Authorization permission checks
The table in this section describes administrative operations and corresponding authorization permissions. The information in the table assumes that:
- No ACLs are attached to delegation protected objects under /Management/Groups except to take advantage of delegated user and group management.
- All delegation protected objects under /Management/Groups inherit the same ACL that /Management/Groups uses. It is therefore not necessary to verify whether each group has protected objects of its own; verifying /Management/Groups is sufficient.
- {adminid} is the account that is requesting the administration operation.
Each entry below gives the administrative operation, the ACL permission bit it requires, and how the permission is verified.

- RgyRegistry.createUser({groups})
  Permission: "N"
  Verification: If no group is specified, check permission on /Management/Users. Otherwise, check permission on /Management/Groups.

- RgyUser.importNativeUser({group})
  Permission: "N"
  Verification: If the specified group {group} does not exist, check permission on /Management/Users. Otherwise, check permission on /Management/Groups.

- RgyUser.attributeAdd(), RgyUser.attributeDelete(), RgyUser.AttributeReplace() for user {userid}, for all attributes except secAcctValid and secPwdValid
  Permission: "m"
  Verification: Check permission on /Management/Users. If not permitted there: if {userid} has no group membership, deny access; otherwise, check permission on /Management/Groups.

- RgyUser.attributeAdd(), RgyUser.attributeDelete(), RgyUser.AttributeReplace() for user {userid}, for the attributes secAcctValid and secPwdValid
  Permission: "m"
  Verification: If {userid} is the same as {adminid}, deny access. Otherwise, check permission on /Management/Users. If {userid} has no group membership, deny access. Otherwise, check permission on /Management/Groups.

- RgyUser.setPassword() for user {userid}
  Permission: "W"
  Verification: If {userid} is the same as {adminid}, permit access. Otherwise, check permission on /Management/Users. If {userid} has no group membership, deny access. Otherwise, check permission on /Management/Groups.

- RgyRegistry.deleteUser({userid})
  Permission: "d"
  Verification: If {userid} is the same as {adminid}, deny access. Otherwise, check permission on /Management/Users. If {userid} has no group membership, deny access. Otherwise, check permission on /Management/Groups.

- RgyUser.listGroups(), RgyUser.listNativeGroups()
  Permission: (none)
  Verification: The permission check performed for RgyRegistry.getUser() is sufficient. Permit access.

- RgyRegistry.getUser({userid})
  Permission: "v"
  Verification: If {userid} is the same as {adminid}, permit access. Otherwise, check permission on /Management/Users. If {userid} does not belong to a group, deny access. Otherwise, check permission on /Management/Groups.

- RgyRegistry.getNativeUser({dn})
  Permission: "v"
  Verification: Map the distinguished name {dn} to the user {userid}. If no mapping exists, permit. If a mapping exists, check permission on /Management/Users. If {userid} has no group membership, check permission on /Management/Users.

- RgyUser.getAttributeValues(), RgyUser.getOneAttributeValue() for all non-policy attributes
  Permission: (none)
  Verification: The permission check performed for RgyRegistry.getUser() is sufficient. Permit access.

- RgyRegistry.listUsers(), RgyRegistry.listNativeUsers()
  Permission: (none)
  Verification: Permit. Delegation affects the operation results; see the follow-up table.

- RgyRegistry.createGroup()
  Permission: "N"
  Verification: Check permission on /Management/Groups.

- RgyRegistry.deleteGroup()
  Permission: "d"
  Verification: Check permission on /Management/Groups.

- RgyGroup.importNativeGroup()
  Permission: "N"
  Verification: Check permission on /Management/Groups.

- RgyRegistry.listGroups(), RgyRegistry.listNativeGroups()
  Permission: (none)
  Verification: Permit. Delegation affects the operation results; see the follow-up table.

- RgyGroup.addMembers()
  Permission: "A"
  Verification: Check permission on /Management/Groups.

- group modify {groupid} description
  Permission: "m"
  Verification: Check permission on /Management/Groups.

- RgyGroup.removeMembers()
  Permission: "A"
  Verification: Check permission on /Management/Groups.

- RgyRegistry.getGroup()
  Permission: "v"
  Verification: Check permission on /Management/Groups.

- RgyRegistry.getNativeGroup({dn})
  Permission: "v"
  Verification: Map the distinguished name {dn} to the group {groupid}. If no mapping exists, permit. Otherwise, check permission on /Management/Groups.

- RgyGroup.listMemberIds(), RgyGroup.listMemberNativeIds()
  Permission: "v"
  Verification: Check permission on /Management/Groups.

- RgyUser.getAttributeValues(), RgyUser.getOneAttributeValue() for all policy attributes
  Permission: (none)
  Verification: This API performs no additional permission check; the check is completed when the user is fetched with RgyRegistry.getUser(). This differs from the regular Security Verify Access API, which checks for the permission IVACTION_VIEW "v" on /Management/Policy.

- RgyUser.attributeAdd(), RgyUser.attributeDelete(), RgyUser.AttributeReplace() for all policy attributes
  Permission: "m"
  Verification: Check permission on /Management/Groups.
When you use the Registry Direct Java API, you must fetch a user before you can modify it. An administrator who is to modify either a user or a group therefore needs both view permission (v) and modify permission (m).
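The following Python model encodes the decision rules above so that the effect of a given ACL layout can be checked before it is deployed. It is an added example, not code from the Registry Direct Java API or from IBM: the protected-object names and permission letters are the ones in the table, but the ACL entries, principals (sec_master, helpdesk, grp_admin) and user entries (alice, bob) are constructed, and the "fetch before modify" rule is modelled by requiring the getUser check ("v") to pass before any "m" check. Policy attributes are distinguished by an `is_policy` flag because the page names none of them.

```python
# Added example: a model of the permission table for the Registry Direct Java API.
# Not product code; ACLs, principals and users below are constructed for illustration.

USERS_OBJ = "/Management/Users"
GROUPS_OBJ = "/Management/Groups"

# Constructed ACLs: protected object -> principal -> permitted action letters.
ACLS = {
    USERS_OBJ: {"sec_master": set("NmWdv"), "helpdesk": set("vW")},
    GROUPS_OBJ: {"sec_master": set("NmWdvA"), "grp_admin": set("vmA")},
}

# Constructed registry: userid -> groups the user belongs to.
USERS = {
    "sec_master": [],
    "alice": ["staff"],
    "bob": [],  # no group: only the /Management/Users ACL can authorise operations on bob
}

ACCOUNT_VALIDITY_ATTRS = {"secAcctValid", "secPwdValid"}


def acl_permits(obj: str, principal: str, action: str) -> bool:
    """Look up one action letter for one principal on one protected object."""
    return action in ACLS.get(obj, {}).get(principal, set())


def users_then_groups(adminid: str, userid: str, action: str) -> bool:
    """The recurring pattern in the table: check /Management/Users first; if that does
    not permit, deny when the target has no group membership, otherwise fall back to
    /Management/Groups (delegated user management)."""
    if acl_permits(USERS_OBJ, adminid, action):
        return True
    if not USERS.get(userid):
        return False
    return acl_permits(GROUPS_OBJ, adminid, action)


def can_create_user(adminid: str, groups: list) -> bool:
    """RgyRegistry.createUser({groups}): "N" on Users when no group is given, else on Groups."""
    return acl_permits(GROUPS_OBJ if groups else USERS_OBJ, adminid, "N")


def can_get_user(adminid: str, userid: str) -> bool:
    """RgyRegistry.getUser({userid}): "v"; an administrator may always fetch their own entry."""
    if adminid == userid:
        return True
    return users_then_groups(adminid, userid, "v")


def can_set_password(adminid: str, userid: str) -> bool:
    """RgyUser.setPassword(): "W"; changing one's own password needs no ACL check."""
    if adminid == userid:
        return True
    return users_then_groups(adminid, userid, "W")


def can_delete_user(adminid: str, userid: str) -> bool:
    """RgyRegistry.deleteUser({userid}): "d"; an administrator can never delete themselves."""
    if adminid == userid:
        return False
    return users_then_groups(adminid, userid, "d")


def can_modify_attribute(adminid: str, userid: str, attr: str, is_policy: bool = False) -> bool:
    """RgyUser.attributeAdd/Delete/Replace(): "m". The user must be fetched first, so the
    getUser check ("v") must pass as well. secAcctValid/secPwdValid can never be changed on
    one's own account; policy attributes are checked on /Management/Groups only."""
    if attr in ACCOUNT_VALIDITY_ATTRS and adminid == userid:
        return False
    if not can_get_user(adminid, userid):
        return False
    if is_policy:
        return acl_permits(GROUPS_OBJ, adminid, "m")
    return users_then_groups(adminid, userid, "m")


if __name__ == "__main__":
    # grp_admin holds "v" and "m" only on /Management/Groups, so it can manage alice
    # (who has a group) but not bob (who has none).
    print("grp_admin -> alice mail:", can_modify_attribute("grp_admin", "alice", "mail"))
    print("grp_admin -> bob mail:  ", can_modify_attribute("grp_admin", "bob", "mail"))
    print("sec_master self delete: ", can_delete_user("sec_master", "sec_master"))
```

The model makes two properties of the table easy to see: a principal whose permissions live only on /Management/Groups can never act on a user with no group membership, and the self-referential rules are not uniform (setting your own password is always permitted, deleting yourself or toggling your own secAcctValid/secPwdValid is always denied).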