...
From here, those resource assignments are then provisioned to the CoreOne Authentication Service. During provisioning, assignment context and other transformations can be applied; with those transformations, application-specific information can be added. Whenever a user then authenticates for a given application, the provisioned resource assignments are exposed to the application as part of the access token, either through the roles claim or through the roles_with_context claim. The latter is used whenever a resource assignment has a context. For example, someone has the right to submit taxes for the company ITSENSE; the company ITSENSE represents the context.
...
Property | Data Type | Example | Description
---|---|---|---
$type | String | iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server | Identifies the type of the object
username | String | peter@pan.de | The username of the user that holds the permission
userId | String | 17175 | The userId of the user that holds the permission
application | String | trusteeApp | The name of the application to which the permission belongs
contextType | String | User | Defines the context type as documented here; the examples on this page use User and OrganizationUnit
contextObjectIdentifier | String | 17175 | The identifier of the context object. In this case, the internal ID of the organization unit / company. Note that you can transform this data with a context transformation.
Use Cases
For our use cases we have a trustee management app, where a user can add, remove and approve bills. So the application has three rights: add, remove and approve.
Read who has rights for a user
If you would like to read who is representing a specific user (Peter Pan, 17175), you can perform the following query:
```
{authentication service url}/api/permission?contextType=User&contextObjectIdentifier=17175&application=trusteeApp
```
Property | Data Type | Example | Description
---|---|---|---
contextType | String | User | Set this to User
contextObjectIdentifier | String | 17175 | This depends on how the user is stored. By default it is the user id, but if a token transformation has been applied, this might also be the user's email or any other unique attribute.
application | String | trusteeApp | The name of the application to which the permissions have to belong
Example result
```json
[
  {
    "$type": "iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server",
    "username": "peter@pan.de",
    "userId": 17175,
    "role": "TrusteeApp_AddBill",
    "application": "trusteeApp",
    "contextType": "User",
    "contextObjectIdentifier": "17175"
  },
  {
    "$type": "iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server",
    "username": "peter@pan.de",
    "userId": 17175,
    "role": "TrusteeApp_RemoveBill",
    "application": "trusteeApp",
    "contextType": "User",
    "contextObjectIdentifier": "17175"
  },
  {
    "$type": "iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server",
    "username": "peter@pan.de",
    "userId": 17175,
    "role": "TrusteeApp_ApproveBill",
    "application": "trusteeApp",
    "contextType": "User",
    "contextObjectIdentifier": "17175"
  },
  {
    "$type": "iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server",
    "username": "max@dax.ch",
    "userId": 17173,
    "role": "TrusteeApp_AddBill",
    "application": "trusteeApp",
    "contextType": "User",
    "contextObjectIdentifier": "17175"
  }
]
```
Notice that the first three entries are the permissions the user holds himself, and the fourth one is another person who received the right to add bills in Peter's name via delegation.
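To show how a client would build such a query and tell the user's own permissions apart from delegated ones, here is an added example (not part of the original page or the CoreOne product). The base URL and the helper names are assumptions; the response is a constructed copy of the result above with the $type field omitted.

```python
import json
from urllib.parse import urlencode

# Constructed sample, shaped like the page's example result for
# contextType=User&contextObjectIdentifier=17175&application=trusteeApp
SAMPLE_RESPONSE = json.dumps([
    {"username": "peter@pan.de", "userId": 17175, "role": "TrusteeApp_AddBill",
     "application": "trusteeApp", "contextType": "User", "contextObjectIdentifier": "17175"},
    {"username": "peter@pan.de", "userId": 17175, "role": "TrusteeApp_RemoveBill",
     "application": "trusteeApp", "contextType": "User", "contextObjectIdentifier": "17175"},
    {"username": "peter@pan.de", "userId": 17175, "role": "TrusteeApp_ApproveBill",
     "application": "trusteeApp", "contextType": "User", "contextObjectIdentifier": "17175"},
    {"username": "max@dax.ch", "userId": 17173, "role": "TrusteeApp_AddBill",
     "application": "trusteeApp", "contextType": "User", "contextObjectIdentifier": "17175"},
])


def permission_query_url(base_url, application, **filters):
    """Build the /api/permission URL (hypothetical helper). urlencode takes
    care of application names containing spaces and of subjects like c1s:17173,
    which must not be pasted into the query string raw."""
    params = {"application": application, **filters}
    return base_url.rstrip("/") + "/api/permission?" + urlencode(params)


def split_own_and_delegated(response_text, context_type, context_object_identifier):
    """Separate the roles the context owner holds himself from roles delegated
    to other users. For a User context the owner is the entry whose userId
    equals the contextObjectIdentifier (the default identifier; a context
    transformation may change what that identifier is)."""
    own, delegated = [], []
    for p in json.loads(response_text):
        # Only accept entries for the context that was actually requested.
        if (p["contextType"] != context_type
                or p["contextObjectIdentifier"] != context_object_identifier):
            continue
        if context_type == "User" and str(p["userId"]) == context_object_identifier:
            own.append(p["role"])
        else:
            delegated.append((p["username"], p["role"]))
    return own, delegated
```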
Read who represents a company
If you would like to read who is representing a specific company, you can perform the following query:
```
{authentication service url}/api/permission?contextType=OrganizationUnit&contextObjectIdentifier=5445&application=trusteeApp
```
Property | Data Type | Example | Description
---|---|---|---
contextType | String | OrganizationUnit | Set this to OrganizationUnit
contextObjectIdentifier | String | 5445 | This depends on how the organization is stored. By default it is the organization unit id, but if a token transformation has been applied, this might also be the company's UID or any other unique attribute.
application | String | trusteeApp | The name of the application to which the permissions have to belong
Example result
```json
[
  {
    "$type": "iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server",
    "username": "max@dax.ch",
    "userId": 17173,
    "role": "TrusteeApp_AddBill",
    "application": "trusteeApp",
    "contextType": "OrganizationUnit",
    "contextObjectIdentifier": "5445"
  },
  {
    "$type": "iTsense.CoreLogin2.Server.API.Models.PermissionApiDto, iTsense.CoreLogin2.Server",
    "username": "max@dax.ch",
    "userId": 17173,
    "role": "TrusteeApp_Approver",
    "application": "trusteeApp",
    "contextType": "OrganizationUnit",
    "contextObjectIdentifier": "5445"
  }
]
```
Read which other entities a user represents
If you would like to read whom a user is representing, you can perform the following query:
```
{authentication service url}/api/permission?application=Trustee Test Application&userSubject=c1s:17173
```
Property | Data Type | Example | Description
---|---|---|---
application | String | Trustee Test Application | The name of the application to which the permissions have to belong
userSubject | String | c1s:17173 | The subject of the user. This is usually used when the user is logged in, so the subject can be taken directly from the token.