ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Redundancy of adding role id for each permission under Advanced XACML Rule #280

Open hebbarguru2 opened 2 years ago

hebbarguru2 commented 2 years ago

I'm trying to use Keyrock + Wilma + Authzforce for the security of FIWARE APIs. After creating a new role under a given application and creating a new permission for the created role, why is it necessary to add the role id manually in the XACML? Shouldn't the workflow be that, for a role, there will be a set of permissions, and hence role ids are redundant to set for each permission manually? Example: Application Fiware-test with appid (App-1234)

In the above example, if the role id is not mentioned in the XACML then any user with a valid token can access the resource mentioned above. But since the permission GetCompany1Entities is under the Company1User role, shouldn't the permission be automatically assigned to users with the Company1User role?
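For readers who have not seen the generated policy, here is an added illustration (not from the issue and not the Keyrock project's own template) of a minimal XACML 3.0 rule in the shape Keyrock pushes to Authzforce, marking the one Match that carries the role id. The attribute ids for role, resource and action are assumed from the Keyrock/Wilma conventions, `ROLE_ID_PLACEHOLDER` stands for the real role id (not given in the issue), and the `/v2/entities` path is a constructed sample.

```xml
<!-- Added illustration, not the project's template. Attribute ids are assumed;
     ROLE_ID_PLACEHOLDER is a placeholder for the role id the issue refers to. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="App-1234"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
        Version="1.0">
  <Target/>
  <Rule RuleId="GetCompany1Entities" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <!-- This is the Match the issue is about. Drop it and the rule is satisfied
               by any subject the PEP (Wilma) forwards, i.e. any holder of a valid
               token for the application, because deny-unless-permit only needs one
               Permit rule to match. -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_ID_PLACEHOLDER</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                 AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <!-- Resource: constructed sample path; the regex is the first argument. -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^/v2/entities.*</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
          <!-- Action: the HTTP verb forwarded by the PEP. -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
```

When reviewing an advanced rule, the check is simply whether every Permit rule carries a subject-role Match; a rule with only resource and action matches grants the resource to every authenticated user of the application.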

SBlechmann commented 2 years ago

Hey there,

I have the same question. When you create a permission you have to state a roleID in the permission. To me, that does not make any sense since the permissions should stand for themselves and roles should rather comprise a set of permissions.