Skip to main content
Version: 2.82.x.x LTS

Functional authorization - nevisIDM roles

Functional authorization checks authorization for an operation and is integrated into the nevisIDM roles. The table lists the standard nevisIDM roles. These roles are usually assigned to a standard user of nevisIDM. There is a second category of roles, the technical nevisIDM roles, listed in [the table] below.

NameDescriptions / authorized objects
AppAdminApplications, roles, properties, property values Administrates all applications, can assign all application data rooms (can create MainAppOwners)
AppOwnerAssigns application role
HelpdeskLimited UserAdmin functionality, but can handle credentials
MainAppOwnerCan assign application roles, can assign application data room (can create AppOwners)
RootCan access everything
ClientRootCan access everything in own client but cannot administrate clients.
SelfAdminUser's own data and credentials
UserAdminCan access and create users and profiles.
UserAndUnitAdminLike UserAdmin, but can also access Units and make new UserAdmins.
TemplateAdminCan manage text templates.
EnterpriseRoleAdminCan create enterprise roles with property values.
Can assign member roles to enterprise roles.
Can assign enterprise roles to profiles.
Can assign enterprise role data rooms (can create EnterpriseRoleOwner).
EnterpriseRoleOwnerCan assign enterprise roles to profiles.
NameDescriptions / authorized objects
BatchJobAdminBatch jobs
SoapTechAccessAlmost like root
SoapTechAccessReadOnlyLike SoapTechAccess but read only
TechUserA technical role without any nevisIDM privileges. It can be used to mark technical users. A well-known use case is to check whether a user has this role when he wants to access a back end such as a SOAP interface. The check can be performed on the proxy, e.g., on nevisProxy with a SecurityRoleFilter.
Alternatively, instead of the role-based model, create a technical user with the isTechnicalUser flag set.
ImpersonatorA technical role only available for technical users. It allows them to impersonate another user.

Elementary rights of nevisIDM roles

A role is mapped to a set of elementary permissions allowing the execution of specific operations. These permissions are also called "elementary rights". Descriptions of all elementary rights can be found in [Appendix A]. An insight into the authorization mechanism of nevisIDM is given in the table. It shows default mappings of product roles to elementary rights.

The letters in the table represent the following:

  • X: access without any additional authorization checks (only true for client-/unit-/app-global)
  • c: if client authorization check is successful
  • u: if unit data room authorization check is successful
  • a: if application data room authorization check is successful
  • e: if enterprise role data room authorization check is successful
  • s: only to his own data

The table below has become somewhat famous within Nevis and is often referred to as "nevisIDM Chrüzlistich". It is Swiss-German and means "the table with a lot of crosses in it".

Roles/RightsnevisIdm.
Root
nevisIdm.
ClientRoot
nevisIdm.
UserAdmin
nevisIdm.
UserAndUnit
Admin
nevisIdm.
AppAdmin
nevisIdm.
AppOwner
nevisIdm.
MainAppOwner
nevisIdm.
Helpdesk
nevisIdm.
Template
Admin
nevisIdm.
SelfAdmin
nevisIdm.
SoapTechAccess
nevisIdm.
SoapTechAccess
ReadOnly
nevisIdm.
TechUser
nevisIdm.
Impersonator
nevisIdm.
EnterpriseRole
Admin
nevisIdm.
EnterpriseRole
Owner
ApplicationCreateXccc
ApplicationDeleteXccca
ApplicationModifyXccca
ApplicationSearchXccccccccc
ApplicationViewXccacaccacaccacacc
AuthorizationApplCreateXcccuacua
AuthorizationApplDeleteXcccuacua
AuthorizationApplSearchXccucuccucuccc
AuthorizationApplViewXcccuacucuacuac
AuthorizationClientCreateXccuccuacuc
AuthorizationClientDeleteXccuccuacuc
AuthorizationClientSearchXccucuccuaccc
AuthorizationClientViewXccuccuacucuc
AuthorizationCreateXccucuccuacuacuac
AuthorizationDeleteXccucuccuacuacuac
AuthorizationModifyXccuccuacuac
AuthorizationSearchXccucuccacacaccccu
AuthorizationEnterpriseRoleCreateXccuec
AuthorizationEnterpriseRoleDeleteXccuec
AuthorizationEnterpriseRoleSearchXccucucccuccccue
AuthorizationEnterpriseRoleViewXccccucuecueccue
AuthorizationUnitCreateXccucucuc
AuthorizationUnitDeleteXccucucuc
AuthorizationUnitSearchXccucucccuccc
AuthorizationUnitViewXccuccucucucuc
AuthorizationViewXccucuccacacucuacuaccu
BatchJobExecuteXcX
BatchJobViewXcX
ClientApplAssignXccca
ClientApplDeleteXccca
ClientApplViewXcccaccacaccaca
ClientCreateXX
ClientDeleteXc
ClientModifyXc
ClientSearchXcccccccccccc
ClientViewXcccccccccccc
CollectionCreateXcX
CollectionDeleteXcX
CollectionModifyXcX
CollectionViewXcXXXXXXXXXcc
ConsentViewXXX
CredentialChangeStateXccucu
CredentialCreateXccucu
CredentialDeleteXccucucucu
CredentialModifyXccucu
CredentialPdfViewXc
CredentialSearchXccucucu
CredentialViewXccucucu
CredentialViewPlainValueXccu
EnterpriseAuthorizationCreateXccueccue
EnterpriseAuthorizationDeleteXccueccue
EnterpriseAuthorizationModifyXccueccue
EnterpriseAuthorizationSearchXccucuccccucuecueccue
EnterpriseAuthorizationViewXccucuccccucuecueccue
EnterpriseRoleCreateXccc
EnterpriseRoleDeleteXccec
EnterpriseRoleModifyXccec
EnterpriseRoleSearchXccccccccececce
EnterpriseRoleViewXcccececce
EnterpriseRoleMemberCreateXccaec
EnterpriseRoleMemberDeleteXccaec
EnterpriseRoleMemberSearchXcccaecaecce
EntityAttributeAccessOverrideXc
GenerateReportXc
HistoryViewXxXX
LoginIdOverrideXc
LoginIdModifyXccucuscu
PersistentQueueViewXccc
PersistentQueueDeleteXcc
PersonalQuestionCreateXcc
PersonalQuestionDeleteXcc
PersonalQuestionModifyXcc
PersonalQuestionViewXccccccccccccccc
PersonalQuestionSearchXccccccccccccccc
PolicyConfigurationCreateXcc
PolicyConfigurationDeleteXcc
PolicyConfigurationModifyXcc
PolicyConfigurationSearchXccc
PolicyConfigurationViewXccc
ProfileArchiveXccucucu
ProfileCreateXccucucu
ProfileDeleteXccu
ProfileModifyXccucucu
ProfileSearchXccccccccucuccu
ProfileViewXccucuccucucucucuccu
DeputyCreateXcs
DeputyDeleteXcs
PropertyAllowedValueCreateXcXX
PropertyAllowedValueDeleteXcXX
PropertyAllowedValueModifyXcX
PropertyAllowedValueSearchXcXXXXXXXXcc
PropertyAllowedValueViewXcXXXXXcc
PropertyAttributeAccessOverrideXc
PropertyCreateXcXX
PropertyDeleteXcXX
PropertyModifyXcXX
PropertySearchXcXXXXXXXXXcc
PropertyValueCreateXcXXc
PropertyValueDeleteXcXXc
PropertyValueModifyXcXXc
PropertyValueSearchXcXXXXXXXXcc
PropertyValueViewXcXXXXXcc
PropertyViewXcXXXXXcc
RoleCreateXccca
RoleDeleteXccca
RoleModifyXccca
RoleSearchXcccccacaccacacc
RoleViewXccccccccacacc
SearchResultsExportXcXXXXXXcc
SelfAdminXcXXX
TemplateCreateXcXX
TemplateDeleteXcXX
TemplateModifyXcXX
TemplateStoreXcXXX
TemplateTextCreateXcXX
TemplateTextDeleteXcXX
TemplateTextModifyXcXX
TemplateTextViewXcXXX
TemplateViewXcXXX
TermsCreateXXX
TermsDeleteXXX
TermsModifyXXX
TermsViewXXX
UnitCreateXccucu
UnitCreateTopUnitXccu
UnitDeleteXccucu
UnitModifyXccucu
UnitSearchXccucuccucucucucuccu
UnitViewXccuccucucuc
UnitCredPolicyCreateXccc
UnitCredPolicyDeleteXccc
UnitCredPolicyViewXccc
UserArchiveXccucucu
UserCreateXccucucu
UserDeleteXccu
UserModifyXccucucucu
UserSearchXccccccccucucc
UserViewXccucucucucucucucuccu
UserCreateTechUserXc
UserModifyTechUserXc
UserDeleteTechUserXc
UserArchiveTechUserXc

Fine-grained permissions of nevisIDM roles

A nevisIDM role is mapped to a set of elementary rights, also called "elementary permissions". These rights determine the operations a user can execute.

Fine-grained permissions are an extension of the elementary rights and can be used to restrict an elementary right to specific attributes. For example, we can restrict the Helpdesk role to be able to modify only the user state but no other user attributes.

If no fine-grained permissions are defined, the user will be authorized for all attributes, without any restrictions. The nevisIDM roles do not contain any default fine-grained permissions; their definition is optional.

Configuration of fine-grained permissions

The fine-grained permissions are defined in the "rolesMapping.properties" configuration file. They have to be set in the format "ElementaryRight.Attribute", where "ElementaryRight" is the name of an elementary right, and "Attribute" is the name of the attribute to which we want to restrict the elementary right.

For example, if we want to restrict a nevisIDM role to be able to modify only the state of a user, the fine-grained permission "AccessControl.UserModify.state" has to be added to the configuration file.

*If a fine-grained permission for an elementary right is defined in the role configuration, the elementary right itself should not be listed. If a role configuration contains fine-grained permissions and the elementary right, the fine-grained permissions will be ignored.

For example: If the fine-grained permission "AccessControl.UserModify.state" is defined in the role configuration, the "AccessControl.UserModify" elementary right should not be listed. Otherwise, the fine-grained permission will be ignored, and the user modification will not be restricted to the state attribute.

Notes:

  • Fine-grained permissions are supported only for the "AccessControl.UserView" and "AccessControl.UserModify" elementary rights and for the following user attributes:

    loginIdmobiletemplate_collection
    extidaddressline1languageId
    clientaddressline2remarks
    statepostalcodevalidFrom
    firstNamecityvalidTo
    namecountryisTechnicalUser
    titlestreetstateChangedDate
    sexhouseNumberstateChangeReasonCd
    birthDatedwellingNumbestateChangeDetail
    emailpostOfficeBoxTextlastLogin
    telephonepostOfficeBoxNumberlastFailure
    telefaxlocality
  • Fine-grained permissions for properties with scope "onUserGlobal" can also be defined in the format "ElementaryRight.prop.PropertyName". For example: We have a property, called "userProperty" with scope "onUserGlobal" and we want to restrict the "AccessControl.UserModify" elementary right to this property. The rolesMapping.properties has to be extended with the "AccessControl.UserModify.prop.userProperty" fine-grained permission.

  • Fine-grained permissions are not supported for technical attributes like "ctlCreUid", "ctlCreDat", "ctlCreUid", "ctlModDat", "ctlModUid" and "ctlTcn".

Fine-grained permissions on the nevisIDM admin GUI

On the "User administration" view, the values of the attributes will be visible and modifiable depending on the fine-grained permissions.

Only the values of the attributes for which we have fine-grained permissions on the "AccessControl.UserView" elementary right will be visible, and only the attributes for which we have fine-grained permissions on the "AccessControl.UserModify" elementary right will be modifiable.

The fine-grained permissions are applied neither on the user search and user history views nor on the result of the user export and report.

Fine-grained permissions in the web services

The fine-grained permissions are also applied on the user-related web service operations. The result of a query operation will contain only the attributes for which we have fine-grained permissions on the "AccessControl.UserView" elementary right. The other attributes will not be returned by the query operations.

Also, only the attributes for which we have fine-grained permissions on the "AccessControl.UserModify" elementary right can be modified. Trying to modify an attribute the caller user does not have permission for will result in an exception with the error code "errors.insufficientFineGrainedRights".

The fine-grained permissions are applied to the following web service operations: queryUsers, getUsersByLoginIds, getUsersByExtIds, getUsersByProfileExtIds, getAuthorizers, updateUser.

The fine-grained permissions are not applied to the getHistoryOfUser web service operation.

Configuration example

Modify the Helpdesk nevisIDM role to be able to view all user attributes, but be able to modify only the state attribute.

By default, the Helpdesk role contains the "AccessControl.UserView" and "AccessControl.UserModify" elementary rights. Since the Helpdesk role should be able to view all user attributes, no fine-grained permission has to be defined for the "AccessControl.UserView" elementary right. We only have to define fine-grained permission for the "AccessControl.UserModify" elementary permission.

To change the Helpdesk role, the following steps have to be taken:

  • Open the "rolesMapping.properties" configuration file.
  • Remove the "AccessControl.UserModify" elementary right from the configuration of the Helpdesk role.
  • Add the "AccessControl.UserModify.state" fine-grained permission to the configuration of the Helpdesk role.
  • Restart nevisIDM.

Magic roles and special users

Magic roles

Some roles are called "magic roles". nevisIDM knows their names and handles them in a different way:

  • Role "SelfAdmin": Data room authorization is only valid for objects of the acting user.
  • Role "TechUser": Role without any privileges in nevisIDM. Used for checking in a SecurityRoleFilter in nevisProxy (like roles of other applications)

Special users

There is one particular exception from the roles above, which only applies to the user "nevisauth". This technical user is part of and protected by the nevisIDM ref-data and represents the component nevisAuth. If there are nevisIDM AuthStates configured in nevisAuth, these states will call nevisIDM web services with a secToken issued for the user "nevisauth". In nevisIDM, all authorization checks are disabled for this user to increase performance as an authentication back end of nevisAuth.

Privilege escalation of nevisIDM roles

To prevent users such as Helpdesk or UserAdmin from being able to change the password of a user with the role Root and thereby take the root user's privileges, restrictions are required. These restrictions define which role is required to edit another role. The definition of privilege escalation can be found in the configuration file "authorizationConfig.properties" ).

The figure below shows the role hierarchy. The permission to administrate a user is related to editing the user object itself as well as the attached profiles and credentials. The "can edit"-relation shown in the figure is transitive and is interpreted as follows:

  • Editing of a profile P is allowed if the actor's nevisIDM roles allow to edit all roles of the profile P.
  • Editing a user and his credentials is allowed if all profiles of the user can be edited.
Role hierarchy of nevisIDM (arrow means can edit)

As shown in the diagram, Helpdesk is able to assume control over the accounts of (Main) AppOwner and/or UserAdmin because Helpdesk users can edit credentials. Helpdesk is therefore a powerful role, and users with this role should be instructed accordingly.

The described restrictions do not apply to the assignment of roles. An AppOwner, for example, can assign/revoke applications to/from all users (even to/from a root user). Only roles that one is allowed to assign can be revoked. Due to this rule, it is not possible to revoke the roles AppAdmin or Helpdesk unless that user has the role root.