Skip to main content
Version: 8.2411.x.x RR

Functional authorization - nevisIDM roles

Functional authorization checks authorization for an operation and is integrated into the nevisIDM roles. The table lists the standard nevisIDM roles. These roles are usually assigned to a standard user of nevisIDM. There is a second category of roles, the technical nevisIDM roles, listed in [the table] below.

NameDescriptions / authorized objects
AppAdminApplications, roles, properties, property values Administrates all applications, can assign all application data rooms (can create MainAppOwners)
AppOwnerAssigns application role
HelpdeskLimited UserAdmin functionality, but can handle credentials
MainAppOwnerCan assign application roles, can assign application data room (can create AppOwners)
RootCan access everything
ClientRootCan access everything in own client but cannot administrate clients.
SelfAdminUser's own data and credentials
UserAdminCan access and create users and profiles.
UserAndUnitAdminLike UserAdmin, but can also access Units and make new UserAdmins.
TemplateAdminCan manage text templates.
EnterpriseRoleAdminCan create enterprise roles with property values.
Can assign member roles to enterprise roles.
Can assign enterprise roles to profiles.
Can assign enterprise role data rooms (can create EnterpriseRoleOwner).
EnterpriseRoleOwnerCan assign enterprise roles to profiles.
NameDescriptions / authorized objects
BatchJobAdminBatch jobs
SoapTechAccessAlmost like root
SoapTechAccessReadOnlyLike SoapTechAccess but read only
TechUserA technical role without any nevisIDM privileges. It can be used to mark technical users. A well-known use case is to check whether a user has this role when he wants to access a back end such as a SOAP interface. The check can be performed on the proxy, e.g., on nevisProxy with a SecurityRoleFilter.
Alternatively, instead of the role-based model, create a technical user with the isTechnicalUser flag set.
ImpersonatorA technical role only available for technical users. It allows them to impersonate another user.

Elementary rights of nevisIDM roles

A role is mapped to a set of elementary permissions allowing the execution of specific operations. These permissions are also called elementary rights. Descriptions of all elementary rights can be found in [Appendix A]. An insight into the authorization mechanism of nevisIDM is given in the table. It shows default mappings of product roles to elementary rights.

The letters in the table represent the following:

  • X: access without any additional authorization checks (only true for client-/unit-/app-global)
  • c: if client authorization check is successful
  • u: if unit data room authorization check is successful
  • a: if application data room authorization check is successful
  • e: if enterprise role data room authorization check is successful
  • s: only to his own data

The table below has become somewhat famous within Nevis and is often referred to as "nevisIDM Chrüzlistich". It is Swiss-German and means "the table with a lot of crosses in it".

Roles/RightsnevisIdm.
Root
nevisIdm.
ClientRoot
nevisIdm.
UserAdmin
nevisIdm.
UserAndUnit
Admin
nevisIdm.
AppAdmin
nevisIdm.
AppOwner
nevisIdm.
MainAppOwner
nevisIdm.
Helpdesk
nevisIdm.
Template
Admin
nevisIdm.
SelfAdmin
nevisIdm.
SoapTechAccess
nevisIdm.
SoapTechAccess
ReadOnly
nevisIdm.
TechUser
nevisIdm.
Impersonator
nevisIdm.
EnterpriseRole
Admin
nevisIdm.
EnterpriseRole
Owner
ApplicationCreateXccc
ApplicationDeleteXccca
ApplicationModifyXccca
ApplicationSearchXccccccccc
ApplicationViewXccacaccacaccacacc
AuthorizationApplCreateXcccuacua
AuthorizationApplDeleteXcccuacua
AuthorizationApplSearchXccucuccucuccc
AuthorizationApplViewXcccuacucuacuac
AuthorizationClientCreateXccuccuacuc
AuthorizationClientDeleteXccuccuacuc
AuthorizationClientSearchXccucuccuaccc
AuthorizationClientViewXccuccuacucuc
AuthorizationCreateXccucuccuacuacuac
AuthorizationDeleteXccucuccuacuacuac
AuthorizationModifyXccuccuacuac
AuthorizationSearchXccucuccacacaccccu
AuthorizationEnterpriseRoleCreateXccuec
AuthorizationEnterpriseRoleDeleteXccuec
AuthorizationEnterpriseRoleSearchXccucucccuccccue
AuthorizationEnterpriseRoleViewXccccucuecueccue
AuthorizationUnitCreateXccucucuc
AuthorizationUnitDeleteXccucucuc
AuthorizationUnitSearchXccucucccuccc
AuthorizationUnitViewXccuccucucucuc
AuthorizationViewXccucuccacacucuacuaccu
BatchJobExecuteXcX
BatchJobViewXcX
ClientApplAssignXccca
ClientApplDeleteXccca
ClientApplViewXcccaccacaccaca
ClientCreateXX
ClientDeleteXc
ClientModifyXc
ClientSearchXcccccccccccc
ClientViewXcccccccccccc
CollectionCreateXcX
CollectionDeleteXcX
CollectionModifyXcX
CollectionViewXcXXXXXXXXXcc
ConsentViewXXX
CredentialChangeStateXccucu
CredentialCreateXccucu
CredentialDeleteXccucucucu
CredentialModifyXccucu
CredentialPdfViewXc
CredentialSearchXccucucu
CredentialViewXccucucu
CredentialViewPlainValueXccu
EnterpriseAuthorizationCreateXccueccue
EnterpriseAuthorizationDeleteXccueccue
EnterpriseAuthorizationModifyXccueccue
EnterpriseAuthorizationSearchXccucuccccucuecueccue
EnterpriseAuthorizationViewXccucuccccucuecueccue
EnterpriseRoleCreateXccc
EnterpriseRoleDeleteXccec
EnterpriseRoleModifyXccec
EnterpriseRoleSearchXccccccccececce
EnterpriseRoleViewXcccececce
EnterpriseRoleMemberCreateXccaec
EnterpriseRoleMemberDeleteXccaec
EnterpriseRoleMemberSearchXcccaecaecce
EntityAttributeAccessOverrideXc
GenerateReportXc
HistoryViewXxXX
LoginIdOverrideXc
LoginIdModifyXccucuscu
PersistentQueueViewXccc
PersistentQueueDeleteXcc
PersonalQuestionCreateXcc
PersonalQuestionDeleteXcc
PersonalQuestionModifyXcc
PersonalQuestionViewXccccccccccccccc
PersonalQuestionSearchXccccccccccccccc
PolicyConfigurationCreateXcc
PolicyConfigurationDeleteXcc
PolicyConfigurationModifyXcc
PolicyConfigurationSearchXccc
PolicyConfigurationViewXccc
ProfileArchiveXccucucu
ProfileCreateXccucucu
ProfileDeleteXccu
ProfileModifyXccucucu
ProfileSearchXccccccccucuccu
ProfileViewXccucuccucucucucuccu
DeputyCreateXcs
DeputyDeleteXcs
PropertyAllowedValueCreateXcXX
PropertyAllowedValueDeleteXcXX
PropertyAllowedValueModifyXcX
PropertyAllowedValueSearchXcXXXXXXXXcc
PropertyAllowedValueViewXcXXXXXcc
PropertyAttributeAccessOverrideXc
PropertyCreateXcXX
PropertyDeleteXcXX
PropertyModifyXcXX
PropertySearchXcXXXXXXXXXcc
PropertyValueCreateXcXXc
PropertyValueDeleteXcXXc
PropertyValueModifyXcXXc
PropertyValueSearchXcXXXXXXXXcc
PropertyValueViewXcXXXXXcc
PropertyViewXcXXXXXcc
RoleCreateXccca
RoleDeleteXccca
RoleModifyXccca
RoleSearchXcccccacaccacacc
RoleViewXccccccccacacc
SearchResultsExportXcXXXXXXcc
SelfAdminXcXXX
TemplateCreateXcXX
TemplateDeleteXcXX
TemplateModifyXcXX
TemplateStoreXcXXX
TemplateTextCreateXcXX
TemplateTextDeleteXcXX
TemplateTextModifyXcXX
TemplateTextViewXcXXX
TemplateViewXcXXX
TermsCreateXXX
TermsDeleteXXX
TermsModifyXXX
TermsViewXXX
UnitCreateXccucu
UnitCreateTopUnitXccu
UnitDeleteXccucu
UnitModifyXccucu
UnitSearchXccucuccucucucucuccu
UnitViewXccuccucucuc
UnitCredPolicyCreateXccc
UnitCredPolicyDeleteXccc
UnitCredPolicyViewXccc
UserArchiveXccucucu
UserCreateXccucucu
UserDeleteXccu
UserModifyXccucucucu
UserSearchXccccccccucucc
UserViewXccucucucucucucucuccu
UserCreateTechUserXc
UserModifyTechUserXc
UserDeleteTechUserXc
UserArchiveTechUserXc

Fine-grained permissions of nevisIDM roles

A nevisIDM role is mapped to a set of elementary rights, also called elementary permissions. These rights determine the operations a user can execute.

Fine-grained permissions are an extension of the elementary rights and can be used to restrict an elementary right to specific attributes. For example, we can restrict the Helpdesk role to be able to modify only the user state but no other user attributes.

If no fine-grained permissions are defined, the user is authorized for all attributes, without any restrictions. The nevisIDM roles do not contain any default fine-grained permissions; their definition is optional.

Configuration of fine-grained permissions

The fine-grained permissions are defined in the rolesMapping.properties configuration file. They have to be set in the format ElementaryRight.Attribute, where ElementaryRight is the name of an elementary right, and Attribute is the name of the attribute to which we want to restrict the elementary right.

For example, if we want to restrict a nevisIDM role to be able to modify only the state of a user, the fine-grained permission AccessControl.UserModify.state has to be added to the configuration file.

*If a fine-grained permission for an elementary right is defined in the role configuration, the elementary right itself should not be listed. If a role configuration contains fine-grained permissions and the elementary right, the fine-grained permissions are ignored.

For example: If the fine-grained permission AccessControl.UserModify.state is defined in the role configuration, the AccessControl.UserModify elementary right should not be listed. Otherwise, the fine-grained permission is ignored, and the user modification is not restricted to the state attribute.

Notes:

  • Fine-grained permissions are supported only for the AccessControl.UserView and AccessControl.UserModify elementary rights and for the following user attributes:
  • loginId
  • extid
  • client
  • state
  • firstName
  • name
  • title
  • sex
  • birthDate
  • email
  • telephone
  • telefax
  • mobile
  • addressline1
  • addressline2
  • postalcode
  • city
  • country
  • street
  • houseNumber
  • dwellingNumber
  • postOfficeBoxText
  • postOfficeBoxNumber
  • locality
  • template_collection
  • languageId
  • remarks
  • validFrom
  • validTo
  • isTechnicalUser
  • stateChangedDate
  • stateChangeReasonCd
  • stateChangeDetail
  • lastLogin
  • lastFailure
  • Fine-grained permissions for properties with scope onUserGlobal can also be defined in the format ElementaryRight.prop.PropertyName. For example: We have a property, called userProperty with scope onUserGlobal and we want to restrict the AccessControl.UserModify elementary right to this property. The rolesMapping.properties has to be extended with the AccessControl.UserModify.prop.userProperty fine-grained permission.
  • Fine-grained permissions are not supported for technical attributes like ctlCreUid, ctlCreDat, ctlCreUid, ctlModDat, ctlModUid and ctlTcn.

Fine-grained permissions on the nevisIDM admin GUI

On the User administration view, the values of the attributes are visible and modifiable depending on the fine-grained permissions.

Only the values of the attributes for which we have fine-grained permissions on the AccessControl.UserView elementary right are visible, and only the attributes for which we have fine-grained permissions on the AccessControl.UserModify elementary right are modifiable.

The fine-grained permissions are applied neither on the user search and user history views nor on the result of the user export and report.

Fine-grained permissions in the web services

The fine-grained permissions are also applied on the user-related web service operations. The result of a query operation contain only the attributes for which we have fine-grained permissions on the AccessControl.UserView elementary right. The other attributes are not returned by the query operations.

Also, only the attributes for which we have fine-grained permissions on the AccessControl.UserModify elementary right can be modified. Trying to modify an attribute the caller user does not have permission for results in an exception with the error code errors.insufficientFineGrainedRights.

The fine-grained permissions are applied to the following web service operations: queryUsers, getUsersByLoginIds, getUsersByExtIds, getUsersByProfileExtIds, getAuthorizers, updateUser.

The fine-grained permissions are not applied to the getHistoryOfUser web service operation.

Configuration example

Modify the Helpdesk nevisIDM role to be able to view all user attributes, but be able to modify only the state attribute.

By default, the Helpdesk role contains the AccessControl.UserView and AccessControl.UserModify elementary rights. Since the Helpdesk role should be able to view all user attributes, no fine-grained permission has to be defined for the AccessControl.UserView elementary right. We only have to define fine-grained permission for the AccessControl.UserModify elementary permission.

To change the Helpdesk role, the following steps have to be taken:

  • Open the rolesMapping.properties configuration file.
  • Remove the AccessControl.UserModify elementary right from the configuration of the Helpdesk role.
  • Add the AccessControl.UserModify.state fine-grained permission to the configuration of the Helpdesk role.
  • Restart nevisIDM.

Credential-type specific permissions of nevisIDM roles

Credential-type specific permissions represent an extension of elementary rights, akin to fine-grained permissions. They serve to limit an elementary right to specific credential types. For instance, the HelpDesk role can be restricted to creating/modifying/viewing only PASSWORD type credentials, excluding any other types.

If no credential-type specific permissions are defined, the user is authorized for all credential types, without any restrictions. The nevisIDM roles do not contain any default credential-type specific permissions; their definition is optional.

Configuration of credential-type specific permissions

The credential-type specific permissions are defined in the rolesMapping.properties configuration file. They have to be set in the format ElementaryRight.CredentialType, where ElementaryRight is the name of an elementary right, and CredentialType is the name of the credential type to which we want to restrict the elementary right.

For example, if we want to restrict a nevisIDM role to be able to modify only KERBEROS type credentials, the credential-type specific permission AccessControl.CredentialModify.KERBEROS has to be added to the configuration file.

If a credential-type specific permission for an elementary right is defined in the role configuration, the elementary right itself should not be listed. If a role configuration contains credential-type specific permissions and the elementary right, the credential-type specific permissions are ignored.

For example: If the credential-type specific permission AccessControl.CredentialModify.KERBEROS is defined in the role configuration, the AccessControl.CredentialModify elementary right should not be listed. Otherwise, the credential-type specific permission are ignored, and the credential modification is not restricted to the type of the credential.

Notes:

  • The following elementary permissions can be extended with credential-type specific permissions:

    • AccessControl.CredentialCreate
    • AccessControl.CredentialModify
    • AccessControl.CredentialView
    • AccessControl.CredentialDelete
    • AccessControl.CredentialChangeState
    • AccessControl.CredentialPdfView
    • AccessControl.CredentialViewPlainValue
    • AccessControl.CredentialSearch
  • The format of the credential-type specific permissions is case-insensitive. Furthermore, the credential type can be specified either by its name or by its ID. For example, the following credential-type specific permissions are equivalent:

    • AccessControl.CredentialModify.KERBEROS
    • AccessControl.CredentialModify.10
    • AccessControl.CredentialModify.Kerberos

The supported credential types can be found listed below.

  • Credential Password:
    • ID: 1
    • Name: PASSWORD
  • Credential Certificate:
    • ID: 2
    • Name: CERTIFICATE
  • Credential SecurID:
    • ID: 3
    • NAME: SECURID
  • Credential Ticket:
    • ID: 4
    • NAME: TICKET
  • Credential SafewordUser:
    • ID: 5
    • NAME: SAFEWORDUSER
  • Credential OTP:
    • ID: 6
    • NAME: OTP
  • Credential TempStrongPassword:
    • ID: 8
    • NAME: TEMPSTRONGPASSWORD
  • Credential Generic:
    • ID: 9
    • NAME: GENERIC
  • Credential Kerberos:
    • ID: 10
    • NAME: KERBEROS
  • Credential MTAN:
    • ID: 11
    • NAME: MTAN
  • Credential Vasco:
    • ID: 12
    • NAME: VASCO
  • Credential PUK:
    • ID: 13
    • NAME: PUK
  • Credential UrlTicket:
    • ID: 14
    • NAME: URLTICKET
  • Credential DevicePassword:
    • ID: 15
    • NAME: DEVICEPASSWORD
  • Credential MobileSignature:
    • ID: 16
    • NAME: MOBILESIGNATURE
  • Credential SamlFederation:
    • ID: 17
    • NAME: SAMLFEDERATION
  • Credential SecurityQuestions:
    • ID: 18
    • NAME: SECURITYQUESTIONS
  • Credential ContextPassword:
    • ID: 19
    • NAME: CONTEXTPASSWORD
  • Credential Oath:
    • ID: 20
    • NAME: OATH
  • Credential FidoUaf:
    • ID: 21
    • NAME: FIDO_UAF
  • Credential RecoveryCode:
    • ID: 22
    • NAME: RECOVERY_CODE
  • Credential Fido2:
    • ID: 23
    • NAME: FIDO2

Configuration example

Modify the Helpdesk nevisIDM role to be able to view all types of credentials, but be able to modify only the password types.

By default, the Helpdesk role contains the AccessControl.CredentialView and AccessControl.CredentialModify elementary rights. Since the Helpdesk role should be able to view all types of credentials, no credential-type specific permission has to be defined for the AccessControl.CredentialView elementary right. We only have to define credential-type specific permission for the AccessControl.CredentialModify elementary permission.

To change the Helpdesk role, the following steps have to be taken:

  • Open the rolesMapping.properties configuration file.
  • Remove the AccessControl.CredentialModify elementary right from the configuration of the Helpdesk role.
  • Add the AccessControl.CredentialModify.password permission to the configuration of the Helpdesk role.
  • Restart nevisIDM.

Magic roles and special users

Magic roles

Some roles are called "magic roles". nevisIDM knows their names and handles them in a different way:

  • Role SelfAdmin: Data room authorization is only valid for objects of the acting user.
  • Role TechUser: Role without any privileges in nevisIDM. Used for checking in a SecurityRoleFilter in nevisProxy (like roles of other applications)

Special users

There is one particular exception from the roles above, which only applies to the user nevisauth. This technical user is part of and protected by the nevisIDM ref-data and represents the component nevisAuth. If there are nevisIDM AuthStates configured in nevisAuth, these states call nevisIDM web services with a secToken issued for the user nevisauth. In nevisIDM, all authorization checks are disabled for this user to increase performance as an authentication back end of nevisAuth.

Privilege escalation of nevisIDM roles

To prevent users such as Helpdesk or UserAdmin from being able to change the password of a user with the role Root and thereby take the root user's privileges, restrictions are required. These restrictions define which role is required to edit another role. The definition of privilege escalation can be found in the configuration file authorizationConfig.properties ).

The figure below shows the role hierarchy. The permission to administrate a user is related to editing the user object itself as well as the attached profiles and credentials. The can edit-relation shown in the figure is transitive and is interpreted as follows:

  • Editing of a profile P is allowed if the actor's nevisIDM roles allow to edit all roles of the profile P.
  • Editing a user and his credentials is allowed if all profiles of the user can be edited.
Role hierarchy of nevisIDM (arrow means can edit)

As shown in the diagram, Helpdesk is able to assume control over the accounts of (Main) AppOwner and/or UserAdmin because Helpdesk users can edit credentials. Helpdesk is therefore a powerful role, and users with this role should be instructed accordingly.

The described restrictions do not apply to the assignment of roles. An AppOwner, for example, can assign/revoke applications to/from all users (even to/from a root user). Only roles that one is allowed to assign can be revoked. Due to this rule, it is not possible to revoke the roles AppAdmin or Helpdesk unless that user has the role root.