
NAM Open Lab 5: Setting Up RBAC

Novell Cool Solutions: AppNote
By Chris Van Den Abbeele


Posted: 14 Mar 2007
 

Introduction

In this Lab we will set up two roles and allow access to certain web pages based on those roles. Users with the "Accounting" role will have access to the /payroll website, and users with the "Sales" role will have access to the /sales website.

Utopia4-SIM uses the OU attribute of the user object (in eDirectory) to store the department the user works in. If the content of this attribute is "Accounting", we will assign the user the "Accounting" role. If the content is "Sales", we will assign the user the "Sales" role.

Requirements

This Open Lab builds on:

  • Open Lab 1: Installing All_on_one - http://www.novell.com/coolsolutions/feature/18441.html
  • Open Lab 2: Setting up test/demo websites - http://www.novell.com/coolsolutions/appnote/18605.html
  • Open Lab 3: Configuring the Identity Server - http://www.novell.com/coolsolutions/appnote/18606.html
  • Open Lab 4: Basic configuration of the Access Gateway - http://www.novell.com/coolsolutions/appnote/18691.html

How Access Manager Handles Protected Resources

Access Manager grants users access to protected resources based on their roles. This is handled by Authorization Policies, which are executed on the Access Gateway. After creation, they must be enabled on the protected resources of the Access Gateway. It is a common mistake, when learning Access Manager, to forget to enable the authorization policy on the protected resources.

Users can get roles based on the value of an attribute of the user object, including group membership. This is handled by Roles Policies, which are executed on the Identity Server. After creation, they must be linked to the Identity Server. It is a common mistake, when learning Access Manager, to forget to activate the Roles on the Identity Server.

Creating the Role

Step 1: Enable the Identity Server to pass through the ou attribute using the SAML/Liberty standards. By default, the Identity Server does not "see" this attribute, so we have to activate it.

1. In Access Manager, go to Identity Servers > Setup > Custom Attributes (on the right in the menu bar).

2. Under LDAP Attribute Names, click New and type "ou".

3. Click OK.

Step 2: Create the roles.

1. In Access Manager, go to Policies > New.

2. Set the Name as "R_sales_role". It is best practice to use some standardized naming convention for policies, as indicated in Figure 7:

II = Identity Injection policies
A_ = Authorization policies
FF = Form Fill policies
R_ = Roles policies
JE = Java agent EJB Authorization policies
JW = Java agent Web Authorization policies

3. In the Type dropdown box, select "Identity Server: Roles".

Figure 1 - Selecting the Type

4. Click OK.

5. Set up Condition Group 1 as follows:

if: New -> LDAP Attribute
LDAP Attribute: OU
Comparison: String: Contains Substring
Mode: Case Insensitive
Value: Data Entry Field: sales

6. Click OK twice.

7. Click Apply Changes.

8. In Actions, under Do, select Activate Role and set the role to "R_sales_role".

Figure 2 - Setting the Do Activate Role

9. Click OK twice.

10. Click Apply Changes.

11. Use the steps above as a guide to set up the Accounting role.

Step 3: Assign the roles to the IDP. Users authenticate to the IDP server, and it is the IDP that assigns the roles.

1. Go to Access Manager > Identity Servers > utopia-IDPa.

2. Click the General tab.

3. Check both roles.

Figure 3 - Selecting the Sales and Accounting roles

4. Click Enable.

5. To update the Identity Servers, go to Access Manager > Identity Servers. Click the Setup tab and select Update Servers.

Step 4: Set up an authorization policy

Now that the Roles are defined, we can work on the Access Control part of RBAC.

1. In Access Manager, go to Policies > New.

2. Set up the Access Control information as follows:

Name: A_Sales_only
Type: Access Gateway: Authorization
Condition Group 1: New
if: Roles for Current User
Comparison: String: Equals
Mode: Case Insensitive

3. Set the Data Entry Field value to "R_sales_role".

Figure 4 - x

4. In Actions, set the Do value to "Permit".

5. Click OK.

6. Under the Rule List, select New (we make a second Rule in the same Policy). Note that the Priority has now changed to 10.

7. Set values as follows:

Conditions: none (no conditions)
Actions: Do: Deny
Deny Message: only for Sales

Note that this second rule is important. Without it, everyone would still have access to the Sales pages: a request that matches no rule is permitted. In Access Manager you therefore have to "block access" explicitly, rather than only "allow access" as you would on a firewall.

Figure 5 - Rules for "A_Sales_only" policy

8. Click OK twice.

9. Click Apply Changes.

10. Click OK on the pop-up and Update Identity Servers.

11. Use the steps above as a guide to create an Authorization for Accounting.

Step 5: Configure the Protected Resources with RBAC

1. In Access Manager, go to Access Gateways > Edit > Utopia > Utopia.

2. Click the Protected Resources tab.

3. On the Protected Resource List, select New.

4. Set the Name to "Sales Pages".

5. Under URL Path List, replace the "/*" with "/sales/*".

6. Set the Contract to "Name/Password - Form".

Figure 6 - Setting the Contract

7. Click OK.

8. On the Protected Resource List, click the Authorization tab.

9. Click [None] (on the line of Sales_Pages).

10. Check: "A_Sales_only".

11. Click Enable, then click OK.

12. Use the steps above as a guide to set up Accounting as a protected resource.

Note on the URL Path List of a Protected Resource in the Access Gateway: "/sales*" and "/sales/*" are both accepted, but they match different URLs, so the result is different. For the payroll resource, use "/payroll*" and not "/payroll/*" (the test page is /payroll.html).
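To make the behaviour of the three pieces configured above concrete, here is a small model of the lab's RBAC set-up: the roles policies of Step 2 (evaluated at the Identity Server), the two-rule authorization policies of Step 4 and the protected resources of Step 5 (evaluated at the Access Gateway). It is an added example, not code from the AppNote or from Access Manager. The names R_accounting_role and A_Accounting_only are assumed (the lab only says to create them "as above"), the user directory is constructed from the users named in the testing section, and ablake's department is assumed.

```python
"""Model of the lab's RBAC configuration (added example, not Novell code)."""
from fnmatch import fnmatchcase

# Roles policies (Identity Server), Step 2: activate the role when the LDAP
# attribute contains the substring, case insensitive.
ROLE_POLICIES = [
    # (role to activate, LDAP attribute, substring)
    ("R_sales_role", "ou", "sales"),
    ("R_accounting_role", "ou", "accounting"),   # policy name assumed
]

# Authorization policies (Access Gateway), Step 4. Rules are tried in priority
# order and the first matching rule wins; a rule without a condition always
# matches, which is what makes the trailing Deny rule work.
AUTHZ_POLICIES = {
    # policy name: [(required role or None, action, deny message)]
    "A_Sales_only": [
        ("R_sales_role", "Permit", None),
        (None, "Deny", "only for Sales"),
    ],
    "A_Accounting_only": [                        # policy name assumed
        ("R_accounting_role", "Permit", None),
        (None, "Deny", "Accounting Only"),
    ],
}

# Protected resources, Step 5: URL path pattern -> authorization policy.
# /payroll* rather than /payroll/* because the test page is /payroll.html.
PROTECTED_RESOURCES = [
    ("/sales/*", "A_Sales_only"),
    ("/payroll*", "A_Accounting_only"),
]

# Constructed directory: departments of the Utopia users named in the lab.
# ablake's department is not stated in the lab and is assumed here.
USERS = {
    "fstats": {"ou": "Accounting"},
    "jkelley": {"ou": "Accounting"},
    "eeuro": {"ou": "Sales"},
    "achung": {"ou": "Sales"},
    "ablake": {"ou": "Engineering"},
}


def assign_roles(attributes):
    """Identity Server side: roles activated for a user's LDAP attributes."""
    roles = set()
    for role, attr, needle in ROLE_POLICIES:
        value = attributes.get(attr, "")
        if needle.lower() in value.lower():   # Contains Substring, case insensitive
            roles.add(role)
    return roles


def path_matches(path, pattern):
    """Wildcard match of a request path against a URL Path List entry."""
    return fnmatchcase(path, pattern)


def match_resource(path):
    """Policy of the first protected resource matching the path, or None."""
    for pattern, policy in PROTECTED_RESOURCES:
        if path_matches(path, pattern):
            return policy
    return None


def evaluate_rules(rules, roles):
    """Access Gateway side: walk the rule list in priority order.
    'Roles for Current User' is compared with String: Equals, case insensitive."""
    have = {r.lower() for r in roles}
    for required_role, action, message in rules:
        if required_role is None or required_role.lower() in have:
            return action, message
    # No rule matched: access is permitted. This is why the lab's second,
    # unconditional Deny rule is needed.
    return "Permit", None


def authorize(path, roles):
    """Decision (action, deny message) for a request path and a user's roles."""
    policy = match_resource(path)
    if policy is None:
        return "Permit", None                  # not a protected resource
    return evaluate_rules(AUTHZ_POLICIES[policy], roles)


def run_lab_test():
    """Replay the 'Testing Role-Based Access' section for every user."""
    results = {}
    for user, attrs in USERS.items():
        roles = assign_roles(attrs)
        for path in ("/index.php", "/sales/index.php", "/payroll.html"):
            results[(user, path)] = authorize(path, roles)
    return results
```

Calling `evaluate_rules` with only the Permit rule (no trailing Deny) returns Permit for a user without the role, which is the misconfiguration the note above warns about; `path_matches("/payroll.html", "/payroll/*")` is false while `path_matches("/payroll.html", "/payroll*")` is true, which is why the payroll resource uses the shorter pattern.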

Testing Role-Based Access

1. Remember to apply the changes on the Access Gateways and to Update Servers on the Identity Servers.

2. Browse (from a second user) to www.utopia.com

3. Log in (e.g., ablake/novell). You should get access.

4. Go to www.utopia.com/sales/index.php, and you should get "Only for Sales".

5. Go to www.utopia.com/payroll.html, and you should get "Accounting Only".

If you have linked your setup to the Utopia-Sim-core server, then you can leverage existing users and departments they are in. If you are working in stand-alone mode, then you should create some users first and fill their Department attribute (called "OU" in LDAP) with "Sales" or "Accounting".

For example, Utopia users "fstats" and "jkelley" are in accounting and should get access to the Payroll page. Users "eeuro" and "achung" are in sales (all passwords are "novell"). Note that the sales page requires basic authentication. We will enable single sign-on in the next lab.

Troubleshooting

1. Make sure that all the policies are assigned either to the IDP or to the AG (depending on the type of policy). In Access Manager, go to Policies and check "Used By". This should not be empty (unless you want it to be).

Figure 7 - Viewing Access Manager policies

2. Also check Comparison Mode (case sensitivity) where "LDAP attributes" are compared, or where "Roles of Current User" are compared.

Enhancements

You can update the test website to show not only the Welcome name but also the roles of the current user.

Figure 8 - Showing the Welcome name and user roles

The best way to do this is:

1. Make a copy of the web pages and then modify the copy:

cp -r /srv/www/htdocs/sales /srv/www/htdocs/engineering

2. Edit "/srv/www/htdocs/engineering/index.php" according to the example at the end of this document.

The following changes have been made:

<?php
$headers = apache_request_headers();
foreach ($headers as $header => $value) {
    // The Access Gateway injects the roles of the current user in the X-Role
    // header (Identity Injection policy, set up below). Header names are case
    // insensitive, and the value is escaped before it is written into the page.
    if (strcasecmp($header, "X-Role") == 0) {
        echo "<b>Your roles are : " . htmlspecialchars($value) . "</b>";
    }
    // echo htmlspecialchars("$header:$value") . "<br/>\n";   // uncomment to list all headers
}
?></div>

Next, you need to make the logout URL shortcut work.

3. To find the logout URL for your environment, go to Access Manager > Access Gateways > Edit. Then click Reverse Proxy / Authentication.

4. Create a protected resource on the Access Gateway for this new URL.

Now you need to create an Identity Injection policy that injects the roles of current user in the X-Role custom header variable (Identity Injection Policies are explained in the next lab).

Figure 9 - Creating an Identity Injection policy

5. On the "/engineering/*" protected resource, activate the Identity Injection policy.

6. Set up an Identity Injection Policy for this protected resource.

The adapted "engineering/index.php" code is as follows:

<html>
<head>
<title>Digital Airlines Sales</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<!-- ImageReady Slices (digital_airlines_sales.psd) -->
<div style="position:absolute; left:300px; top:42px; color:#cc0000; font: bold 14px arial">
<?php
// Headers injected by the Access Gateway (Identity Injection policy):
// X-Name carries the user's name, X-Role the roles of the current user.
// Header names are case insensitive; values are escaped before output.
$headers = apache_request_headers();
echo "<b>Welcome to Engineering </b>";
foreach ($headers as $header => $value) {
    if (strcasecmp($header, "X-Name") == 0) {
        echo "<b>, " . htmlspecialchars($value) . " </b>";
    }
}
?>
<br>
<?php
foreach ($headers as $header => $value) {
    if (strcasecmp($header, "X-Role") == 0) {
        echo "<b>Your roles are : " . htmlspecialchars($value) . "</b>";
    }
    // echo htmlspecialchars("$header:$value") . "<br/>\n";   // uncomment to list all headers
}
?></div>
<table id="Table_01" width="747" height="210" border="0" cellpadding="0" cellspacing="0">
	<tr>
		<td>
			<a href="index.php"><img src="images/sales_01.gif" alt="" width="288" height="71" border="0"></a></td>
		<td>
			<a href="http://www.utopia.com:80/nesp/app/plogout"><img src="images/sales_02.gif" width="456" height="71" alt=""></a></td>
	</tr>
	<tr>
		<td colspan="2">
		<div style="position:absolute; left:30px; top:100px; color:#cc0000; font: bold 24px arial">
			<b>Engineering site</b></div></td>
	</tr>
	<tr>
		<td colspan="2">
			<img src="images/sales_05.gif" width="747" height="35" alt=""></td>
	</tr>
</table>
<!-- End ImageReady Slices -->
</body>
</html>



© 2014 Novell