IdmAddRemoveAuthorizationState
This AuthState is a processing AuthState.
This plug-in is used to add or remove roles to or from the user profile after a successful nevisIDM login. The properties support variable expressions to define which roles should be added or removed. If the role does not exist in nevisIDM, the AuthState will transition to FAILED on runtime. Allowing user controlled input is not recommended, because this can lead to security issues.
If the user has more than one profile:
- If a preselected profile is defined (the session attribute "ch.adnovum.nevisidm.profileId" is set), the roles will be added/removed to/from the profile identified by the profileId.
- If the user has a default profile, the roles will be added/removed to/from the default profile.
- If there is no preselected or default profile, an error occurs.
| Topic | Description |
|---|---|
| Class | ch.nevis.idm.authstate.IdmAddRemoveAuthorizationState |
| Logging | IdmAuth |
| Auditing | None |
| Marker | NevisIDM:mutation |
| Properties | rolesToAdd Comma-separated list of roles to add to the user profile. The roles must be set in the format applicationName.roleName. Variable expressions like ${sess:my.session.variable} are also supported. For security reasons, direct user input is not recommended. |
| rolesToRemove Comma-separated list of roles to remove from the user profile. The roles must be set in the format applicationName.roleName. Variable expressions like ${sess:my.session.variable} are also supported. For security reasons, direct user input is not recommended. | |
| Methods | process (all events) |
| Input | None |
| Transitions | ok: The roles are added/removed successfully. |
| failed: Fetching the user profile failed or one of the roles does not exist in nevisIDM. | |
| roleAddingFailed: Adding the roles to the user profile failed. | |
| roleRemovalFailed: Removing the roles from the user profile failed. | |
| clientNotFound: User uses an unsupported client ID or the "default" client ID is not available. | |
| Output | None |
| Errors | None |
| Notes | None |
Example
<AuthState name="IdmAddRemoveAuthorizationState"
class="ch.nevis.idm.authstate.IdmAddRemoveAuthorizationState"
final="false">
<ResultCond name="ok" next="AuthDone"/>
<ResultCond name="failed"
next="IdmAddRemoveAuthorizationState"/>
<ResultCond name="roleAddingFailedc"
next="IdmAddRemoveAuthorizationState"/>
<ResultCond name="roleRemovalFailed"
next="IdmAddRemoveAuthorizationState"/>
<Response value="AUTH_ERROR" >
<Gui name="AuthErrorDialog"/>
</Response>
<property name="rolesToRemove" value="application.role1,application.role2" />
<property name="rolesToAdd" value="application.role3,application.role4" />
</AuthState>