AdminUI Cedarling Authorization Design
This document defines a Cedar-based fine-grained authorization architecture for the Admin UI. It is modeled on the Gluu AdminUI Cedarling Authorization Design and expands it into a practical implementation plan: schema, roles, resources, policy patterns, evaluation flows, and examples.
```mermaid
graph LR
    %% Style definitions
    classDef green fill:#d5f0d5,stroke:#000,stroke-width:1px;
    classDef yellow fill:#fff2cc,stroke:#000,stroke-width:1px;
    classDef blue fill:#d9e8fb,stroke:#000,stroke-width:1px;
    classDef orange fill:#f9d5b3,stroke:#000,stroke-width:1px;

    %% Top level actors
    AUI -.->|Access APIs| CAB
    U["👥 Users"] -.->|Access components| AUI
    AD["👤 Admin"] -.->|Enable cedarling<br/>Add Policy store URL| CCP
    AD -.->|Manage policy store<br/>edit/delete schema| PA

    %% Admin UI Frontend
    subgraph AUI[Admin UI Frontend]
        CCP[Cedarling Config Page]
        CC[Cedarling Client<br/>- authz user request]
    end
    class AUI green

    %% Config API Backend
    subgraph CAB[Config API Backend]
        CCB[Cedarling Client<br/>- authz user request]
    end
    class CAB yellow

    %% Policy Authoring
    subgraph PA[Policy Authoring]
        ALPD[🧩 Agama Lab Policy Designer]
        GHR[💾 GitHub Repository]
        ALPD -.-> GHR
    end
    class PA blue

    %% Lock
    L["🔒 Lock"]
    class L orange

    %% Connections between UI & Backend
    CC -.->|Send Audit data| L
    CCB -.->|Send Audit Data| L

    %% Policy store fetch
    CCB -.->|Fetch policy store| GHR
    CC -.->|Fetch policy store| GHR
```
https://github.com/JanssenProject/jans/wiki/Protect-Config-API-using-Cedarling
These are the kinds of principals (roles) we can add to our schema and policy store:
- Admin: full control across all system settings, manage roles and permissions
- Identity Manager: manages user lifecycle (create/update/disable users, set passwords, manage settings for clients, scripts, SCIM, FIDO, SAML)
- Security Auditor: read access to logs, cannot modify critical config
- Developer: create & manage OAuth clients, redirect URIs, client secrets for App
- Support Staff: Limited access, reset password, unlock accounts
- End User: Standard user who can manage their own credentials
Below are the resources, grouped by parent resource with their sub-resources. Each parent group corresponds to one resource type in the policies (for example `SystemAndMonitoringResource`), and each sub-resource is a member of its parent group.

- System and monitoring
  - Dashboard
  - Health
  - License
  - MAU
  - Settings
  - Security
  - Webhooks
  - Assets
  - AuditLogs
- AuthServer and configuration
  - Clients
  - Scopes
  - Keys
  - AuthServerProperties
  - Logging
  - SSA
  - Authn
  - ConfigAPIProperties
  - Sessions
- Identity and Access
  - Users
  - Scripts
  - UserClaims
- Service
  - Cache
  - Persistence
  - SMTP
  - SCIM
  - FIDO
  - SAML
  - Lock
- Profile
The actions available to policies are:

- add
- update
- delete
- view
- lock
- unlock
- reset_password
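The following Cedar schema is an added example (it is not the schema shipped with the Admin UI or Cedarling) showing how the roles, resource groups and actions above can be declared in the `Gluu::Flex::AdminUI` namespace. The sub-resource type names (`ClientsResource`, `SmtpResource`, ...) and the `sub` attribute on `User` are assumptions; the parent groups and action names come from the lists above. Sub-resources are declared `in` their parent group, so a policy can either test the exact type with `resource is ClientsResource` (as the policies below do) or cover a whole group with `resource in AuthServerConfigurationResource::"all"`, provided the sub-resource entities list that group entity as a parent. Note that `resource is AuthServerConfigurationResource` is a type test only: it does not match an entity of type `ClientsResource`, even though Clients sits under AuthServer and configuration in the list above.

```cedar
namespace Gluu::Flex::AdminUI {
  // Principals: a user is a member of one or more roles, so policies can say
  // `principal in Role::"admin"`. Cedarling builds these from token claims.
  entity Role;
  entity User in [Role] {
    sub: String,
  };

  // Parent resource groups (one entity type per group in the resource list).
  entity SystemAndMonitoringResource;
  entity AuthServerConfigurationResource;
  entity IdentityAccessResource;
  entity ServiceResource;
  entity ProfileResource;

  // Sub-resources (assumed type names), each a member of its parent group.
  entity DashboardResource, HealthResource, LicenseResource, MauResource,
         SettingsResource, SecurityResource, WebhooksResource, AssetsResource,
         AuditLogsResource
    in [SystemAndMonitoringResource];
  entity ClientsResource, ScopesResource, KeysResource,
         AuthServerPropertiesResource, LoggingResource, SsaResource,
         AuthnResource, ConfigApiPropertiesResource, SessionsResource
    in [AuthServerConfigurationResource];
  entity UsersResource, ScriptsResource, UserClaimsResource
    in [IdentityAccessResource];
  entity CacheResource, PersistenceResource, SmtpResource, ScimResource,
         FidoResource, SamlResource, LockResource
    in [ServiceResource];

  // CRUD actions apply to every resource type; the validator rejects a policy
  // that pairs an action with a resource type not listed here.
  action "add", "update", "delete", "view" appliesTo {
    principal: [User],
    resource: [
      SystemAndMonitoringResource, DashboardResource, HealthResource,
      LicenseResource, MauResource, SettingsResource, SecurityResource,
      WebhooksResource, AssetsResource, AuditLogsResource,
      AuthServerConfigurationResource, ClientsResource, ScopesResource,
      KeysResource, AuthServerPropertiesResource, LoggingResource, SsaResource,
      AuthnResource, ConfigApiPropertiesResource, SessionsResource,
      IdentityAccessResource, UsersResource, ScriptsResource, UserClaimsResource,
      ServiceResource, CacheResource, PersistenceResource, SmtpResource,
      ScimResource, FidoResource, SamlResource, LockResource,
      ProfileResource
    ],
  };

  // Account-level actions only make sense on users.
  action "lock", "unlock", "reset_password" appliesTo {
    principal: [User],
    resource: [UsersResource],
  };
}
```

Running the policy set through Cedar's schema validation before publishing it to the policy store catches the most common authoring mistake in this design: a policy that references an action/resource pair the schema does not allow, such as `reset_password` on `ClientsResource`.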
Admin can manage Auth server config

```cedar
@id("AdminCanManageAuthServerConfiguration")
permit(
  principal in Gluu::Flex::AdminUI::Role::"admin",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::AuthServerConfigurationResource
);
```
Admin can manage User Identity and Access

```cedar
@id("AdminCanManageUserIdentityAndAccess")
permit(
  principal in Gluu::Flex::AdminUI::Role::"admin",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::IdentityAccessResource
);
```
Admin can manage system monitoring

```cedar
@id("AdminCanManageSystemMonitoring")
permit(
  principal in Gluu::Flex::AdminUI::Role::"admin",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::SystemAndMonitoringResource
);
```

Admin can manage services

```cedar
@id("AdminCanManageService")
permit(
  principal in Gluu::Flex::AdminUI::Role::"admin",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::ServiceResource
);
```
Manager can manage OAuth clients

```cedar
@id("ManagerCanManageClients")
permit(
  principal in Gluu::Flex::AdminUI::Role::"manager",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::ClientsResource
);
```

Manager can manage Custom Scripts

```cedar
@id("ManagerCanManageCustomScripts")
permit(
  principal in Gluu::Flex::AdminUI::Role::"manager",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::ScriptsResource
);
```
Auditor can view logs and monitoring resources. The Security Auditor role is defined above as read-only, so this policy grants `view` only; granting `add`, `update` or `delete` here would let an auditor change the data they are supposed to review.

```cedar
@id("AuditorCanViewSystemMonitoring")
permit(
  principal in Gluu::Flex::AdminUI::Role::"auditor",
  action in [Gluu::Flex::AdminUI::Action::"view"],
  resource is Gluu::Flex::AdminUI::SystemAndMonitoringResource
);
```
Developer can manage OAuth clients

```cedar
@id("DeveloperCanManageClients")
permit(
  principal in Gluu::Flex::AdminUI::Role::"developer",
  action in [Gluu::Flex::AdminUI::Action::"add",
             Gluu::Flex::AdminUI::Action::"update",
             Gluu::Flex::AdminUI::Action::"view",
             Gluu::Flex::AdminUI::Action::"delete"],
  resource is Gluu::Flex::AdminUI::ClientsResource
);
```
Support Staff can lock/unlock users (the policy id is named after what it permits; a copied id such as `SupportStaffCanManageClients` would mislead anyone reading audit logs)

```cedar
@id("SupportStaffCanLockUnlockUsers")
permit(
  principal in Gluu::Flex::AdminUI::Role::"supportstaff",
  action in [Gluu::Flex::AdminUI::Action::"lock",
             Gluu::Flex::AdminUI::Action::"unlock"],
  resource is Gluu::Flex::AdminUI::UsersResource
);
```

End user can manage their own profile

```cedar
@id("EndUserCanManageProfile")
permit(
  principal in Gluu::Flex::AdminUI::Role::"enduser",
  action in [Gluu::Flex::AdminUI::Action::"update"],
  resource is Gluu::Flex::AdminUI::ProfileResource
);
```
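Before enabling enforcement, it is worth running a decision matrix over the policy set: a list of (roles, action, resource type) requests with the decision each one is expected to produce. The block below is an added example, not code from the Admin UI, Config API or Cedarling. It transcribes the policies above as data (with the auditor policy narrowed to `view` to match the Security Auditor role, and the support-staff and end-user policy ids named after what they permit) and applies a minimal matcher that mirrors two Cedar rules: a request with no matching `permit` is denied, and `resource is T` is an exact type test, whereas `resource in Parent` also covers entities that are members of `Parent`. The sub-resource type names and the parent mapping are assumptions taken from the resource list; in production the requests go to Cedarling's `authorize` call, which builds the principal's roles from token claims as configured in the policy store's trusted issuers.

```javascript
// Parent group of each sub-resource type (assumed names, from the resource list).
const PARENT = {
  ClientsResource: "AuthServerConfigurationResource",
  ScopesResource: "AuthServerConfigurationResource",
  UsersResource: "IdentityAccessResource",
  ScriptsResource: "IdentityAccessResource",
  AuditLogsResource: "SystemAndMonitoringResource",
  SmtpResource: "ServiceResource",
};

const CRUD = ["add", "update", "view", "delete"];

// The page's policies as data: role = `principal in Role::"<role>"`,
// actions = the `action in [...]` list, resource = the type on the right of `is`.
const POLICIES = [
  { id: "AdminCanManageAuthServerConfiguration", role: "admin", actions: CRUD, resource: "AuthServerConfigurationResource" },
  { id: "AdminCanManageUserIdentityAndAccess", role: "admin", actions: CRUD, resource: "IdentityAccessResource" },
  { id: "AdminCanManageSystemMonitoring", role: "admin", actions: CRUD, resource: "SystemAndMonitoringResource" },
  { id: "AdminCanManageService", role: "admin", actions: CRUD, resource: "ServiceResource" },
  { id: "ManagerCanManageClients", role: "manager", actions: CRUD, resource: "ClientsResource" },
  { id: "ManagerCanManageCustomScripts", role: "manager", actions: CRUD, resource: "ScriptsResource" },
  { id: "AuditorCanViewSystemMonitoring", role: "auditor", actions: ["view"], resource: "SystemAndMonitoringResource" },
  { id: "DeveloperCanManageClients", role: "developer", actions: CRUD, resource: "ClientsResource" },
  { id: "SupportStaffCanLockUnlockUsers", role: "supportstaff", actions: ["lock", "unlock"], resource: "UsersResource" },
  { id: "EndUserCanManageProfile", role: "enduser", actions: ["update"], resource: "ProfileResource" },
];

// hierarchy=false mirrors `resource is T` (exact type only);
// hierarchy=true mirrors `resource in Parent` (walks the PARENT chain).
function resourceMatches(policyResource, resourceType, hierarchy) {
  if (!hierarchy) return resourceType === policyResource;
  for (let t = resourceType; t !== undefined; t = PARENT[t]) {
    if (t === policyResource) return true;
  }
  return false;
}

// Default deny: ALLOW only when at least one permit matches. The ids of the
// matching policies are returned as the reasons, as Cedar's diagnostics do.
function authorize(request, { hierarchy = false } = {}) {
  const { roles, action, resourceType } = request;
  const reasons = POLICIES
    .filter(p => roles.includes(p.role)
      && p.actions.includes(action)
      && resourceMatches(p.resource, resourceType, hierarchy))
    .map(p => p.id);
  return { decision: reasons.length > 0 ? "ALLOW" : "DENY", reasons };
}

// Constructed test requests; each row should be reviewed against the role
// definitions before the policy store is published.
const CASES = [
  { roles: ["admin"], action: "delete", resourceType: "AuthServerConfigurationResource" },
  { roles: ["admin"], action: "delete", resourceType: "ClientsResource" },
  { roles: ["auditor"], action: "view", resourceType: "AuditLogsResource" },
  { roles: ["auditor"], action: "delete", resourceType: "SystemAndMonitoringResource" },
  { roles: ["supportstaff"], action: "delete", resourceType: "UsersResource" },
  { roles: ["developer", "manager"], action: "update", resourceType: "ClientsResource" },
  { roles: ["enduser"], action: "view", resourceType: "ClientsResource" },
];

function decisionMatrix(hierarchy) {
  return CASES.map(c => ({ ...c, ...authorize(c, { hierarchy }) }));
}

console.log("resource is T:", decisionMatrix(false));
console.log("resource in Parent:", decisionMatrix(true));
```

The two matrices differ on exactly the rows where the page's resource grouping matters: with `is`, an admin's `AuthServerConfigurationResource` policy does not reach `ClientsResource`, and the auditor cannot view `AuditLogsResource`. Either write one `permit` per sub-resource type or switch the group policies to `in` over a parent entity; what must not happen is discovering the gap after enforcement is switched on in the Config API.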
We will provide a fully configured Cedarling project containing the above-defined schema, principals, roles, actions and policies. Users can edit it to match their own requirements.

jans-lock can be used here as the audit sink shown in the diagram, and the same Admin UI can be used to configure jans-lock.