properties are multi-value properties: separate the values with a comma.
Action permissions
The following action permissions can be granted:
- CREATE
- INVITE
- BLOCK
- UNBLOCK
- RESET_PASSWORD
- DELETE_USER
- DECOUPLE_IDENTITY
- RESEND_EMAIL_VERIFICATION
- DELETE_DEVICE
- VERIFY_DEVICE
Field permissions
The following field permissions can be granted:
- EMAIL_ADDRESS: read and update
- PHONE_NUMBER: read and update
- DATE_OF_BIRTH: read and update
- DISPLAY_NAME: only read
- PREFERRED_LOCALE: only read
- GENDER: only read
- ADDRESSES: only read
- EXTERNAL_ATTRIBUTES (all external attributes): only read
Custom attributes
Custom attributes can be granted the full gamut of Create, Read, Update and Delete permissions. To grant the permissions, prefix the custom attribute name with CUSTOM_ATTRIBUTE. (the prefix includes the trailing dot) before adding it to the list. So to grant create permission on the custom1 custom attribute, you'd add CUSTOM_ATTRIBUTE.custom1 to the AUTHZ_ROLEPERMITSONUSER_customgroup_FIELDS_CREATE list.
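As an added example (not Onegini's own code), the following Python script shows how the AUTHZ_ROLEPERMITSONUSER_* variables from the table above and the CUSTOM_ATTRIBUTE. prefix for custom attributes fit together: it parses a constructed set of environment variables for two assumed groups (helpdesk and auditor), checks every grant against the action and field lists documented on this page (flagging an UPDATE grant on a read-only field such as DISPLAY_NAME, and a custom attribute listed without its prefix), and evaluates the effective permission of a user who belongs to several groups. The USERS_ALL rule is taken from the text; treating a user's other groups as a union of their grants is an assumption, and the checker models the documented constraints rather than reproducing how the product enforces them.

```python
import os
import re
from typing import Dict, List, Set

# Constructed example, not Onegini's code. The lists below are copied from the documentation above.
ACTIONS = {
    "CREATE", "INVITE", "BLOCK", "UNBLOCK", "RESET_PASSWORD", "DELETE_USER",
    "DECOUPLE_IDENTITY", "RESEND_EMAIL_VERIFICATION", "DELETE_DEVICE", "VERIFY_DEVICE",
}
# Built-in fields and the operations the documentation says can be granted on them.
BUILTIN_FIELDS = {
    "EMAIL_ADDRESS": {"READ", "UPDATE"},
    "PHONE_NUMBER": {"READ", "UPDATE"},
    "DATE_OF_BIRTH": {"READ", "UPDATE"},
    "DISPLAY_NAME": {"READ"},
    "PREFERRED_LOCALE": {"READ"},
    "GENDER": {"READ"},
    "ADDRESSES": {"READ"},
    "EXTERNAL_ATTRIBUTES": {"READ"},
}
CUSTOM_PREFIX = "CUSTOM_ATTRIBUTE."  # custom attributes support CREATE/READ/UPDATE/DELETE

# Group names may contain underscores, so the permission kind is matched at the end of the name.
VAR_RE = re.compile(
    r"^AUTHZ_ROLEPERMITSONUSER_(?P<group>.+?)_(?P<kind>ACTIONS|FIELDS_(?:CREATE|READ|UPDATE|DELETE))$"
)

# Constructed sample environment (assumed group names "helpdesk" and "auditor").
SAMPLE_ENV = {
    "AUTHZ_ROLEPERMITSONUSER_helpdesk_ACTIONS": "BLOCK,UNBLOCK,RESET_PASSWORD",
    "AUTHZ_ROLEPERMITSONUSER_helpdesk_FIELDS_READ": "EMAIL_ADDRESS,DISPLAY_NAME,CUSTOM_ATTRIBUTE.custom1",
    "AUTHZ_ROLEPERMITSONUSER_helpdesk_FIELDS_UPDATE": "EMAIL_ADDRESS, DISPLAY_NAME",  # DISPLAY_NAME is read-only
    "AUTHZ_ROLEPERMITSONUSER_helpdesk_FIELDS_CREATE": "CUSTOM_ATTRIBUTE.custom1,custom2",  # custom2 lacks the prefix
    "AUTHZ_ROLEPERMITSONUSER_auditor_FIELDS_READ": "EMAIL_ADDRESS,PHONE_NUMBER",
    "UNRELATED_SETTING": "ignored",
}


def _split(value: str) -> Set[str]:
    """Multi-value properties are comma separated; tolerate stray whitespace."""
    return {v.strip() for v in value.split(",") if v.strip()}


def parse_permits(env: Dict[str, str]) -> Dict[str, Dict[str, Set[str]]]:
    """Return {group: {kind: set(values)}} built from AUTHZ_ROLEPERMITSONUSER_* variables."""
    permits: Dict[str, Dict[str, Set[str]]] = {}
    for name, value in env.items():
        m = VAR_RE.match(name)
        if m:
            permits.setdefault(m.group("group"), {})[m.group("kind")] = _split(value)
    return permits


def validate(permits: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """List grants the documentation says cannot be made, so a deployment can fail early."""
    problems: List[str] = []
    for group, kinds in permits.items():
        for kind, values in kinds.items():
            if kind == "ACTIONS":
                problems += [f"{group}: unknown action {a}" for a in sorted(values - ACTIONS)]
                continue
            op = kind[len("FIELDS_"):]  # CREATE / READ / UPDATE / DELETE
            for field in sorted(values):
                if field.startswith(CUSTOM_PREFIX):
                    if field == CUSTOM_PREFIX:
                        problems.append(f"{group}: empty custom attribute name in {kind}")
                    continue  # any CREATE/READ/UPDATE/DELETE grant is valid on a custom attribute
                allowed = BUILTIN_FIELDS.get(field)
                if allowed is None:
                    problems.append(f"{group}: unknown field {field} in {kind} "
                                    f"(custom attributes need the {CUSTOM_PREFIX} prefix)")
                elif op not in allowed:
                    problems.append(f"{group}: {op} cannot be granted on {field} "
                                    f"(supports {', '.join(sorted(allowed))} only)")
    return problems


def may(permits: Dict[str, Dict[str, Set[str]]], groups, kind: str, item: str) -> bool:
    """Effective permission for a user who is a member of `groups`.

    USERS_ALL grants all access (stated in the docs); for other groups the user's
    grants are modelled as the union of the groups' grants (an assumption).
    """
    if "USERS_ALL" in groups:
        return True
    return any(item in permits.get(g, {}).get(kind, set()) for g in groups)


if __name__ == "__main__":
    # Use the real process environment when one is present, otherwise the constructed sample.
    env = {k: v for k, v in os.environ.items() if k.startswith("AUTHZ_ROLEPERMITSONUSER_")} or SAMPLE_ENV
    permits = parse_permits(env)
    for problem in validate(permits):
        print("config problem:", problem)
    print("helpdesk may BLOCK:", may(permits, ["helpdesk"], "ACTIONS", "BLOCK"))
```

Run it with no variables set to see the two configuration problems in the sample flagged; run it inside the service's container environment and it reports on the real variables instead. Rejecting an UPDATE grant on a read-only field at deploy time is cheaper than discovering at runtime that the grant silently has no effect.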