Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Externalized authorization

Externalized authorization

search

Externalized authorization

The Externalized Authorization feature enables you to enforce your business policies uniformly across all your applications.

A business can specify conditions to determine when to give a user access to their products, which means to authorize the user. These conditions form the business policy and can be based on user attributes, product attributes, relationships, user consent, and many other types of information.

Examples of policies

  • "To view a product of type premium, the user must be a paying customer."

  • "To receive monthly newsletters, the user must consent to the use of their email address by company X."

  • "To view a confidential document, the user must be a doctor and the owner of the document must have given their consent."

  • "To update a medical document, the user must be a doctor or a nurse and must have a caring relationship with the subject of the document."

  • To use a smart device, the user must be the owner or have a relationship with the owner."

Applying a business policy consistently within a microservice-based architecture poses some challenges: each individual component must know which user is interacting with it and which authorizations are to be granted. To simplify application design and to make applications independent of policy evolutions, authorization can be performed externally. This ensures consistency between applications, in addition to security and scalability.

Externalized authorization with the OneWelcome Identity Platform

The OneWelcome Identity Platform offers help with externalized authorization by providing an API-based system:

  1. Config API: Define customized policies.

  2. Authorization API: Take policies into account to make authorization decisions.

    Authorization overview

Note

PII protection

All personally identifiable information (PII) is persistently stored in the identity management user repository only. The relationship management APIs do not persistently store any PII. Even though PII can temporarily occur in volatile memory, it is not kept in any database or log of the APIs.

Configuration of policies: Config API

The policies for each tenant can be managed in your relationship management portal.

Information model

The Config API enables tenants to define policies that can be used by the Authorization API to make authorization decisions for the other OneWelcome Identity Platform APIs and for the tenant's applications.

Information model policy configuration

Objects and attributes

Policy name attribute

Each policy must be provided with a name that can be linked to the attempted action by following the naming convention: targetType:action.

  • The most common actions are read, create, update, and delete. The Relationship Management API also makes use of additional actions such as relationships:list.

  • The type of target (resource in the authorization request) can be among others:

    • an ActorType, such as user,
    • a ResourceType, such as pet,
    • a RelationshipType with the from and to types,such as user:is_admin_of:subscription,
    • an Invitation (for a specific type of relationship): {fromType}:{relationshipType}:{toType}:invitation, such as user:is_coadmin_of:subscription:invitation.
Examples of policies
Policy name Example policy content
subscription:read
A user attempts to read a specific subscription.		 Users can only read subscriptions of which they are admin, co-admin, or member.
user:update
A user attempts to change a user attribute, such as their phone number.		 Users can only update their own User attributes.
user:is_member_of:subscription:invitation:create
A user attempts to send (and create) an invitation that invites another user to become a member of a specific subscription.		 Users can only create an invitation for a subscription to which they are directly related as admin or co-admin.
user:is_member_of:subscription:invitation:withdraw
A user attempts to withdraw an invitation.		 Only the inviter of an invitation can withdraw the invitation. An invitation can only be withdrawn as long as it is not yet accepted or rejected.
smart_lock:relationships:list
A user attempts to view a list of all the users linked to a smart lock.		 Users can only read relationships of a smart lock of which they are an administrator or co-administrator.
The Rego attribute and the graphical representation

The policy conditions are specified by using the OPA policy language Rego. The Rego data can be entered directly via the create/update policy endpoint or can be automatically converted from the graphical representation created in the relationship management portal.

Note

After you enter raw Rego data for your policy, the graphical representation in the portal will no longer function. From that point onwards, you can only update the policy directly via the create/update policy endpoint.

Example policy invitation

Example of the graphical representation in the relationship management portal

The above graph represents the action user:is_member_of:subscription:invitation:create. The converted Rego data of this policy can be found below.

Requirements Example
The policy target must be present in the policy. is_member_of
In case of a RelationshipType as policy target, the linked types must be present in the policy. from user to subscription
Each ActorType (generally a user) that is allowed to perform the action must be present as a starting element, optionally restricted by a path of required RelationshipTypes towards other Resources/Actors. The latter can include the policy target.

Make sure to add a separate starting element for each RelationshipType you wish to include. The amount of starting elements is unlimited.		 There are two User starting elements which restrict this action to users with either an is_admin_of or is_coadmin_of Relationships to the target subscription.
Rego example
rego: "

package sandbox_small_pond_c0ec.user.is_member_of.subscription.invitation.create

default outcome = "deny"

outcome = "allow" {
  user_is_admin_of_subscription
}
{
  user_is_coadmin_of_subscription
}

user_is_admin_of_subscription {
 input.graph.subject.is_admin_of[_].subscription.id == input.resource.to.id
 input.graph.subject.type == "user"
    }

user_is_coadmin_of_subscription {
 input.graph.subject.is_coadmin_of[_].subscription.id == input.resource.to.id
 input.graph.subject.type == "user"
     }
"

Executing policies: Authorization API

Note

Tenant admins can perform any action in the Relationship Management API, regardless of the defined policies, when using an access token with the pg:tenant:admin scope.

Information model

The tenant's applications and the APIs can send a request to the Authorization API to execute a policy and thus determine whether a specific action is authorized. The authorization request is based on the XACML specification, which specifies four parts in the request: subject, action, resource, and context. The Authorization API can enrich this input with relationship information (graph) as provided by the Relationship Management API. All above information can be used to determine the authorization decision based on the corresponding policy. The response is an object containing the outcome (generally allow or deny) and optionally other data. If the policy specified in action does not exist, the response is by default deny.

Information model

To make an authorization request, use the following endpoint:

Note

For each of the Relationship Management API endpoints<, a templated authorization request can be found below. This is the information that the latter API provides the Authorization API with to make authorization decisions. It can be used as a guide to customize the associated policies for your tenant.

Endpoints Overview

endpoints overview

On this page