How-To: Access Requests & Approvals in WSO2 Identity Server
Coarse-grained Authorization Fused with Approval Workflows
Introduction
“Access requests” and “access approvals” are key features in most access governance solutions. Access requests allow access to resources to be requested for users. Access requests can either be made by administrators on behalf of users or they can be made by the users themselves. The second type of access requests are known as “self-service access requests”. Access approvals refer to the subsequent process of granting access to the requested resources. Access approvals can either be automated or require manual administrative action.
Though WSO2 Identity Server doesn’t advertise “access requests” and “access approvals” as first-class features, it possesses a powerful authorization framework that can do coarse-grained authorization for applications and a very extensible workflow management capability.
In this post, I will be discussing how WSO2 Identity Server can support access requests and access approvals for applications by fusing the above two powerful capabilities it possesses.
Requirements
The problem of “access requests” and “access approvals” can be broken down into the following requirements:
- Ability to enforce a coarse-grained authorization policy for a given application, that prevents all users from getting access by default.
- Ability to express a coarse-grained authorization policy for a given application, that selectively allows users to access the application based on a condition.
- Ability to define the condition in the authorization policy based on a variable.
- Ability to modify the value of the variable.
- Engage an approval workflow for the modification of the variable value.
Solution
Requirements 1–3 can be solved using a coarse-grained authorization policy in XACML 3.0, that provides role-based authorization for log-in [1].
Sample XACML 3.0 Policy
The following policy enforces coarse-grained authorization for the “Pickup-Manager” [1] application based on “pickup-manager-log-in” role.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="pickup_manager_coarse_grained_authz_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>This is a coarse-grained authorization policy for Pickup-Manager. This policy authorizes users in pickup-manager-log-in role to log-in to Pickup-Manager. All other users are denied log-in to Pickup-Manager</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Pickup-Manager</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pickup-manager-log-in</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
When the above policy is enforced, if you try to log-in using an account that is not in the “pickup-manager-log-in” role, you would receive the following an authorization failure.
If the variable is chosen as role, then requirement 4 can be easily catered either via management console or SCIM 2.0 Groups endpoint.
Requirement 5 can be solved by engaging a multi-level/multi-option approval workflow for the user role assignment operation [2,3,4].
The level of access approval capability that I’ve described here, is what you would get out-of-the-box in WSO2 Identity Server as of the latest version — 5.10.0. However, if you are interested in getting further customization capabilities for the workflow, then you could explore the option of integration WSO2 Identity Server with an externally deployed WSO2 Business Process Server (BPS) [5].
References
[1] https://is.docs.wso2.com/en/5.10.0/learn/configuring-oauth2-openid-connect-single-sign-on/
[3] https://is.docs.wso2.com/en/5.10.0/learn/configuring-access-control-policy-for-a-service-provider/
[4] https://medium.com/@johann_nallathamby/wso2-iam-workflows-ee5914868a43
[5] https://is.docs.wso2.com/en/latest/learn/workflow-management/
[6] http://cdwijayarathna.blogspot.com/2016/04/making-use-of-wso2-identity-servers.html
[7] https://www.yenlo.com/blog/advanced-bpmn-workflows-in-wso2-identity-server