Version: 8.2411.x.x RR

IdmAddRemoveAuthorizationState

This AuthState is a processing AuthState.

This plug-in is used to add or remove roles to or from the user profile after a successful nevisIDM login.

The properties support variable expressions to define which roles should be added or removed. If a role does not exist in nevisIDM, the AuthState transitions to failed at runtime. Allowing user-controlled input is not recommended, because it can lead to security issues.

If the user has more than one profile:

  • If a preselected profile is defined (the session attribute "ch.adnovum.nevisidm.profileId" is set), the roles will be added/removed to/from the profile identified by the profileId.
  • If the user has a default profile, the roles will be added/removed to/from the default profile.
  • If there is no preselected or default profile, an error occurs.

| Topic | Description |
|---|---|
| Class | ch.nevis.idm.authstate.IdmAddRemoveAuthorizationState |
| Logging | IdmAuth |
| Auditing | None |
| Marker | NevisIDM:mutation |
| Properties | rolesToAdd: Comma-separated list of roles to add to the user profile. The roles must be set in the format applicationName.roleName. Variable expressions like ${sess:my.session.variable} are also supported. For security reasons, direct user input is not recommended. |
| | rolesToRemove: Comma-separated list of roles to remove from the user profile. The roles must be set in the format applicationName.roleName. Variable expressions like ${sess:my.session.variable} are also supported. For security reasons, direct user input is not recommended. |
| Methods | process (all events) |
| Input | None |
| Transitions | ok: The roles are added/removed successfully. |
| | failed: Fetching the user profile failed or one of the roles does not exist in nevisIDM. |
| | roleAddingFailed: Adding the roles to the user profile failed. |
| | roleRemovalFailed: Removing the roles from the user profile failed. |
| | clientNotFound: User uses an unsupported client ID or the "default" client ID is not available. |
| Output | None |
| Errors | None |
| Notes | None |

Example

<AuthState name="IdmAddRemoveAuthorizationState"
           class="ch.nevis.idm.authstate.IdmAddRemoveAuthorizationState"
           final="false">

    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="failed" next="IdmAddRemoveAuthorizationState"/>
    <ResultCond name="roleAddingFailed" next="IdmAddRemoveAuthorizationState"/>
    <ResultCond name="roleRemovalFailed" next="IdmAddRemoveAuthorizationState"/>

    <Response value="AUTH_ERROR">
        <Gui name="AuthErrorDialog"/>
    </Response>

    <property name="rolesToRemove" value="myApp1.roleA,myApp2.roleA"/>
    <property name="rolesToAdd" value="myApp1.roleB,myApp1.roleC"/>
</AuthState>
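
Configuration review check (an added example, not part of the Nevis documentation or product): a small linter that reads AuthState XML and reports role entries that are neither applicationName.roleName literals nor session-scoped expressions, plus listed transitions that have no ResultCond. The sample configuration, the `<Domain>` wrapper, the state names, and the `${inargs:role}` entry are constructed; treating only `sess` expressions as acceptable and flagging unrouted transitions are review policies assumed by this example.

```python
import re
import xml.etree.ElementTree as ET

CLASS = "ch.nevis.idm.authstate.IdmAddRemoveAuthorizationState"
ROLE_PROPS = ("rolesToAdd", "rolesToRemove")
# Transitions listed on this page for the AuthState.
TRANSITIONS = {"ok", "failed", "roleAddingFailed", "roleRemovalFailed", "clientNotFound"}
# Assumed review policy: only session-scoped expressions are tolerated.
ALLOWED_SOURCES = {"sess"}
EXPR = re.compile(r"^\$\{(\w+):[^}]+\}$")
LITERAL = re.compile(r"^[^.\s,${}]+\.[^\s,${}]+$")  # applicationName.roleName

def lint(config_xml):
    """Return (state, property, finding) tuples for every matching AuthState."""
    findings = []
    for state in ET.fromstring(config_xml).iter("AuthState"):
        if state.get("class") != CLASS:
            continue
        name = state.get("name")
        handled = {rc.get("name") for rc in state.findall("ResultCond")}
        for missing in sorted(TRANSITIONS - handled):
            findings.append((name, "ResultCond", f"no transition for '{missing}'"))
        for prop in state.findall("property"):
            if prop.get("name") not in ROLE_PROPS:
                continue
            for item in (v.strip() for v in prop.get("value", "").split(",")):
                expr = EXPR.match(item)
                if expr and expr.group(1) not in ALLOWED_SOURCES:
                    findings.append((name, prop.get("name"),
                                     f"'{item}' is not session-scoped"))
                elif not expr and not LITERAL.match(item):
                    findings.append((name, prop.get("name"),
                                     f"'{item}' is not applicationName.roleName"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """<Domain>
  <AuthState name="GrantRoles" class="ch.nevis.idm.authstate.IdmAddRemoveAuthorizationState" final="false">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="failed" next="AuthError"/>
    <ResultCond name="roleAddingFailed" next="AuthError"/>
    <ResultCond name="roleRemovalFailed" next="AuthError"/>
    <property name="rolesToAdd" value="myApp1.roleB, ${inargs:role}, ${sess:my.session.variable}"/>
    <property name="rolesToRemove" value="roleA"/>
  </AuthState>
</Domain>"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```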