Cedarling integration in Admin UI
We will maintain the following resource-to-scopes mapping in the `adminui_resource_scopes_mapping` table in the database (the DDL further down creates it as `adminUIResourceScopesMapping`; both names on this page refer to the same table).
TABLE: adminui_resource_scopes_mapping
Now suppose the policy store contains the policies shown below. The Admin UI's update-token script will implement the following logic:
- Get all the policies for a role (e.g. auditor).
- Get the actions and resources of those policies. In the example below, the actions of one policy are READ, WRITE and DELETE and its resource is dashboard.
- On updating the policy store, the backend will refer to the adminui_resource_scopes_mapping table and pull and aggregate the scopes matching the READ, WRITE and DELETE actions and the dashboard resource. The match must use one consistent spelling of action and resource names: the sample policies below write actions as both "read" and "Read", while the table stores READ, so the comparison has to normalize case (or the names have to be aligned), otherwise the lookup silently returns no scopes for the role.
- In this way the script aggregates all the scopes for each role, matching the actions and resource of each and every policy in the policy store. This role-to-scopes mapping is saved in the Admin UI configuration (persistence).
- The update-token script will consult this role-to-scopes mapping to add the required scopes to the access_token based on the role of the logged-in user. Because tokens are built from the persisted mapping, a change to the mapping table only reaches issued tokens once the role-to-scopes mapping has been regenerated.
Sample Policies
// Admin role: read, write and delete on every resource of the
// "Auth Server and Configuration" group.
// The group type used here does not appear as a `resource` value in the mapping
// table further down (that table is keyed by individual resources such as
// 'authenticationServerConfiguration'), so the group-to-resource resolution
// happens outside this page — confirm before relying on it.
// Action ids are lowercase in the admin policies but "Read"/"Write"/"Delete" in
// the auditor policies; Cedar compares entity ids exactly, so only one spelling
// can match the actions declared in the schema.
@id("AdminCanManageAuthServerConfiguration")
permit (
    principal in Gluu::Flex::AdminUI::Role::"admin",
    action in [
        Gluu::Flex::AdminUI::Action::"delete",
        Gluu::Flex::AdminUI::Action::"write",
        Gluu::Flex::AdminUI::Action::"read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::AuthServerAndConfiguration
);
// Admin role: read, write and delete on every resource of the
// "Identity and Access" group (group-to-resource resolution is not shown here).
@id("AdminCanManageUserIdentityAndAccess")
permit (
    principal in Gluu::Flex::AdminUI::Role::"admin",
    action in [
        Gluu::Flex::AdminUI::Action::"delete",
        Gluu::Flex::AdminUI::Action::"write",
        Gluu::Flex::AdminUI::Action::"read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::IdentityAndAccess
);
// Admin role: read, write and delete on every resource of the
// "System and Monitoring" group (group-to-resource resolution is not shown here).
@id("AdminCanManageSystemMonitoring")
permit (
    principal in Gluu::Flex::AdminUI::Role::"admin",
    action in [
        Gluu::Flex::AdminUI::Action::"delete",
        Gluu::Flex::AdminUI::Action::"write",
        Gluu::Flex::AdminUI::Action::"read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::SystemAndMonitoring
);
// Admin role: read, write and delete on every resource of the "Service" group
// (group-to-resource resolution is not shown here).
@id("AdminCanManageService")
permit (
    principal in Gluu::Flex::AdminUI::Role::"admin",
    action in [
        Gluu::Flex::AdminUI::Action::"delete",
        Gluu::Flex::AdminUI::Action::"write",
        Gluu::Flex::AdminUI::Action::"read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::Service
);
// A few sample policies without resource grouping (one policy per individual resource)
// Auditor role: Read, Write and Delete on the dashboard resource.
// NOTE(review): write/delete for an "auditor" is broader than the role name
// suggests; fine as an illustration, but check it against least privilege
// before shipping. The mapping table further down only has a dashboard/READ
// row, so the WRITE and DELETE grants here resolve to no scopes at all.
// Action ids are capitalized here but lowercase in the admin policies; Cedar
// compares entity ids exactly, so only one spelling matches the schema.
@id("AuditorCanManageDashboard")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Delete",
        Gluu::Flex::AdminUI::Action::"Write",
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::dashboard
);
// Auditor role: Read, Write and Delete on the health resource.
// NOTE(review): the mapping table further down has no 'health' row at all, so
// this policy contributes no scopes to the auditor's access_token until one is
// added; as with the dashboard policy, write/delete for an auditor should be a
// deliberate choice.
@id("AuditorCanManageHealth")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Delete",
        Gluu::Flex::AdminUI::Action::"Write",
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::health
);
// Auditor role: Read on the license resource (the mapping table has a
// license/READ row, so this resolves to the license.readonly scope).
@id("AuditorCanReadLicense")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::license
);
// Auditor role: Read on the mau (monthly active users) resource; the mapping
// table has a mau/READ row.
@id("AuditorCanReadMAU")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::mau
);
// Auditor role: Read on the settings resource; the mapping table has a
// settings/READ row.
@id("AuditorCanReadSettings")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::settings
);
// Auditor role: Read on the webhooks resource; the mapping table has a
// webhooks/READ row.
@id("AuditorCanReadWebhooks")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::webhooks
);
// Auditor role: Read on the assets resource; the mapping table has an
// assets/READ row.
@id("AuditorCanReadAssets")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::assets
);
// Auditor role: Read on the audit-logs resource.
// NOTE(review): the resource is spelled `auditlogs` here but the mapping table
// stores it as 'auditLogs'; a case-sensitive lookup finds no row and the
// auditor gets no logging.readonly scope. Align one of the two spellings.
@id("AuditorCanReadAuditLogs")
permit (
    principal in Gluu::Flex::AdminUI::Role::"auditor",
    action in [
        Gluu::Flex::AdminUI::Action::"Read"
    ],
    resource is Gluu::Flex::AdminUI::Resources::auditlogs
);
DB scripts (PostgreSQL) for the **adminui_resource_scopes_mapping** table
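-- ==============================================
-- Table: adminUIResourceScopesMapping
-- ==============================================
-- One row per (resource, accessType) pair the Admin UI knows about. `scopes`
-- holds the OAuth scopes the update-token script adds to the access_token when
-- a Cedar policy grants that accessType on that resource.
-- PostgreSQL-specific (TEXT[] column, ARRAY[...] literals in the seed below).
CREATE TABLE IF NOT EXISTS "adminUIResourceScopesMapping" (
    -- Static UUID identifying the row (the seed copies it into inum and dn).
    -- Declared as the primary key so a re-run of the seed fails loudly instead
    -- of silently duplicating every mapping row.
    doc_id VARCHAR(64) NOT NULL,
    "objectClass" VARCHAR(48),
    "inum" VARCHAR(64),
    dn VARCHAR(256),
    resource VARCHAR(100) NOT NULL,
    -- Expected values: 'READ', 'WRITE', 'DELETE'.
    -- NOTE(review): a CHECK ("accessType" IN ('READ','WRITE','DELETE')) is the
    -- right guard here, but the existing seed carries 'jans_asset-delete' in
    -- this column for the saml delete row and would be rejected; fix that row
    -- first, then add the constraint.
    "accessType" VARCHAR(20) NOT NULL,
    scopes TEXT[] NOT NULL,
    CONSTRAINT "adminUIResourceScopesMapping_pkey" PRIMARY KEY (doc_id)
);
-- Lookup index for the update-token script, which queries by resource + accessType.
-- Deliberately not UNIQUE: the seed has two 'clients'/'READ' rows, so the
-- script must aggregate every matching row rather than take the first.
CREATE INDEX IF NOT EXISTS idx_adminui_resource_access_type
    ON "adminUIResourceScopesMapping" (resource, "accessType");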
-- ==============================================
-- Insert Records (UUIDs are static)
-- ==============================================
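-- Seed of the resource/accessType -> scopes mapping consumed by the update-token
-- script. doc_id/inum/dn are static so every deployment gets identical rows, but
-- the table as declared above has no primary key, so running this seed twice
-- duplicates every row; guard re-runs (TRUNCATE first, or add a PK and use
-- ON CONFLICT) before wiring it into an automated migration.
-- NOTE(review): nearly every READ row also carries
-- '.../config/adminui/logging.write', and the session READ row carries
-- 'revoke_session' — presumably so the UI can write its own audit log and manage
-- the current session, but it means a read-only grant issues a write-capable
-- scope. Confirm this is intended before these rows feed non-admin roles.
INSERT INTO "adminUIResourceScopesMapping" (doc_id, inum, dn, "objectClass", resource, "accessType", scopes) VALUES
('f9c23f63-184a-4777-a01c-ea928eb96054', 'f9c23f63-184a-4777-a01c-ea928eb96054', 'inum=f9c23f63-184a-4777-a01c-ea928eb96054,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'dashboard', 'READ', ARRAY['https://jans.io/oauth/config/stats.readonly','jans_stat','https://jans.io/oauth/config/data.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('491408e9-8870-45b0-88cc-86455830c3d7', '491408e9-8870-45b0-88cc-86455830c3d7', 'inum=491408e9-8870-45b0-88cc-86455830c3d7,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'license', 'READ', ARRAY['https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('4a273022-268a-4bd9-b173-7ca8e79fc906', '4a273022-268a-4bd9-b173-7ca8e79fc906', 'inum=4a273022-268a-4bd9-b173-7ca8e79fc906,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'license', 'WRITE', ARRAY['https://jans.io/oauth/jans-auth-server/config/adminui/license.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('57eef8f1-93d5-43b7-b859-de6f59572ced', '57eef8f1-93d5-43b7-b859-de6f59572ced', 'inum=57eef8f1-93d5-43b7-b859-de6f59572ced,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'mau', 'READ', ARRAY['https://jans.io/oauth/config/stats.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('000b7e87-5168-4c21-85ad-e717cafc8e8b', '000b7e87-5168-4c21-85ad-e717cafc8e8b', 'inum=000b7e87-5168-4c21-85ad-e717cafc8e8b,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'settings', 'READ', ARRAY['https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('10c51b99-af6d-467d-a66c-991c4af9779b', '10c51b99-af6d-467d-a66c-991c4af9779b', 'inum=10c51b99-af6d-467d-a66c-991c4af9779b,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'settings', 'WRITE', ARRAY['https://jans.io/oauth/jans-auth-server/config/adminui/properties.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('b5525233-4c64-41c1-b00b-91a334bf57cb', 'b5525233-4c64-41c1-b00b-91a334bf57cb', 'inum=b5525233-4c64-41c1-b00b-91a334bf57cb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'webhooks', 'READ', ARRAY['https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('4140d9e7-021f-4a5f-8054-838a8e54b2da', '4140d9e7-021f-4a5f-8054-838a8e54b2da', 'inum=4140d9e7-021f-4a5f-8054-838a8e54b2da,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'webhooks', 'WRITE', ARRAY['https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('e4dcafe6-786f-4a7f-aa42-3b9d64fd792c', 'e4dcafe6-786f-4a7f-aa42-3b9d64fd792c', 'inum=e4dcafe6-786f-4a7f-aa42-3b9d64fd792c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'webhooks', 'DELETE', ARRAY['https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('6b3fa54a-6b39-4d6a-8af6-f775084ff3e2', '6b3fa54a-6b39-4d6a-8af6-f775084ff3e2', 'inum=6b3fa54a-6b39-4d6a-8af6-f775084ff3e2,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'assets', 'READ', ARRAY['https://jans.io/oauth/config/jans_asset-read','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('014fe962-0fea-49c4-9798-eb51ce80204f', '014fe962-0fea-49c4-9798-eb51ce80204f', 'inum=014fe962-0fea-49c4-9798-eb51ce80204f,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'assets', 'WRITE', ARRAY['https://jans.io/oauth/config/jans_asset-write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('b9ff6c69-4fc7-4a23-8ba7-7a250d80ea11', 'b9ff6c69-4fc7-4a23-8ba7-7a250d80ea11', 'inum=b9ff6c69-4fc7-4a23-8ba7-7a250d80ea11,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'assets', 'DELETE', ARRAY['https://jans.io/oauth/config/jans_asset-delete','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('d9b5076c-9678-4d7e-8830-89d125cf2e74', 'd9b5076c-9678-4d7e-8830-89d125cf2e74', 'inum=d9b5076c-9678-4d7e-8830-89d125cf2e74,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'auditLogs', 'READ', ARRAY['https://jans.io/oauth/config/logging.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
-- NOTE(review): the next two rows are both 'clients'/'READ' (the second adds
-- properties.readonly). A lookup that takes the first match yields a different
-- scope set than one that aggregates — merge them or make the lookup aggregate.
('35ed86f5-fde4-4502-aff3-c0250b841f33', '35ed86f5-fde4-4502-aff3-c0250b841f33', 'inum=35ed86f5-fde4-4502-aff3-c0250b841f33,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'clients', 'READ', ARRAY['https://jans.io/oauth/config/openid/clients.readonly','https://jans.io/oauth/config/scopes.readonly','https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('fbf1e29b-369c-4fc9-8ab6-197ee9ed257c', 'fbf1e29b-369c-4fc9-8ab6-197ee9ed257c', 'inum=fbf1e29b-369c-4fc9-8ab6-197ee9ed257c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'clients', 'READ', ARRAY['https://jans.io/oauth/config/openid/clients.readonly','https://jans.io/oauth/config/scopes.readonly','https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/jans-auth-server/config/properties.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('7d9558b3-8bc3-4727-96c9-67afe41e833c', '7d9558b3-8bc3-4727-96c9-67afe41e833c', 'inum=7d9558b3-8bc3-4727-96c9-67afe41e833c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'clients', 'WRITE', ARRAY['https://jans.io/oauth/config/openid/clients.write','https://jans.io/oauth/config/scopes.readonly','https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/jans-auth-server/config/properties.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('77aa2e0e-a67d-4f90-a28c-a9b6077c3a7d', '77aa2e0e-a67d-4f90-a28c-a9b6077c3a7d', 'inum=77aa2e0e-a67d-4f90-a28c-a9b6077c3a7d,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'clients', 'DELETE', ARRAY['https://jans.io/oauth/config/openid/clients.delete','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('8d8e1d19-2ab8-4e2f-ab81-9ee7ed36f9e3', '8d8e1d19-2ab8-4e2f-ab81-9ee7ed36f9e3', 'inum=8d8e1d19-2ab8-4e2f-ab81-9ee7ed36f9e3,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scopes', 'READ', ARRAY['https://jans.io/oauth/config/scopes.readonly','https://jans.io/oauth/config/attributes.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('07ec2f0c-2426-4d00-8cb7-9dea43bce3e0', '07ec2f0c-2426-4d00-8cb7-9dea43bce3e0', 'inum=07ec2f0c-2426-4d00-8cb7-9dea43bce3e0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scopes', 'WRITE', ARRAY['https://jans.io/oauth/config/scopes.write','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('3a0c4bb3-46ab-425f-bbe4-0b0515c221e1', '3a0c4bb3-46ab-425f-bbe4-0b0515c221e1', 'inum=3a0c4bb3-46ab-425f-bbe4-0b0515c221e1,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scopes', 'DELETE', ARRAY['https://jans.io/oauth/config/scopes.delete','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('12849fe5-e4c3-437f-94bc-d24848e275bb', '12849fe5-e4c3-437f-94bc-d24848e275bb', 'inum=12849fe5-e4c3-437f-94bc-d24848e275bb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'keys', 'READ', ARRAY['https://jans.io/oauth/config/jwks.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('f614a842-f887-43af-a0bb-708976449610', 'f614a842-f887-43af-a0bb-708976449610', 'inum=f614a842-f887-43af-a0bb-708976449610,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'authenticationServerConfiguration', 'READ', ARRAY['https://jans.io/oauth/jans-auth-server/config/properties.readonly','https://jans.io/oauth/config/acrs.readonly','https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('d8c3bc28-054b-4906-9819-1a0db8030b37', 'd8c3bc28-054b-4906-9819-1a0db8030b37', 'inum=d8c3bc28-054b-4906-9819-1a0db8030b37,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'authenticationServerConfiguration', 'WRITE', ARRAY['https://jans.io/oauth/jans-auth-server/config/properties.write','https://jans.io/oauth/config/acrs.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('8888368f-f108-4606-9834-dd331c527866', '8888368f-f108-4606-9834-dd331c527866', 'inum=8888368f-f108-4606-9834-dd331c527866,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'logging', 'READ', ARRAY['https://jans.io/oauth/config/logging.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('52133aed-b1f4-46a0-824d-761148e7866d', '52133aed-b1f4-46a0-824d-761148e7866d', 'inum=52133aed-b1f4-46a0-824d-761148e7866d,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'logging', 'WRITE', ARRAY['https://jans.io/oauth/config/logging.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('eb61570d-1b5c-4433-84d7-276d210194d4', 'eb61570d-1b5c-4433-84d7-276d210194d4', 'inum=eb61570d-1b5c-4433-84d7-276d210194d4,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'authentication', 'READ', ARRAY['https://jans.io/oauth/config/database/ldap.readonly','https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/config/acrs.readonly','https://jans.io/oauth/jans-auth-server/config/properties.readonly','https://jans.io/oauth/config/agama.readonly','https://jans.io/oauth/config/agama-repo.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('1eee190b-c2fb-455c-8ef4-0c22fde9f73a', '1eee190b-c2fb-455c-8ef4-0c22fde9f73a', 'inum=1eee190b-c2fb-455c-8ef4-0c22fde9f73a,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'authentication', 'WRITE', ARRAY['https://jans.io/oauth/config/database/ldap.write','https://jans.io/oauth/jans-auth-server/config/properties.write','https://jans.io/oauth/config/agama.write','https://jans.io/oauth/config/agama-repo.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('1b64711b-9935-49e9-be27-35f92e40fac3', '1b64711b-9935-49e9-be27-35f92e40fac3', 'inum=1b64711b-9935-49e9-be27-35f92e40fac3,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'configApiConfiguration', 'READ', ARRAY['https://jans.io/oauth/config/properties.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('87a66767-b740-4357-acb3-d37299f7d760', '87a66767-b740-4357-acb3-d37299f7d760', 'inum=87a66767-b740-4357-acb3-d37299f7d760,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'configApiConfiguration', 'WRITE', ARRAY['https://jans.io/oauth/config/properties.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
-- NOTE(review): session/READ grants 'revoke_session' — a read grant that can revoke sessions; confirm intended.
('7ceb0830-8b3d-455b-ba03-28cd4e7e9385', '7ceb0830-8b3d-455b-ba03-28cd4e7e9385', 'inum=7ceb0830-8b3d-455b-ba03-28cd4e7e9385,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'session', 'READ', ARRAY['https://jans.io/oauth/jans-auth-server/session.readonly','revoke_session','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('26c54ba2-0adb-47d1-b64d-5266d75ef6d6', '26c54ba2-0adb-47d1-b64d-5266d75ef6d6', 'inum=26c54ba2-0adb-47d1-b64d-5266d75ef6d6,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'session', 'DELETE', ARRAY['https://jans.io/oauth/jans-auth-server/session.delete','revoke_session','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('37488733-1b14-4648-a270-2c0f4dec2813', '37488733-1b14-4648-a270-2c0f4dec2813', 'inum=37488733-1b14-4648-a270-2c0f4dec2813,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'users', 'READ', ARRAY['https://jans.io/oauth/config/user.readonly','https://jans.io/oauth/config/attributes.readonly','https://jans.io/oauth/jans-auth-server/config/properties.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('b4952238-fae5-4d62-bfed-8a8e343fdffc', 'b4952238-fae5-4d62-bfed-8a8e343fdffc', 'inum=b4952238-fae5-4d62-bfed-8a8e343fdffc,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'users', 'WRITE', ARRAY['https://jans.io/oauth/config/user.write','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('3f2d534e-13e3-46a5-8062-de37d7c5da75', '3f2d534e-13e3-46a5-8062-de37d7c5da75', 'inum=3f2d534e-13e3-46a5-8062-de37d7c5da75,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'users', 'DELETE', ARRAY['https://jans.io/oauth/config/user.delete','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('c938bb27-ba6a-41f5-9506-86746e8c92bb', 'c938bb27-ba6a-41f5-9506-86746e8c92bb', 'inum=c938bb27-ba6a-41f5-9506-86746e8c92bb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scripts', 'READ', ARRAY['https://jans.io/oauth/config/scripts.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('9c8e3351-8ac9-4bb9-8548-f63d7f1a56eb', '9c8e3351-8ac9-4bb9-8548-f63d7f1a56eb', 'inum=9c8e3351-8ac9-4bb9-8548-f63d7f1a56eb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scripts', 'WRITE', ARRAY['https://jans.io/oauth/config/scripts.write','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('3da24565-7d2b-4bc4-9f33-9b4720741fb1', '3da24565-7d2b-4bc4-9f33-9b4720741fb1', 'inum=3da24565-7d2b-4bc4-9f33-9b4720741fb1,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scripts', 'DELETE', ARRAY['https://jans.io/oauth/config/scripts.delete','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('c3359124-ee0b-4df6-9290-0f6a6837808c', 'c3359124-ee0b-4df6-9290-0f6a6837808c', 'inum=c3359124-ee0b-4df6-9290-0f6a6837808c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'attributes', 'READ', ARRAY['https://jans.io/oauth/config/attributes.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('a9c5bae2-7e18-4dc4-904b-b1b756fc9807', 'a9c5bae2-7e18-4dc4-904b-b1b756fc9807', 'inum=a9c5bae2-7e18-4dc4-904b-b1b756fc9807,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'attributes', 'WRITE', ARRAY['https://jans.io/oauth/config/attributes.write','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('e2532e04-f656-455e-83b6-10c1e2ab24bb', 'e2532e04-f656-455e-83b6-10c1e2ab24bb', 'inum=e2532e04-f656-455e-83b6-10c1e2ab24bb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'attributes', 'DELETE', ARRAY['https://jans.io/oauth/config/attributes.delete','https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('45e1e36f-6225-4701-93a4-33b5afac2ed8', '45e1e36f-6225-4701-93a4-33b5afac2ed8', 'inum=45e1e36f-6225-4701-93a4-33b5afac2ed8,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'cache', 'READ', ARRAY['https://jans.io/oauth/config/cache.readonly']),
('766e21e3-ea1c-4421-8b1a-8c7cfeb20699', '766e21e3-ea1c-4421-8b1a-8c7cfeb20699', 'inum=766e21e3-ea1c-4421-8b1a-8c7cfeb20699,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'cache', 'WRITE', ARRAY['https://jans.io/oauth/config/cache.write']),
('a315242a-2eac-42cf-8d67-63072f1465bf', 'a315242a-2eac-42cf-8d67-63072f1465bf', 'inum=a315242a-2eac-42cf-8d67-63072f1465bf,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'persistence', 'READ', ARRAY['https://jans.io/oauth/jans-auth-server/config/properties.readonly']),
('e9dea5be-d659-49cf-88aa-38e240e37aa6', 'e9dea5be-d659-49cf-88aa-38e240e37aa6', 'inum=e9dea5be-d659-49cf-88aa-38e240e37aa6,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'smtp', 'READ', ARRAY['https://jans.io/oauth/config/smtp.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('67b8301b-7adc-4b7f-8ffe-dc6c12a57bae', '67b8301b-7adc-4b7f-8ffe-dc6c12a57bae', 'inum=67b8301b-7adc-4b7f-8ffe-dc6c12a57bae,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'smtp', 'WRITE', ARRAY['https://jans.io/oauth/config/smtp.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('92f0f66b-5618-40c6-8c48-744bd03fbeae', '92f0f66b-5618-40c6-8c48-744bd03fbeae', 'inum=92f0f66b-5618-40c6-8c48-744bd03fbeae,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scim', 'READ', ARRAY['https://jans.io/scim/config.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('bae361b3-6013-4812-94d2-b04e4d55a5a2', 'bae361b3-6013-4812-94d2-b04e4d55a5a2', 'inum=bae361b3-6013-4812-94d2-b04e4d55a5a2,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'scim', 'WRITE', ARRAY['https://jans.io/scim/config.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('9846cf37-e701-4c52-881f-3d433233bf58', '9846cf37-e701-4c52-881f-3d433233bf58', 'inum=9846cf37-e701-4c52-881f-3d433233bf58,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'fido', 'READ', ARRAY['https://jans.io/oauth/config/fido2.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('4a953049-ddf1-4d55-aa4f-760f08b584a0', '4a953049-ddf1-4d55-aa4f-760f08b584a0', 'inum=4a953049-ddf1-4d55-aa4f-760f08b584a0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'fido', 'WRITE', ARRAY['https://jans.io/oauth/config/fido2.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('ce8c6212-a183-4b71-bc4b-3dfef88d1cd0', 'ce8c6212-a183-4b71-bc4b-3dfef88d1cd0', 'inum=ce8c6212-a183-4b71-bc4b-3dfef88d1cd0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'saml', 'READ', ARRAY['https://jans.io/oauth/config/saml-config.readonly','https://jans.io/oauth/config/saml.readonly','https://jans.io/idp/saml.readonly','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('5e01fe2a-86f6-4f3b-ac84-ec8928bbe78f', '5e01fe2a-86f6-4f3b-ac84-ec8928bbe78f', 'inum=5e01fe2a-86f6-4f3b-ac84-ec8928bbe78f,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'saml', 'WRITE', ARRAY['https://jans.io/oauth/config/saml-config.write','https://jans.io/idp/saml.write','https://jans.io/oauth/config/saml.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
-- Fixed: accessType was 'jans_asset-delete' (a scope name, not an access type).
-- Every other row uses READ/WRITE/DELETE and these are the SAML delete scopes,
-- so the saml/DELETE lookup never matched and the delete scope was never issued.
('0dbbcf8f-6c5f-4d1b-90f6-985dd694d20a', '0dbbcf8f-6c5f-4d1b-90f6-985dd694d20a', 'inum=0dbbcf8f-6c5f-4d1b-90f6-985dd694d20a,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'saml', 'DELETE', ARRAY['https://jans.io/idp/saml.delete','https://jans.io/oauth/config/saml.write','https://jans.io/oauth/jans-auth-server/config/adminui/logging.write']),
('9fa4b8c8-e980-440e-b3cd-4ac1f01f8338', '9fa4b8c8-e980-440e-b3cd-4ac1f01f8338', 'inum=9fa4b8c8-e980-440e-b3cd-4ac1f01f8338,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'lock', 'READ', ARRAY['https://jans.io/oauth/lock-config.readonly','https://jans.io/oauth/lock/read-all','jans_stat','https://jans.io/oauth/lock/telemetry.readonly']),
('4cb58914-f463-4015-beae-a36c38ec9f53', '4cb58914-f463-4015-beae-a36c38ec9f53', 'inum=4cb58914-f463-4015-beae-a36c38ec9f53,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'lock', 'WRITE', ARRAY['https://jans.io/oauth/lock-config.write','https://jans.io/oauth/lock/telemetry.write','https://jans.io/oauth/lock/log.write','https://jans.io/oauth/lock/health.write']);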
-- Alternate seed of the first fourteen mapping rows with `scopes` written as a
-- JSON array rather than a TEXT[] literal — presumably for a deployment whose
-- persistence layer stores multi-valued attributes as jsonb (confirm).
-- NOTE(review): against the TEXT[] column declared above, PostgreSQL rejects
-- this statement with a type error; and because it reuses the doc_ids of the
-- ARRAY seed, a schema that does accept it ends up with every one of these rows
-- twice (no primary key). Run exactly one of the two seeds per deployment.
INSERT INTO "adminUIResourceScopesMapping" (doc_id, inum, dn, "objectClass", resource, "accessType", scopes) VALUES
('f9c23f63-184a-4777-a01c-ea928eb96054', 'f9c23f63-184a-4777-a01c-ea928eb96054', 'inum=f9c23f63-184a-4777-a01c-ea928eb96054,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'dashboard', 'READ', CAST('["https://jans.io/oauth/config/stats.readonly","jans_stat","https://jans.io/oauth/config/data.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('491408e9-8870-45b0-88cc-86455830c3d7', '491408e9-8870-45b0-88cc-86455830c3d7', 'inum=491408e9-8870-45b0-88cc-86455830c3d7,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'license', 'READ', CAST('["https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('4a273022-268a-4bd9-b173-7ca8e79fc906', '4a273022-268a-4bd9-b173-7ca8e79fc906', 'inum=4a273022-268a-4bd9-b173-7ca8e79fc906,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'license', 'WRITE', CAST('["https://jans.io/oauth/jans-auth-server/config/adminui/license.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('57eef8f1-93d5-43b7-b859-de6f59572ced', '57eef8f1-93d5-43b7-b859-de6f59572ced', 'inum=57eef8f1-93d5-43b7-b859-de6f59572ced,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'mau', 'READ', CAST('["https://jans.io/oauth/config/stats.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('000b7e87-5168-4c21-85ad-e717cafc8e8b', '000b7e87-5168-4c21-85ad-e717cafc8e8b', 'inum=000b7e87-5168-4c21-85ad-e717cafc8e8b,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'settings', 'READ', CAST('["https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('10c51b99-af6d-467d-a66c-991c4af9779b', '10c51b99-af6d-467d-a66c-991c4af9779b', 'inum=10c51b99-af6d-467d-a66c-991c4af9779b,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'settings', 'WRITE', CAST('["https://jans.io/oauth/jans-auth-server/config/adminui/properties.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('b5525233-4c64-41c1-b00b-91a334bf57cb', 'b5525233-4c64-41c1-b00b-91a334bf57cb', 'inum=b5525233-4c64-41c1-b00b-91a334bf57cb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'webhooks', 'READ', CAST('["https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('4140d9e7-021f-4a5f-8054-838a8e54b2da', '4140d9e7-021f-4a5f-8054-838a8e54b2da', 'inum=4140d9e7-021f-4a5f-8054-838a8e54b2da,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'webhooks', 'WRITE', CAST('["https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('e4dcafe6-786f-4a7f-aa42-3b9d64fd792c', 'e4dcafe6-786f-4a7f-aa42-3b9d64fd792c', 'inum=e4dcafe6-786f-4a7f-aa42-3b9d64fd792c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'webhooks', 'DELETE', CAST('["https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('6b3fa54a-6b39-4d6a-8af6-f775084ff3e2', '6b3fa54a-6b39-4d6a-8af6-f775084ff3e2', 'inum=6b3fa54a-6b39-4d6a-8af6-f775084ff3e2,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'assets', 'READ', CAST('["https://jans.io/oauth/config/jans_asset-read","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('014fe962-0fea-49c4-9798-eb51ce80204f', '014fe962-0fea-49c4-9798-eb51ce80204f', 'inum=014fe962-0fea-49c4-9798-eb51ce80204f,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'assets', 'WRITE', CAST('["https://jans.io/oauth/config/jans_asset-write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('b9ff6c69-4fc7-4a23-8ba7-7a250d80ea11', 'b9ff6c69-4fc7-4a23-8ba7-7a250d80ea11', 'inum=b9ff6c69-4fc7-4a23-8ba7-7a250d80ea11,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'assets', 'DELETE', CAST('["https://jans.io/oauth/config/jans_asset-delete","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('d9b5076c-9678-4d7e-8830-89d125cf2e74', 'd9b5076c-9678-4d7e-8830-89d125cf2e74', 'inum=d9b5076c-9678-4d7e-8830-89d125cf2e74,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'auditLogs', 'READ', CAST('["https://jans.io/oauth/config/logging.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb)),
('35ed86f5-fde4-4502-aff3-c0250b841f33', '35ed86f5-fde4-4502-aff3-c0250b841f33', 'inum=35ed86f5-fde4-4502-aff3-c0250b841f33,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans', 'adminUIResourceScopesMapping', 'clients', 'READ', CAST('["https://jans.io/oauth/config/openid/clients.readonly","https://jans.io/oauth/config/scopes.readonly","https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]' AS jsonb));
-- Seed rows for the resource/accessType -> scopes mapping. Each row is one
-- (resource, accessType) pair and `scopes` is the jsonb list of OAuth scopes that
-- pair expands to. Plain INSERT with no ON CONFLICT clause: if doc_id/inum is unique,
-- re-running this seed fails instead of being a no-op — confirm whether idempotent
-- re-runs are needed before relying on it as a migration.
-- NOTE(review): every row here also carries
-- "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write", a write-named
-- scope, on READ rows as well; presumably the UI needs it to record its own audit
-- events, but confirm it is intended for read-only access.
-- NOTE(review): 'clients'/'READ' is seeded twice (once in the preceding statement with a
-- narrower list, once below with properties.readonly added). A consumer that unions
-- duplicate keys (PolicyToScopeMapper.buildResourceToScopes does) ends up with the wider
-- set; keep a single row per (resource, accessType) so the effective grant is explicit.
INSERT INTO "adminUIResourceScopesMapping" (doc_id, inum, dn, "objectClass", resource, "accessType", scopes) VALUES
('fbf1e29b-369c-4fc9-8ab6-197ee9ed257c','fbf1e29b-369c-4fc9-8ab6-197ee9ed257c','inum=fbf1e29b-369c-4fc9-8ab6-197ee9ed257c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','clients','READ','["https://jans.io/oauth/config/openid/clients.readonly","https://jans.io/oauth/config/scopes.readonly","https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/jans-auth-server/config/properties.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- WRITE/DELETE on clients also pull in webhook.readonly (presumably to show webhook
-- status after a change); scopes.readonly/scripts.readonly/properties.readonly are the
-- lookups the client form needs.
('7d9558b3-8bc3-4727-96c9-67afe41e833c','7d9558b3-8bc3-4727-96c9-67afe41e833c','inum=7d9558b3-8bc3-4727-96c9-67afe41e833c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','clients','WRITE','["https://jans.io/oauth/config/openid/clients.write","https://jans.io/oauth/config/scopes.readonly","https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/jans-auth-server/config/properties.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('77aa2e0e-a67d-4f90-a28c-a9b6077c3a7d','77aa2e0e-a67d-4f90-a28c-a9b6077c3a7d','inum=77aa2e0e-a67d-4f90-a28c-a9b6077c3a7d,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','clients','DELETE','["https://jans.io/oauth/config/openid/clients.delete","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('8d8e1d19-2ab8-4e2f-ab81-9ee7ed36f9e3','8d8e1d19-2ab8-4e2f-ab81-9ee7ed36f9e3','inum=8d8e1d19-2ab8-4e2f-ab81-9ee7ed36f9e3,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scopes','READ','["https://jans.io/oauth/config/scopes.readonly","https://jans.io/oauth/config/attributes.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('07ec2f0c-2426-4d00-8cb7-9dea43bce3e0','07ec2f0c-2426-4d00-8cb7-9dea43bce3e0','inum=07ec2f0c-2426-4d00-8cb7-9dea43bce3e0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scopes','WRITE','["https://jans.io/oauth/config/scopes.write","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('3a0c4bb3-46ab-425f-bbe4-0b0515c221e1','3a0c4bb3-46ab-425f-bbe4-0b0515c221e1','inum=3a0c4bb3-46ab-425f-bbe4-0b0515c221e1,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scopes','DELETE','["https://jans.io/oauth/config/scopes.delete","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- keys is read-only: no WRITE/DELETE row exists for it in this seed.
('12849fe5-e4c3-437f-94bc-d24848e275bb','12849fe5-e4c3-437f-94bc-d24848e275bb','inum=12849fe5-e4c3-437f-94bc-d24848e275bb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','keys','READ','["https://jans.io/oauth/config/jwks.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('f614a842-f887-43af-a0bb-708976449610','f614a842-f887-43af-a0bb-708976449610','inum=f614a842-f887-43af-a0bb-708976449610,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','authenticationServerConfiguration','READ','["https://jans.io/oauth/jans-auth-server/config/properties.readonly","https://jans.io/oauth/config/acrs.readonly","https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('d8c3bc28-054b-4906-9819-1a0db8030b37','d8c3bc28-054b-4906-9819-1a0db8030b37','inum=d8c3bc28-054b-4906-9819-1a0db8030b37,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','authenticationServerConfiguration','WRITE','["https://jans.io/oauth/jans-auth-server/config/properties.write","https://jans.io/oauth/config/acrs.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('8888368f-f108-4606-9834-dd331c527866','8888368f-f108-4606-9834-dd331c527866','inum=8888368f-f108-4606-9834-dd331c527866,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','logging','READ','["https://jans.io/oauth/config/logging.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('52133aed-b1f4-46a0-824d-761148e7866d','52133aed-b1f4-46a0-824d-761148e7866d','inum=52133aed-b1f4-46a0-824d-761148e7866d,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','logging','WRITE','["https://jans.io/oauth/config/logging.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- authentication READ/WRITE bundle ldap, scripts/acrs, auth-server properties and agama
-- scopes; WRITE includes properties.write, a broad auth-server config write by name.
('eb61570d-1b5c-4433-84d7-276d210194d4','eb61570d-1b5c-4433-84d7-276d210194d4','inum=eb61570d-1b5c-4433-84d7-276d210194d4,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','authentication','READ','["https://jans.io/oauth/config/database/ldap.readonly","https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/config/acrs.readonly","https://jans.io/oauth/jans-auth-server/config/properties.readonly","https://jans.io/oauth/config/agama.readonly","https://jans.io/oauth/config/agama-repo.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('1eee190b-c2fb-455c-8ef4-0c22fde9f73a','1eee190b-c2fb-455c-8ef4-0c22fde9f73a','inum=1eee190b-c2fb-455c-8ef4-0c22fde9f73a,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','authentication','WRITE','["https://jans.io/oauth/config/database/ldap.write","https://jans.io/oauth/jans-auth-server/config/properties.write","https://jans.io/oauth/config/agama.write","https://jans.io/oauth/config/agama-repo.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb);
-- SQL file to insert all 54 records into adminUIResourceScopesMapping with scopes as jsonb
-- Second batch of (resource, accessType) -> scopes rows.
-- NOTE(review): 'session'/'READ' carries "revoke_session", a state-changing scope,
-- alongside session.readonly; least privilege would leave revocation on the DELETE row
-- only — confirm the read-only session view actually needs it.
-- NOTE(review): the 'cache' and 'persistence' rows omit the adminui logging.write scope
-- that every other row carries; confirm whether that is deliberate.
INSERT INTO "adminUIResourceScopesMapping" (doc_id, inum, dn, "objectClass", resource, "accessType", scopes) VALUES
('1b64711b-9935-49e9-be27-35f92e40fac3','1b64711b-9935-49e9-be27-35f92e40fac3','inum=1b64711b-9935-49e9-be27-35f92e40fac3,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','configApiConfiguration','READ','["https://jans.io/oauth/config/properties.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('87a66767-b740-4357-acb3-d37299f7d760','87a66767-b740-4357-acb3-d37299f7d760','inum=87a66767-b740-4357-acb3-d37299f7d760,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','configApiConfiguration','WRITE','["https://jans.io/oauth/config/properties.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- session: READ and DELETE both grant revoke_session (see note above).
('7ceb0830-8b3d-455b-ba03-28cd4e7e9385','7ceb0830-8b3d-455b-ba03-28cd4e7e9385','inum=7ceb0830-8b3d-455b-ba03-28cd4e7e9385,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','session','READ','["https://jans.io/oauth/jans-auth-server/session.readonly","revoke_session","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('26c54ba2-0adb-47d1-b64d-5266d75ef6d6','26c54ba2-0adb-47d1-b64d-5266d75ef6d6','inum=26c54ba2-0adb-47d1-b64d-5266d75ef6d6,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','session','DELETE','["https://jans.io/oauth/jans-auth-server/session.delete","revoke_session","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('37488733-1b14-4648-a270-2c0f4dec2813','37488733-1b14-4648-a270-2c0f4dec2813','inum=37488733-1b14-4648-a270-2c0f4dec2813,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','users','READ','["https://jans.io/oauth/config/user.readonly","https://jans.io/oauth/config/attributes.readonly","https://jans.io/oauth/jans-auth-server/config/properties.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('b4952238-fae5-4d62-bfed-8a8e343fdffc','b4952238-fae5-4d62-bfed-8a8e343fdffc','inum=b4952238-fae5-4d62-bfed-8a8e343fdffc,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','users','WRITE','["https://jans.io/oauth/config/user.write","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('3f2d534e-13e3-46a5-8062-de37d7c5da75','3f2d534e-13e3-46a5-8062-de37d7c5da75','inum=3f2d534e-13e3-46a5-8062-de37d7c5da75,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','users','DELETE','["https://jans.io/oauth/config/user.delete","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('c938bb27-ba6a-41f5-9506-86746e8c92bb','c938bb27-ba6a-41f5-9506-86746e8c92bb','inum=c938bb27-ba6a-41f5-9506-86746e8c92bb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scripts','READ','["https://jans.io/oauth/config/scripts.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('9c8e3351-8ac9-4bb9-8548-f63d7f1a56eb','9c8e3351-8ac9-4bb9-8548-f63d7f1a56eb','inum=9c8e3351-8ac9-4bb9-8548-f63d7f1a56eb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scripts','WRITE','["https://jans.io/oauth/config/scripts.write","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('3da24565-7d2b-4bc4-9f33-9b4720741fb1','3da24565-7d2b-4bc4-9f33-9b4720741fb1','inum=3da24565-7d2b-4bc4-9f33-9b4720741fb1,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scripts','DELETE','["https://jans.io/oauth/config/scripts.delete","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('c3359124-ee0b-4df6-9290-0f6a6837808c','c3359124-ee0b-4df6-9290-0f6a6837808c','inum=c3359124-ee0b-4df6-9290-0f6a6837808c,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','attributes','READ','["https://jans.io/oauth/config/attributes.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('a9c5bae2-7e18-4dc4-904b-b1b756fc9807','a9c5bae2-7e18-4dc4-904b-b1b756fc9807','inum=a9c5bae2-7e18-4dc4-904b-b1b756fc9807,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','attributes','WRITE','["https://jans.io/oauth/config/attributes.write","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('e2532e04-f656-455e-83b6-10c1e2ab24bb','e2532e04-f656-455e-83b6-10c1e2ab24bb','inum=e2532e04-f656-455e-83b6-10c1e2ab24bb,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','attributes','DELETE','["https://jans.io/oauth/config/attributes.delete","https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- cache / persistence: no adminui logging.write scope on these rows (see note above).
('45e1e36f-6225-4701-93a4-33b5afac2ed8','45e1e36f-6225-4701-93a4-33b5afac2ed8','inum=45e1e36f-6225-4701-93a4-33b5afac2ed8,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','cache','READ','["https://jans.io/oauth/config/cache.readonly"]'::jsonb),
('766e21e3-ea1c-4421-8b1a-8c7cfeb20699','766e21e3-ea1c-4421-8b1a-8c7cfeb20699','inum=766e21e3-ea1c-4421-8b1a-8c7cfeb20699,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','cache','WRITE','["https://jans.io/oauth/config/cache.write"]'::jsonb),
('a315242a-2eac-42cf-8d67-63072f1465bf','a315242a-2eac-42cf-8d67-63072f1465bf','inum=a315242a-2eac-42cf-8d67-63072f1465bf,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','persistence','READ','["https://jans.io/oauth/jans-auth-server/config/properties.readonly"]'::jsonb),
('e9dea5be-d659-49cf-88aa-38e240e37aa6','e9dea5be-d659-49cf-88aa-38e240e37aa6','inum=e9dea5be-d659-49cf-88aa-38e240e37aa6,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','smtp','READ','["https://jans.io/oauth/config/smtp.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('67b8301b-7adc-4b7f-8ffe-dc6c12a57bae','67b8301b-7adc-4b7f-8ffe-dc6c12a57bae','inum=67b8301b-7adc-4b7f-8ffe-dc6c12a57bae,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','smtp','WRITE','["https://jans.io/oauth/config/smtp.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb);
-- Third batch: SCIM, FIDO, SAML and Lock rows.
-- NOTE(review): 'saml'/'DELETE' grants "https://jans.io/oauth/config/saml.write" in place
-- of a dedicated delete scope, so a DELETE-only policy on saml also gets write access to
-- the SAML configuration (as the scope name suggests) — confirm that is acceptable.
-- NOTE(review): the 'lock' rows use a bare scope name ("jans_stat") next to URL-style ones
-- and omit the adminui logging.write scope; confirm both are intentional.
INSERT INTO "adminUIResourceScopesMapping" (doc_id, inum, dn, "objectClass", resource, "accessType", scopes) VALUES
('92f0f66b-5618-40c6-8c48-744bd03fbeae','92f0f66b-5618-40c6-8c48-744bd03fbeae','inum=92f0f66b-5618-40c6-8c48-744bd03fbeae,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scim','READ','["https://jans.io/scim/config.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('bae361b3-6013-4812-94d2-b04e4d55a5a2','bae361b3-6013-4812-94d2-b04e4d55a5a2','inum=bae361b3-6013-4812-94d2-b04e4d55a5a2,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','scim','WRITE','["https://jans.io/scim/config.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('9846cf37-e701-4c52-881f-3d433233bf58','9846cf37-e701-4c52-881f-3d433233bf58','inum=9846cf37-e701-4c52-881f-3d433233bf58,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','fido','READ','["https://jans.io/oauth/config/fido2.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('4a953049-ddf1-4d55-aa4f-760f08b584a0','4a953049-ddf1-4d55-aa4f-760f08b584a0','inum=4a953049-ddf1-4d55-aa4f-760f08b584a0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','fido','WRITE','["https://jans.io/oauth/config/fido2.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('ce8c6212-a183-4b71-bc4b-3dfef88d1cd0','ce8c6212-a183-4b71-bc4b-3dfef88d1cd0','inum=ce8c6212-a183-4b71-bc4b-3dfef88d1cd0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','saml','READ','["https://jans.io/oauth/config/saml-config.readonly","https://jans.io/oauth/config/saml.readonly","https://jans.io/idp/saml.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('5e01fe2a-86f6-4f3b-ac84-ec8928bbe78f','5e01fe2a-86f6-4f3b-ac84-ec8928bbe78f','inum=5e01fe2a-86f6-4f3b-ac84-ec8928bbe78f,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','saml','WRITE','["https://jans.io/oauth/config/saml-config.write","https://jans.io/idp/saml.write","https://jans.io/oauth/config/saml.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- saml DELETE reuses saml.write (see note above).
('0dbbcf8f-6c5f-4d1b-90f6-985dd694d20a','0dbbcf8f-6c5f-4d1b-90f6-985dd694d20a','inum=0dbbcf8f-6c5f-4d1b-90f6-985dd694d20a,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','saml','DELETE','["https://jans.io/idp/saml.delete","https://jans.io/oauth/config/saml.write","https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('9fa4b8c8-e980-440e-b3cd-4ac1f01f8338','9fa4b8c8-e980-440e-b3cd-4ac1f01f8338','inum=9fa4b8c8-e980-440e-b3cd-4ac1f01f8338,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','lock','READ','["https://jans.io/oauth/lock-config.readonly","https://jans.io/oauth/lock/read-all","jans_stat","https://jans.io/oauth/lock/telemetry.readonly"]'::jsonb),
('4cb58914-f463-4015-beae-a36c38ec9f53','4cb58914-f463-4015-beae-a36c38ec9f53','inum=4cb58914-f463-4015-beae-a36c38ec9f53,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','lock','WRITE','["https://jans.io/oauth/lock-config.write","https://jans.io/oauth/lock/telemetry.write","https://jans.io/oauth/lock/log.write","https://jans.io/oauth/lock/health.write"]'::jsonb);
-- Fourth batch: Admin UI security (RBAC) and SSA rows.
-- NOTE(review): the 'security' rows map, by their scope names, to the Admin UI's own
-- role / permission / rolePermissionMapping endpoints. WRITE here lets the holder change
-- which roles get which permissions — i.e. escalate its own role — so any policy granting
-- WRITE on 'security' should be treated as admin-equivalent and reviewed as such.
-- NOTE(review): 'ssa'/'WRITE' and 'ssa'/'DELETE' carry the identical scope set
-- (ssa.admin + properties.write + logging.write), so DELETE is not narrower than WRITE;
-- both also pull in jans-auth-server properties.write, a broad config-write scope by
-- name — confirm the SSA screens need it rather than an SSA-specific scope.
INSERT INTO "adminUIResourceScopesMapping" (doc_id, inum, dn, "objectClass", resource, "accessType", scopes) VALUES
('ae8c6212-a183-4b71-bc4b-3dfef88d1cd0','ae8c6212-a183-4b71-bc4b-3dfef88d1cd0','inum=ae8c6212-a183-4b71-bc4b-3dfef88d1cd0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','security','READ','["https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly","https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly", "https://jans.io/oauth/jans-auth-server/config/adminui/security.readonly", "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('ae01fe2a-86f6-4f3b-ac84-ec8928bbe78f','ae01fe2a-86f6-4f3b-ac84-ec8928bbe78f','inum=ae01fe2a-86f6-4f3b-ac84-ec8928bbe78f,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','security','WRITE','["https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write","https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write","https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write", "https://jans.io/oauth/jans-auth-server/config/adminui/security.write", "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('adbbcf8f-6c5f-4d1b-90f6-985dd694d20a','adbbcf8f-6c5f-4d1b-90f6-985dd694d20a','inum=adbbcf8f-6c5f-4d1b-90f6-985dd694d20a,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','security','DELETE','["https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete","https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete", "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete", "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
-- ssa READ grants the developer and portal SSA scopes plus properties.readonly.
('be8c6212-a183-4b71-bc4b-3dfef88d1cd0','be8c6212-a183-4b71-bc4b-3dfef88d1cd0','inum=be8c6212-a183-4b71-bc4b-3dfef88d1cd0,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','ssa','READ','["https://jans.io/auth/ssa.developer", "https://jans.io/auth/ssa.portal", "https://jans.io/oauth/jans-auth-server/config/properties.readonly", "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('be01fe2a-86f6-4f3b-ac84-ec8928bbe78f','be01fe2a-86f6-4f3b-ac84-ec8928bbe78f','inum=be01fe2a-86f6-4f3b-ac84-ec8928bbe78f,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','ssa','WRITE','["https://jans.io/auth/ssa.admin", "https://jans.io/oauth/jans-auth-server/config/properties.write", "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb),
('bdbbcf8f-6c5f-4d1b-90f6-985dd694d20a','bdbbcf8f-6c5f-4d1b-90f6-985dd694d20a','inum=bdbbcf8f-6c5f-4d1b-90f6-985dd694d20a,ou=adminUIResourceScopesMapping,ou=admin-ui,o=jans','adminUIResourceScopesMapping','ssa','DELETE','["https://jans.io/auth/ssa.admin", "https://jans.io/oauth/jans-auth-server/config/properties.write", "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"]'::jsonb);
Policy Store
https://raw.githubusercontent.com/duttarnab/cedarling_store/refs/heads/agama-lab-policy-designer/3cf98caf8e7fdb289c922ba9514118dcba716ce426ae.json

Code to create the role-to-scopes mapping from the policy store
package org.example;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
/**
 * Maps the principals (roles) referenced by policy-store policies to the OAuth scopes
 * derived from the SQL resource/accessType-to-scopes rows.
 *
 * Key functionalities:
 * - Decodes base64 policy_content for each policy
 * - Extracts principals matching pattern Gluu::Flex::AdminUI::Role::...
 * - Extracts the resource and action names from the policy text with regexes
 * - Expands each resource, via the store's decoded schema, into the entity types that
 *   are or belong to it, and looks up each entity~action pair in the SQL mapping
 *   (the schema is required: without it no pair is produced and no scope is granted)
 *
 * Returns: Map<principal, Set<scopes>>
 */
public final class PolicyToScopeMapper {
// Constants
// Shared Jackson mapper; used for readTree() and for creating ArrayNodes.
private static final ObjectMapper MAPPER = new ObjectMapper();
// Locale for every case fold so role/resource keys do not depend on the JVM default locale.
private static final Locale DEFAULT_LOCALE = Locale.ROOT;
// Regex patterns for parsing Cedar DSL.
// NOTE(review): these run over the raw policy text, so they also match inside comments
// and inside `forbid` policies, and nothing here reads a `when`/`unless` condition;
// the extracted principal/action/resource triples are an approximation of the policy,
// not its evaluated meaning.
// Captures the role name in Gluu::Flex::AdminUI::Role::"name" (the closing quote is
// not consumed, so the captured group is the bare name).
private static final Pattern PRINCIPAL_PATTERN =
Pattern.compile("Gluu::Flex::AdminUI::Role::\"([A-Za-z0-9_\\-\\.]+)");
// Captures everything after `resource ==|in|is` up to the next `;` or newline.
private static final Pattern RESOURCE_ASSIGNMENT_PATTERN =
Pattern.compile("resource\\s*(?:==|in|is)\\s*([^;\\n]+)");
// `action == X` form; extractActionsFromPolicy uses only the first match.
private static final Pattern SINGLE_ACTION_PATTERN =
Pattern.compile("action\\s*==\\s*([^;\\n]+)");
// `action in [A, B, ...]` form; the negated class spans newlines, so a multi-line list is
// captured whole and split on commas by the caller.
private static final Pattern MULTI_ACTION_PATTERN =
Pattern.compile("action\\s*in\\s*\\[([^\\]]+)\\]");
// Static-only utility: the constructor is private so no instance can be created.
private PolicyToScopeMapper() {
// Utility class - prevent instantiation
}
/**
 * Entry point: for every principal referenced by a policy, accumulates the scopes mapped
 * to the (resource, action) pairs that policy names.
 *
 * @param policyStoreJson root JSON holding a {@code policy_stores} array or object
 *                        (see getPolicyStoresArray for how a bare store is handled)
 * @param resourcesJson   JSON array of rows with {@code resource}, {@code accessType}
 *                        and {@code scopes} fields, as exported from the SQL table
 * @return map from lower-cased principal name to the set of scopes it accumulates;
 *         empty when no policy could be parsed
 */
public static Map<String, Set<String>> mapPrincipalsToScopes(JsonNode policyStoreJson, JsonNode resourcesJson) {
    final Map<String, Set<String>> scopesByResourceAction = buildResourceToScopes(resourcesJson);
    final Set<String> knownKeys = scopesByResourceAction.keySet();
    final Map<String, Set<String>> result = new HashMap<>();

    for (JsonNode store : getPolicyStoresArray(policyStoreJson)) {
        ArrayNode policies = getArrayNode(store, "policies");
        if (policies == null) {
            continue;
        }
        policies.forEach(policy ->
            processPolicy(policy, store, scopesByResourceAction, knownKeys, result));
    }
    return result;
}
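/** Matches the effect keyword that opens a Cedar policy. Annotations such as
 *  {@code @id("...")} precede it, so the match is not anchored to the start of the text. */
private static final Pattern PERMIT_EFFECT_PATTERN = Pattern.compile("\\bpermit\\s*\\(");
private static final Pattern FORBID_EFFECT_PATTERN = Pattern.compile("\\bforbid\\s*\\(");

/**
 * Processes a single policy: decodes its Cedar text, extracts the principals it names and
 * attaches to each of them the scopes mapped to the policy's (resource, action) pairs.
 *
 * Only {@code permit} policies contribute scopes. A {@code forbid} policy names the same
 * principal/action/resource triple in order to deny it, so feeding it through the same
 * mapping would grant exactly the scopes the policy is meant to withhold; such policies
 * (and any text that mentions both effects) are skipped.
 *
 * NOTE(review): {@code when}/{@code unless} conditions are not parsed, so a conditional
 * permit still contributes all of its scopes unconditionally.
 * NOTE(review): {@code policy_content} and {@code schema} are read as base64 strings; if the
 * store uses an object form ({@code {"encoding": ..., "body": ...}}) they decode to null
 * here and the policy contributes nothing — confirm against the store format in use.
 *
 * @param policy            policy entry holding a base64 {@code policy_content} field
 * @param policyStore       enclosing store, holding the base64 {@code schema} field
 * @param resourceToCaps    {@code resource~accesstype} (lower-cased) to scopes
 * @param allResourceKeys   key set of {@code resourceToCaps}, for case-insensitive lookup
 * @param principalToScopes accumulator, updated in place
 */
private static void processPolicy(JsonNode policy, JsonNode policyStore,
                                  Map<String, Set<String>> resourceToCaps,
                                  Set<String> allResourceKeys,
                                  Map<String, Set<String>> principalToScopes) {
    String cedarDsl = decodeBase64ToString(policy, "policy_content");
    // Fail closed: undecodable or non-permit text grants nothing.
    if (cedarDsl == null || !isPermitPolicy(cedarDsl)) return;
    Set<String> principals = extractPrincipalsFromCedarDsl(cedarDsl);
    if (principals.isEmpty()) return;
    JsonNode schemaNode = decodeBase64ToJson(policyStore, "schema");
    Set<String> policyResources = extractResourceActionPairs(cedarDsl, schemaNode);
    Set<String> aggregatedScopes = aggregateScopes(policyResources, resourceToCaps, allResourceKeys);
    // Attach scopes to principals
    for (String principal : principals) {
        principalToScopes.computeIfAbsent(principal, k -> new HashSet<>()).addAll(aggregatedScopes);
    }
}

/**
 * True only when the text contains a {@code permit(} effect and no {@code forbid(} effect.
 * Anything ambiguous (both effects, or neither) is treated as not-permit so it contributes
 * no scopes.
 *
 * @param cedarDsl decoded Cedar policy text, non-null
 * @return whether the text is a plain permit policy
 */
private static boolean isPermitPolicy(String cedarDsl) {
    return PERMIT_EFFECT_PATTERN.matcher(cedarDsl).find()
        && !FORBID_EFFECT_PATTERN.matcher(cedarDsl).find();
}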
/**
 * Collects the scopes for every {@code resource~action} key produced from a policy.
 * Keys are lower-cased before lookup; null and empty entries are ignored.
 *
 * @param policyResources {@code resource~action} pairs from buildResourceActionPairs
 * @param resourceToCaps  lower-cased key to scopes mapping
 * @param allResourceKeys key set of {@code resourceToCaps}
 * @return union of all matched scope sets (never null)
 */
private static Set<String> aggregateScopes(Set<String> policyResources,
                                           Map<String, Set<String>> resourceToCaps,
                                           Set<String> allResourceKeys) {
    Set<String> collected = new HashSet<>();
    policyResources.stream()
        .filter(raw -> raw != null && !raw.isEmpty())
        .map(raw -> raw.toLowerCase(DEFAULT_LOCALE))
        .forEach(key -> findAndAddScopes(key, resourceToCaps, allResourceKeys, collected));
    return collected;
}
/**
 * Looks up {@code resourceKey} in {@code resourceToCaps} — exact match first, then the first
 * key that matches case-insensitively — and adds the scopes found to
 * {@code aggregatedScopes}. Adds nothing when there is no match.
 *
 * @param resourceKey      lookup key (callers pass it already lower-cased)
 * @param resourceToCaps   key to scopes mapping
 * @param allResourceKeys  key set of {@code resourceToCaps}
 * @param aggregatedScopes accumulator, updated in place
 */
private static void findAndAddScopes(String resourceKey,
                                     Map<String, Set<String>> resourceToCaps,
                                     Set<String> allResourceKeys,
                                     Set<String> aggregatedScopes) {
    String matchedKey = null;
    if (resourceToCaps.containsKey(resourceKey)) {
        matchedKey = resourceKey;
    } else {
        for (String candidate : allResourceKeys) {
            if (candidate.equalsIgnoreCase(resourceKey)) {
                matchedKey = candidate;
                break;
            }
        }
    }
    if (matchedKey != null) {
        aggregatedScopes.addAll(resourceToCaps.get(matchedKey));
    }
}
// ==================== HELPER METHODS ====================
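/**
 * Returns the stores to scan. When the root carries a {@code policy_stores} field it is
 * normalised to an array (an object keyed by store id becomes the array of its values);
 * when the field is absent the root itself is treated as a single store.
 *
 * Why the explicit presence check: getArrayNode never returns null for a non-null parent
 * (a missing field yields an empty array), so a null-check fallback never fired and a bare
 * store was silently ignored.
 *
 * @param policyStoreJson root JSON, may be null
 * @return non-null array of store nodes (empty for a null root)
 */
private static ArrayNode getPolicyStoresArray(JsonNode policyStoreJson) {
    if (policyStoreJson == null) {
        return MAPPER.createArrayNode();
    }
    JsonNode storesField = policyStoreJson.path("policy_stores");
    if (storesField.isMissingNode() || storesField.isNull()) {
        // No wrapper: the root is itself a single policy store.
        return MAPPER.createArrayNode().add(policyStoreJson);
    }
    return getArrayNode(policyStoreJson, "policy_stores");
}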
/**
 * Reads {@code field} from {@code parent} as an array: an array node is returned as-is, an
 * object node is flattened to the array of its values (keys dropped), and anything else
 * (missing, null, scalar) yields a new empty array.
 *
 * @param parent containing node; null yields null
 * @param field  field name to read
 * @return the array, or null only when {@code parent} is null
 */
private static ArrayNode getArrayNode(JsonNode parent, String field) {
    if (parent == null) {
        return null;
    }
    JsonNode value = parent.path(field);
    if (value != null && value.isArray()) {
        return (ArrayNode) value;
    }
    ArrayNode flattened = MAPPER.createArrayNode();
    if (value != null && value.isObject()) {
        Iterator<JsonNode> values = value.elements();
        while (values.hasNext()) {
            flattened.add(values.next());
        }
    }
    return flattened;
}
/**
 * Returns every role name written as {@code Gluu::Flex::AdminUI::Role::"name"} in the policy
 * text, lower-cased. The match is textual and applies anywhere in the text, comments included.
 *
 * @param cedarDsl decoded Cedar policy text
 * @return distinct lower-cased role names, possibly empty
 */
private static Set<String> extractPrincipalsFromCedarDsl(String cedarDsl) {
    Set<String> roles = new HashSet<>();
    for (Matcher m = PRINCIPAL_PATTERN.matcher(cedarDsl); m.find(); ) {
        roles.add(m.group(1).toLowerCase(DEFAULT_LOCALE));
    }
    return roles;
}
/**
 * Convenience wrapper: extracts the resources and actions named in the policy text and
 * expands them, via the schema, into {@code entity~action} pairs.
 *
 * @param policy     decoded Cedar policy text
 * @param schemaNode decoded schema JSON; null produces no pairs
 * @return lower-cased {@code entity~action} pairs
 */
private static Set<String> extractResourceActionPairs(String policy, JsonNode schemaNode) {
    return buildResourceActionPairs(
        extractResourcesFromPolicy(policy),
        extractActionsFromPolicy(policy),
        schemaNode);
}
/**
 * Finds every {@code resource ==|in|is ...} clause in the policy text and collects the
 * resource names it refers to, quotes and the {@code Gluu::Flex::AdminUI::Resources::}
 * prefix removed.
 *
 * @param policy decoded Cedar policy text
 * @return normalised resource names, possibly empty
 */
private static Set<String> extractResourcesFromPolicy(String policy) {
    Set<String> found = new HashSet<>();
    for (Matcher m = RESOURCE_ASSIGNMENT_PATTERN.matcher(policy); m.find(); ) {
        String operand = cleanValue(m.group(1));
        extractResourcesFromValue(operand, found);
    }
    return found;
}
/**
 * Splits a resource operand into individual resource names. A bracketed list
 * ({@code [A, B]}) is split on commas, with empty entries dropped; any other non-empty
 * text is a single resource. Each name is cleaned of quotes and namespace prefix.
 *
 * @param resourceValue cleaned operand text
 * @param resources     accumulator, updated in place
 */
private static void extractResourcesFromValue(String resourceValue, Set<String> resources) {
    boolean isList = resourceValue.startsWith("[") && resourceValue.endsWith("]");
    if (isList) {
        String inner = resourceValue.substring(1, resourceValue.length() - 1);
        for (String part : inner.split(",")) {
            String name = normalizeResource(cleanValue(part));
            if (!name.isEmpty()) {
                resources.add(name);
            }
        }
    } else if (!resourceValue.isEmpty()) {
        resources.add(normalizeResource(resourceValue));
    }
}
/**
 * Collects the action names in the policy text: the first {@code action == X} clause and
 * the first {@code action in [X, Y, ...]} list, each stripped of quotes and of the
 * {@code Gluu::Flex::AdminUI::Action::} prefix. Only the first match of each form is read.
 *
 * @param policy decoded Cedar policy text
 * @return normalised action names, possibly empty
 */
private static Set<String> extractActionsFromPolicy(String policy) {
    Set<String> found = new HashSet<>();
    Matcher single = SINGLE_ACTION_PATTERN.matcher(policy);
    if (single.find()) {
        found.add(normalizeAction(cleanValue(single.group(1))));
    }
    Matcher listed = MULTI_ACTION_PATTERN.matcher(policy);
    if (listed.find()) {
        for (String item : listed.group(1).split(",")) {
            String name = normalizeAction(cleanValue(item));
            if (!name.isEmpty()) {
                found.add(name);
            }
        }
    }
    return found;
}
/**
 * Expands each policy resource into the schema entity types that are, or are members of,
 * that resource and pairs every such entity type with every action. With a null schema
 * nothing can be expanded and the result is empty.
 *
 * @param resources  normalised resource names from the policy
 * @param actions    normalised action names from the policy
 * @param schemaNode decoded schema JSON, may be null
 * @return lower-cased {@code entity~action} strings with double quotes removed
 */
private static Set<String> buildResourceActionPairs(Set<String> resources, Set<String> actions, JsonNode schemaNode) {
    Set<String> pairs = new HashSet<>();
    if (schemaNode == null) {
        return pairs;
    }
    for (String resource : resources) {
        // Only the entity-type names are needed; the memberOf sets are not used here.
        for (String entity : buildEntityTypeIndex(schemaNode, resource).keySet()) {
            for (String action : actions) {
                String pair = (entity + "~" + action).toLowerCase(DEFAULT_LOCALE).replace("\"", "");
                pairs.add(pair);
            }
        }
    }
    return pairs;
}
/**
 * Removes every occurrence of the {@code Gluu::Flex::AdminUI::Resources::} namespace prefix
 * (not only a leading one) and trims surrounding whitespace.
 *
 * @param value raw resource text, non-null
 * @return the bare resource name
 */
private static String normalizeResource(String value) {
    String stripped = value.replace("Gluu::Flex::AdminUI::Resources::", "");
    return stripped.trim();
}
/**
 * Removes every occurrence of the {@code Gluu::Flex::AdminUI::Action::} namespace prefix
 * (not only a leading one) and trims surrounding whitespace.
 *
 * @param value raw action text, non-null
 * @return the bare action name
 */
private static String normalizeAction(String value) {
    String stripped = value.replace("Gluu::Flex::AdminUI::Action::", "");
    return stripped.trim();
}
/**
 * Trims {@code value}, strips one leading and/or trailing double quote, then one leading
 * and/or trailing single quote, and trims again. A quote on only one side is removed too;
 * quotes in the middle of the text are left alone.
 *
 * @param value raw operand text, may be null
 * @return cleaned text, or null when {@code value} is null
 */
private static String cleanValue(String value) {
    if (value == null) {
        return null;
    }
    String text = value.trim();
    for (String quote : new String[] {"\"", "'"}) {
        text = text.replaceAll("^" + quote + "|" + quote + "$", "");
    }
    return text.trim();
}
/**
 * Builds the {@code resource~accesstype} (lower-cased) to scopes index from the SQL rows.
 * Rows lacking a resource or access type are skipped; rows that repeat a key have their
 * scope sets unioned, so a duplicate row widens rather than replaces the grant.
 *
 * @param resourcesJson array of rows, or an object with a {@code resources} array; may be null
 * @return mutable index, empty when the input is null or has no usable rows
 */
private static Map<String, Set<String>> buildResourceToScopes(JsonNode resourcesJson) {
    Map<String, Set<String>> index = new HashMap<>();
    if (resourcesJson == null) {
        return index;
    }
    for (JsonNode row : extractResourcesArray(resourcesJson)) {
        String resource = firstNonEmptyText(row, "resource", "name");
        String accessType = firstNonEmptyText(row, "access_type", "accessType", "type");
        if (resource == null || accessType == null) {
            continue;
        }
        String key = (resource + "~" + accessType).toLowerCase(DEFAULT_LOCALE);
        index.computeIfAbsent(key, k -> new HashSet<>()).addAll(extractScopes(row));
    }
    return index;
}
/**
 * Normalises the rows input: an array is returned directly; an object is expected to carry
 * the rows under {@code resources}; anything else yields no rows.
 *
 * @param resourcesJson non-null rows JSON
 * @return iterable over row nodes, never null
 */
private static Iterable<JsonNode> extractResourcesArray(JsonNode resourcesJson) {
    if (resourcesJson.isArray()) {
        return resourcesJson;
    }
    JsonNode nested = resourcesJson.path("resources");
    if (nested.isArray()) {
        return nested;
    }
    return Collections.emptyList();
}
/**
 * Reads the string entries of a row's {@code scopes} array ({@code capability} is accepted
 * as an alternate field name). Non-string entries are ignored; a missing or non-array field
 * yields an empty set.
 *
 * @param item one SQL row as JSON
 * @return mutable set of scope strings
 */
private static Set<String> extractScopes(JsonNode item) {
    Set<String> scopes = new HashSet<>();
    JsonNode list = item.has("scopes") ? item.get("scopes") : item.get("capability");
    if (list == null || !list.isArray()) {
        return scopes;
    }
    for (JsonNode entry : list) {
        if (entry.isTextual()) {
            scopes.add(entry.asText());
        }
    }
    return scopes;
}
/**
 * Decodes the base64 text field {@code field} of {@code parent} to a UTF-8 string.
 * NOTE(review): this is java.util.Base64's basic decoder, which rejects the URL-safe
 * alphabet and embedded line breaks; such input reads as null here and the policy is
 * silently skipped — confirm the store's encoding.
 *
 * @param parent containing node, may be null
 * @param field  field name
 * @return decoded text, or null when the field is missing/empty or not valid base64
 */
private static String decodeBase64ToString(JsonNode parent, String field) {
    String encoded = getFieldAsText(parent, field);
    if (encoded == null) {
        return null;
    }
    byte[] decoded;
    try {
        decoded = Base64.getDecoder().decode(encoded);
    } catch (IllegalArgumentException invalidBase64) {
        return null;
    }
    return new String(decoded, StandardCharsets.UTF_8);
}
/**
 * Decodes the base64 text field {@code field} of {@code parent} and parses it as JSON.
 *
 * @param parent containing node, may be null
 * @param field  field name
 * @return parsed JSON tree, or null when the field is missing/empty, not valid base64,
 *         or not parseable JSON
 */
private static JsonNode decodeBase64ToJson(JsonNode parent, String field) {
    String encoded = getFieldAsText(parent, field);
    if (encoded == null) {
        return null;
    }
    try {
        String json = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        return MAPPER.readTree(json);
    } catch (IllegalArgumentException | IOException malformed) {
        return null;
    }
}
/**
 * Reads {@code field} of {@code parent} as text, treating missing, null and empty values
 * as absent.
 * NOTE(review): for an object-valued field Jackson's asText() is empty, so an object form
 * of {@code policy_content}/{@code schema} would read as null here — confirm the store
 * format if policies unexpectedly contribute no scopes.
 *
 * @param parent containing node, may be null
 * @param field  field name
 * @return the non-empty text, or null
 */
private static String getFieldAsText(JsonNode parent, String field) {
    JsonNode value = parent == null ? null : parent.path(field);
    if (value == null || value.isMissingNode() || value.isNull()) {
        return null;
    }
    String text = value.asText("");
    return text.isEmpty() ? null : text;
}
/**
 * Indexes the schema's entity types that match {@code resource} — by name, or by listing it
 * in {@code memberOfTypes} — as lower-cased type name to its memberOf set.
 *
 * @param schemaJson decoded schema JSON, may be null
 * @param resource   normalised resource name, may be null
 * @return mutable index, empty when either argument is null or no entityTypes node exists
 */
private static Map<String, Set<String>> buildEntityTypeIndex(JsonNode schemaJson, String resource) {
    Map<String, Set<String>> index = new HashMap<>();
    if (schemaJson == null || resource == null) {
        return index;
    }
    String wanted = resource.toLowerCase(DEFAULT_LOCALE);
    JsonNode entityTypes = findEntityTypesNode(schemaJson);
    if (entityTypes == null || entityTypes.isMissingNode()) {
        return index;
    }
    if (entityTypes.isObject()) {
        processEntityTypesObject(entityTypes, wanted, index);
    } else if (entityTypes.isArray()) {
        processEntityTypesArray(entityTypes, wanted, index);
    }
    return index;
}
/**
 * Locates the {@code entityTypes} node: first under the hard-coded
 * {@code Gluu::Flex::AdminUI::Resources} namespace, otherwise via a generic search for any
 * {@code entityTypes} field (findNodeByFieldName, defined elsewhere in this class).
 * NOTE(review): the fallback does not check which namespace it lands in, so a schema that
 * uses a different namespace may be resolved against an unrelated set of entity types.
 *
 * @param schemaJson decoded schema JSON, non-null
 * @return the entityTypes node, or whatever the fallback returns (possibly null)
 */
private static JsonNode findEntityTypesNode(JsonNode schemaJson) {
    JsonNode namespace = schemaJson.path("Gluu::Flex::AdminUI::Resources");
    if (namespace.has("entityTypes")) {
        return namespace.get("entityTypes");
    }
    return findNodeByFieldName(schemaJson, "entityTypes");
}
/**
 * Indexes entity types given as an object keyed by entity type name.
 * Only types accepted by shouldIncludeEntityType are added; keys are lower-cased with
 * {@code DEFAULT_LOCALE}.
 *
 * @param entityTypesNode object mapping entity type name to its definition
 * @param resourceLower   lower-cased resource name to match
 * @param index           destination map, mutated in place
 */
private static void processEntityTypesObject(JsonNode entityTypesNode, String resourceLower,
                                             Map<String, Set<String>> index) {
    var fields = entityTypesNode.fields();
    while (fields.hasNext()) {
        Map.Entry<String, JsonNode> field = fields.next();
        String typeName = field.getKey();
        JsonNode definition = field.getValue();
        if (!shouldIncludeEntityType(typeName, definition, resourceLower)) {
            continue;
        }
        index.put(typeName.toLowerCase(DEFAULT_LOCALE), extractMemberOfTypes(definition));
    }
}
/**
 * Indexes entity types given as an array of definitions. The type name is taken from the
 * first non-blank of the {@code name}, {@code entityType} or {@code id} fields; definitions
 * without a name are skipped. Keys are lower-cased with {@code DEFAULT_LOCALE}.
 *
 * @param entityTypesNode array of entity type definitions
 * @param resourceLower   lower-cased resource name to match
 * @param index           destination map, mutated in place
 */
private static void processEntityTypesArray(JsonNode entityTypesNode, String resourceLower,
                                            Map<String, Set<String>> index) {
    for (JsonNode definition : entityTypesNode) {
        String typeName = firstNonEmptyText(definition, "name", "entityType", "id");
        if (typeName != null && shouldIncludeEntityType(typeName, definition, resourceLower)) {
            index.put(typeName.toLowerCase(DEFAULT_LOCALE), extractMemberOfTypes(definition));
        }
    }
}
/**
 * Decides whether an entity type represents the requested resource: either its name equals
 * the resource, or one of its {@code memberOfTypes} entries does. Both comparisons are
 * case-insensitive.
 * NOTE(review): because the comparison ignores case, two schema types that differ only in
 * case would both be selected for one resource and contribute that resource's scopes.
 * Confirm this is the intended semantics for the schema in use.
 *
 * @param entityTypeName name of the entity type
 * @param entityTypeNode its definition, read for {@code memberOfTypes}
 * @param resourceLower  lower-cased resource name
 * @return true when the type or one of its member-of types matches the resource
 */
private static boolean shouldIncludeEntityType(String entityTypeName, JsonNode entityTypeNode, String resourceLower) {
    if (entityTypeName.equalsIgnoreCase(resourceLower)) {
        return true;
    }
    JsonNode memberOfTypes = entityTypeNode.path("memberOfTypes");
    if (!memberOfTypes.isArray()) {
        return false;
    }
    for (JsonNode parentType : memberOfTypes) {
        if (parentType.isTextual() && parentType.asText().equalsIgnoreCase(resourceLower)) {
            return true;
        }
    }
    return false;
}
/**
 * Collects the {@code memberOfTypes} of an entity type, lower-cased with {@code DEFAULT_LOCALE}.
 * Non-text entries, and a missing or non-array field, are ignored.
 *
 * @param entityTypeNode entity type definition
 * @return mutable set of lower-cased parent type names; empty when there are none
 */
private static Set<String> extractMemberOfTypes(JsonNode entityTypeNode) {
    Set<String> parentTypes = new HashSet<>();
    JsonNode memberOfTypes = entityTypeNode.path("memberOfTypes");
    if (!memberOfTypes.isArray()) {
        return parentTypes;
    }
    for (JsonNode parentType : memberOfTypes) {
        if (!parentType.isTextual()) {
            continue;
        }
        parentTypes.add(parentType.asText().toLowerCase(DEFAULT_LOCALE));
    }
    return parentTypes;
}
/**
 * Depth-first search for the first container that has a field named {@code fieldName};
 * returns that field's value.
 * <p>
 * Children are pushed in document order and popped last-in-first-out, so later siblings
 * (and their subtrees) are examined before earlier ones. With several candidate fields in
 * the tree the result is deterministic, but it is not the first match in document order.
 *
 * @param root      tree to search; null yields null
 * @param fieldName field name to look for
 * @return the matching field's value (which may be a JSON null node), or null when absent
 */
private static JsonNode findNodeByFieldName(JsonNode root, String fieldName) {
    if (root == null) {
        return null;
    }
    Deque<JsonNode> pending = new ArrayDeque<>();
    pending.addFirst(root);
    while (!pending.isEmpty()) {
        JsonNode current = pending.removeFirst();
        JsonNode match = current.get(fieldName);
        if (match != null) {
            return match;
        }
        if (current.isContainerNode()) {
            for (JsonNode child : current) {
                pending.addFirst(child);
            }
        }
    }
    return null;
}
/**
 * Returns the trimmed text of the first listed field that is present, textual and non-blank.
 *
 * @param node       object to read from; null yields null
 * @param fieldNames candidate field names, checked in the given order
 * @return the first non-blank trimmed value, or null when none qualifies
 */
private static String firstNonEmptyText(JsonNode node, String... fieldNames) {
    if (node == null) {
        return null;
    }
    for (String fieldName : fieldNames) {
        JsonNode candidate = node.get(fieldName);
        if (candidate == null || !candidate.isTextual()) {
            continue;
        }
        String text = candidate.asText().trim();
        if (!text.isEmpty()) {
            return text;
        }
    }
    return null;
}
// ==================== MAIN & UTILITY METHODS ====================
/**
 * Fetches a policy store document from {@code policyStoreUrl}, parses it and delegates to
 * mapPrincipalsToScopes.
 * <p>
 * NOTE(review): the URL is used as given - any scheme {@link URL} accepts is allowed (not
 * only https), this code sets no connect/read timeout or response size limit, and the
 * fetched document is trusted as the source of the role-to-scope mapping. Only pass URLs
 * taken from trusted configuration, never from request input.
 *
 * @param policyStoreUrl location of the policy store JSON
 * @param resourcesJson  resource-to-scopes rows (see getSampleSqlJson for the expected shape)
 * @return principal (role) to aggregated scope set mapping
 * @throws IOException when the URL is malformed, the fetch fails or the body is not JSON
 */
public static Map<String, Set<String>> mapPrincipalsToScopesFromPolicyStoreUrl(String policyStoreUrl,
                                                                                JsonNode resourcesJson)
        throws IOException {
    URL location = new URL(policyStoreUrl);
    JsonNode policyStore = MAPPER.readTree(location);
    return mapPrincipalsToScopes(policyStore, resourcesJson);
}
/**
 * Demo entry point: loads a sample policy store from a fixed GitHub raw URL, combines it with
 * the bundled sample resource-to-scopes rows and prints the resulting role-to-scopes map.
 * NOTE(review): the URL points at a personal fork branch and is fetched over the network;
 * whatever that file contains is trusted. Keep this for local experiments only.
 *
 * @param args ignored
 */
public static void main(String[] args) {
    String policyStoreUrl = "https://raw.githubusercontent.com/duttarnab/cedarling_store/refs/heads/agama-lab-policy-designer/3cf98caf8e7fdb289c922ba9514118dcba716ce426ae.json";
    try {
        JsonNode resourcesJson = new ObjectMapper().readTree(getSampleSqlJson());
        Map<String, Set<String>> roleToScopes =
                PolicyToScopeMapper.mapPrincipalsToScopesFromPolicyStoreUrl(policyStoreUrl, resourcesJson);
        System.out.println("===== PRINCIPAL → SCOPES MAPPING =====");
        for (Map.Entry<String, Set<String>> entry : roleToScopes.entrySet()) {
            System.out.println(entry.getKey() + " => " + entry.getValue());
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
}
/**
 * Sample rows of the {@code adminui_resource_scopes_mapping} table as a JSON array, used by
 * {@link #main(String[])} in place of a database.
 * Each element carries {@code resource}, {@code access_type} (READ, WRITE or DELETE) and the
 * {@code scopes} to add to the access token when a policy grants that action on that resource.
 * <p>
 * NOTE(review): most rows - including READ rows such as "dashboard" and "license" - carry
 * {@code https://jans.io/oauth/jans-auth-server/config/adminui/logging.write}, i.e. a write
 * scope is granted for read-only access. The default configuration further down in this file
 * flags that scope as essentialPermissionInAdminUI, so this looks deliberate, but confirm the
 * scope cannot change anything beyond the Admin UI's own logging. Several WRITE/DELETE rows
 * also carry read scopes of other resources (webhook.readonly, properties.readonly); verify
 * each one is needed by the UI flow rather than copied along.
 *
 * @return the JSON text of the sample mapping
 */
private static String getSampleSqlJson() {
// Test fixture only; it mirrors the shape of the adminui_resource_scopes_mapping rows.
return """
[
{
"resource": "dashboard",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/stats.readonly",
"jans_stat",
"https://jans.io/oauth/config/data.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "license",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "license",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/adminui/license.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "mau",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/stats.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "settings",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "settings",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/adminui/properties.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "webhooks",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "webhooks",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "webhooks",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "assets",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/jans_asset-read",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "assets",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/jans_asset-write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "assets",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/config/jans_asset-delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "auditLogs",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/logging.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "clients",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/openid/clients.readonly",
"https://jans.io/oauth/config/scopes.readonly",
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "clients",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/openid/clients.write",
"https://jans.io/oauth/config/scopes.readonly",
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/jans-auth-server/config/properties.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "clients",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/config/openid/clients.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scopes",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/scopes.readonly",
"https://jans.io/oauth/config/attributes.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scopes",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/scopes.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scopes",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/config/scopes.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "keys",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/jwks.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "authenticationServerConfiguration",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/properties.readonly",
"https://jans.io/oauth/config/acrs.readonly",
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "authenticationServerConfiguration",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/properties.write",
"https://jans.io/oauth/config/acrs.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "logging",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/logging.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "logging",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/logging.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "authentication",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/database/ldap.readonly",
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/config/acrs.readonly",
"https://jans.io/oauth/jans-auth-server/config/properties.readonly",
"https://jans.io/oauth/config/agama.readonly",
"https://jans.io/oauth/config/agama-repo.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "authentication",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/database/ldap.write",
"https://jans.io/oauth/jans-auth-server/config/properties.write",
"https://jans.io/oauth/config/agama.write",
"https://jans.io/oauth/config/agama-repo.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "configApiConfiguration",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/properties.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "configApiConfiguration",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/properties.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "session",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/jans-auth-server/session.readonly",
"revoke_session",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "session",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/jans-auth-server/session.delete",
"revoke_session",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "users",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/user.readonly",
"https://jans.io/oauth/config/attributes.readonly",
"https://jans.io/oauth/jans-auth-server/config/properties.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "users",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/user.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "users",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/config/user.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scripts",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scripts",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/scripts.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scripts",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/config/scripts.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "attributes",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/attributes.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "attributes",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/attributes.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "attributes",
"access_type": "DELETE",
"scopes": [
"https://jans.io/oauth/config/attributes.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "cache",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/cache.readonly"
]
},
{
"resource": "cache",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/cache.write"
]
},
{
"resource": "persistence",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/jans-auth-server/config/properties.readonly"
]
},
{
"resource": "smtp",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/smtp.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "smtp",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/smtp.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scim",
"access_type": "READ",
"scopes": [
"https://jans.io/scim/config.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "scim",
"access_type": "WRITE",
"scopes": [
"https://jans.io/scim/config.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "fido",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/fido2.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "fido",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/fido2.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "saml",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/config/saml-config.readonly",
"https://jans.io/oauth/config/saml.readonly",
"https://jans.io/idp/saml.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "saml",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/config/saml-config.write",
"https://jans.io/idp/saml.write",
"https://jans.io/oauth/config/saml.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "saml",
"access_type": "DELETE",
"scopes": [
"https://jans.io/idp/saml.delete",
"https://jans.io/oauth/config/saml.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write"
]
},
{
"resource": "lock",
"access_type": "READ",
"scopes": [
"https://jans.io/oauth/lock-config.readonly",
"https://jans.io/oauth/lock/read-all",
"jans_stat",
"https://jans.io/oauth/lock/telemetry.readonly"
]
},
{
"resource": "lock",
"access_type": "WRITE",
"scopes": [
"https://jans.io/oauth/lock-config.write",
"https://jans.io/oauth/lock/telemetry.write",
"https://jans.io/oauth/lock/log.write",
"https://jans.io/oauth/lock/health.write"
]
}
]
""";
}
}
- After Admin UI installation, the following roles, permissions and role-to-scopes mapping will be available in the Admin UI configuration in persistence (the `jansConfDyn` column of the `jansAppConf` table).
Default roles, permissions, role-to-scopes mapping in configuration
{
"roles": [
{
"role": "admin",
"description": "",
"deletable": null
}
],
"permissions": [
{
"tag": "attributes",
"permission": "https://jans.io/oauth/config/attributes.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "attributes",
"permission": "https://jans.io/oauth/config/attributes.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "attributes",
"permission": "https://jans.io/oauth/config/attributes.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "acrs",
"permission": "https://jans.io/oauth/config/acrs.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "acrs",
"permission": "https://jans.io/oauth/config/acrs.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "acrs",
"permission": "https://jans.io/oauth/config/acrs.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scopes",
"permission": "https://jans.io/oauth/config/scopes.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scopes",
"permission": "https://jans.io/oauth/config/scopes.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scopes",
"permission": "https://jans.io/oauth/config/scopes.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scripts",
"permission": "https://jans.io/oauth/config/scripts.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scripts",
"permission": "https://jans.io/oauth/config/scripts.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scripts",
"permission": "https://jans.io/oauth/config/scripts.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "clients",
"permission": "https://jans.io/oauth/config/openid/clients.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": true
},
{
"tag": "clients",
"permission": "https://jans.io/oauth/config/openid/clients.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "clients",
"permission": "https://jans.io/oauth/config/openid/clients.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "smtp",
"permission": "https://jans.io/oauth/config/smtp.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "smtp",
"permission": "https://jans.io/oauth/config/smtp.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "smtp",
"permission": "https://jans.io/oauth/config/smtp.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "logging",
"permission": "https://jans.io/oauth/config/logging.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "logging",
"permission": "https://jans.io/oauth/config/logging.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "resources",
"permission": "https://jans.io/oauth/config/uma/resources.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "resources",
"permission": "https://jans.io/oauth/config/uma/resources.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "resources",
"permission": "https://jans.io/oauth/config/uma/resources.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "ldap",
"permission": "https://jans.io/oauth/config/database/ldap.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "ldap",
"permission": "https://jans.io/oauth/config/database/ldap.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "ldap",
"permission": "https://jans.io/oauth/config/database/ldap.delete",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jwks",
"permission": "https://jans.io/oauth/config/jwks.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jwks",
"permission": "https://jans.io/oauth/config/jwks.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "fido2",
"permission": "https://jans.io/oauth/config/fido2.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "fido2",
"permission": "https://jans.io/oauth/config/fido2.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "message",
"permission": "https://jans.io/oauth/config/message.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "message",
"permission": "https://jans.io/oauth/config/message.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "cache",
"permission": "https://jans.io/oauth/config/cache.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "cache",
"permission": "https://jans.io/oauth/config/cache.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "sql",
"permission": "https://jans.io/oauth/config/database/sql.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "sql",
"permission": "https://jans.io/oauth/config/database/sql.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "properties",
"permission": "https://jans.io/oauth/jans-auth-server/config/properties.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "properties",
"permission": "https://jans.io/oauth/jans-auth-server/config/properties.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "stats",
"permission": "https://jans.io/oauth/config/stats.readonly",
"description": null,
"defaultPermissionInToken": true,
"essentialPermissionInAdminUI": true
},
{
"tag": "stats",
"permission": "jans_stat",
"description": null,
"defaultPermissionInToken": true,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_role",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_role",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_permission",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": true
},
{
"tag": "adminui_permission",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_rolePermissionMapping",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": true
},
{
"tag": "adminui_rolePermissionMapping",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write",
"description": null,
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_license",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly",
"description": null,
"defaultPermissionInToken": true,
"essentialPermissionInAdminUI": true
},
{
"tag": "adminui_license",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/license.write",
"description": null,
"defaultPermissionInToken": true,
"essentialPermissionInAdminUI": true
},
{
"tag": "openid",
"permission": "openid",
"description": null,
"defaultPermissionInToken": true,
"essentialPermissionInAdminUI": false
},
{
"tag": "ssa",
"permission": "https://jans.io/oauth/config/ssa.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "ssa",
"permission": "https://jans.io/auth/ssa.admin",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "ssa",
"permission": "https://jans.io/auth/ssa.portal",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "ssa",
"permission": "https://jans.io/auth/ssa.developer",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "organization",
"permission": "https://jans.io/oauth/config/organization.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "organization",
"permission": "https://jans.io/oauth/config/organization.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "user",
"permission": "https://jans.io/oauth/config/user.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "user",
"permission": "https://jans.io/oauth/config/user.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "user",
"permission": "https://jans.io/oauth/config/user.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "agama",
"permission": "https://jans.io/oauth/config/agama.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "agama",
"permission": "https://jans.io/oauth/config/agama.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "agama",
"permission": "https://jans.io/oauth/config/agama.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "session",
"permission": "https://jans.io/oauth/jans-auth-server/session.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "session",
"permission": "https://jans.io/oauth/jans-auth-server/session.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "plugin",
"permission": "https://jans.io/oauth/config/plugin.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "properties",
"permission": "https://jans.io/oauth/config/properties.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "properties",
"permission": "https://jans.io/oauth/config/properties.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "authorizations",
"permission": "https://jans.io/oauth/client/authorizations.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "authorizations",
"permission": "https://jans.io/oauth/client/authorizations.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jans-link",
"permission": "https://jans.io/oauth/config/jans-link.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jans-link",
"permission": "https://jans.io/oauth/config/jans-link.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "saml-config",
"permission": "https://jans.io/oauth/config/saml-config.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "saml-config",
"permission": "https://jans.io/oauth/config/saml-config.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "saml-scope",
"permission": "https://jans.io/oauth/config/saml-scope.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "saml-scope",
"permission": "https://jans.io/oauth/config/saml-scope.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "webhook",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "webhook",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "webhook",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "properties",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
"description": "",
"defaultPermissionInToken": true,
"essentialPermissionInAdminUI": false
},
{
"tag": "properties",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/properties.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "logging",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/logging.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": true
},
{
"tag": "scim_bulk",
"permission": "https://jans.io/scim/bulk",
"description": "Send requests to the bulk endpoint",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_users",
"permission": "https://jans.io/scim/users.write",
"description": "Modify user resources",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_fido",
"permission": "https://jans.io/scim/fido.read",
"description": "Query fido resources",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim",
"permission": "https://jans.io/scim/all-resources.search",
"description": "Access the root .search endpoint",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_fido2",
"permission": "https://jans.io/scim/fido2.read",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_groups",
"permission": "https://jans.io/scim/groups.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_users",
"permission": "https://jans.io/scim/users.read",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_groups",
"permission": "https://jans.io/scim/groups.read",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_fido2",
"permission": "https://jans.io/scim/fido2.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_fido",
"permission": "https://jans.io/scim/fido.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "revoke_session",
"permission": "revoke_session",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "data",
"permission": "https://jans.io/oauth/config/data.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": true
},
{
"tag": "fido2",
"permission": "https://jans.io/oauth/config/fido2.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jwks",
"permission": "https://jans.io/oauth/config/jwks.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_config",
"permission": "https://jans.io/scim/config.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "scim_config",
"permission": "https://jans.io/scim/config.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_role",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_permission",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "adminui_rolePermissionMapping",
"permission": "https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "saml",
"permission": "https://jans.io/oauth/config/saml.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "saml",
"permission": "https://jans.io/oauth/config/saml.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_config",
"permission": "https://jans.io/idp/config.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_config",
"permission": "https://jans.io/idp/config.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_realm",
"permission": "https://jans.io/idp/realm.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_realm",
"permission": "https://jans.io/idp/realm.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_saml",
"permission": "https://jans.io/idp/saml.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_saml",
"permission": "https://jans.io/idp/saml.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "idp_saml",
"permission": "https://jans.io/idp/saml.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "app-version",
"permission": "https://jans.io/oauth/config/app-version.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "kc-link-config",
"permission": "https://jans.io/oauth/kc-link-config.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "kc-link-config",
"permission": "https://jans.io/oauth/kc-link-config.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock-config",
"permission": "https://jans.io/oauth/lock-config.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock-config",
"permission": "https://jans.io/oauth/lock-config.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jans_asset",
"permission": "https://jans.io/oauth/config/jans_asset-read",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jans_asset",
"permission": "https://jans.io/oauth/config/jans_asset-write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "jans_asset",
"permission": "https://jans.io/oauth/config/jans_asset-delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_audit",
"permission": "https://jans.io/oauth/lock/audit.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_audit",
"permission": "https://jans.io/oauth/lock/audit.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_health",
"permission": "https://jans.io/oauth/lock/health.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_health",
"permission": "https://jans.io/oauth/lock/health.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_log",
"permission": "https://jans.io/oauth/lock/log.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_log",
"permission": "https://jans.io/oauth/lock/log.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_telemetry",
"permission": "https://jans.io/oauth/lock/telemetry.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock_telemetry",
"permission": "https://jans.io/oauth/lock/telemetry.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "token",
"permission": "https://jans.io/oauth/config/token.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "token",
"permission": "https://jans.io/oauth/config/token.write",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "token",
"permission": "https://jans.io/oauth/config/token.delete",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "agama-repo",
"permission": "https://jans.io/oauth/config/agama-repo.readonly",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
},
{
"tag": "lock",
"permission": "https://jans.io/oauth/lock/read-all",
"description": "",
"defaultPermissionInToken": false,
"essentialPermissionInAdminUI": false
}
],
"rolePermissionMapping": [
{
"role": "admin",
"permissions": [
"https://jans.io/oauth/config/attributes.readonly",
"https://jans.io/oauth/config/attributes.write",
"https://jans.io/oauth/config/attributes.delete",
"https://jans.io/oauth/config/acrs.readonly",
"https://jans.io/oauth/config/acrs.write",
"https://jans.io/oauth/config/acrs.delete",
"https://jans.io/oauth/config/scopes.readonly",
"https://jans.io/oauth/config/scopes.write",
"https://jans.io/oauth/config/scopes.delete",
"https://jans.io/oauth/config/scripts.readonly",
"https://jans.io/oauth/config/scripts.write",
"https://jans.io/oauth/config/scripts.delete",
"https://jans.io/oauth/config/openid/clients.readonly",
"https://jans.io/oauth/config/openid/clients.write",
"https://jans.io/oauth/config/openid/clients.delete",
"https://jans.io/oauth/config/smtp.readonly",
"https://jans.io/oauth/config/smtp.write",
"https://jans.io/oauth/config/smtp.delete",
"https://jans.io/oauth/config/logging.readonly",
"https://jans.io/oauth/config/logging.write",
"https://jans.io/oauth/config/uma/resources.readonly",
"https://jans.io/oauth/config/uma/resources.write",
"https://jans.io/oauth/config/uma/resources.delete",
"https://jans.io/oauth/config/database/ldap.readonly",
"https://jans.io/oauth/config/database/ldap.write",
"https://jans.io/oauth/config/database/ldap.delete",
"https://jans.io/oauth/config/jwks.readonly",
"https://jans.io/oauth/config/jwks.write",
"https://jans.io/oauth/config/fido2.readonly",
"https://jans.io/oauth/config/fido2.write",
"https://jans.io/oauth/config/message.readonly",
"https://jans.io/oauth/config/message.write",
"https://jans.io/oauth/config/cache.readonly",
"https://jans.io/oauth/config/cache.write",
"https://jans.io/oauth/config/database/sql.readonly",
"https://jans.io/oauth/config/database/sql.write",
"readonly",
"https://jans.io/oauth/config/stats.readonly",
"jans_stat",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/license.write",
"https://jans.io/scim/bulk",
"https://jans.io/scim/users.write",
"https://jans.io/scim/fido.read",
"https://jans.io/scim/all-resources.search",
"https://jans.io/scim/fido2.read",
"https://jans.io/scim/groups.write",
"https://jans.io/scim/users.read",
"https://jans.io/scim/groups.read",
"https://jans.io/scim/fido2.write",
"https://jans.io/scim/fido.write",
"https://jans.io/oauth/jans-auth-server/config/properties.write",
"https://jans.io/auth/ssa.admin",
"https://jans.io/auth/ssa.portal",
"https://jans.io/auth/ssa.developer",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/properties.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/properties.write",
"https://jans.io/oauth/jans-auth-server/config/adminui/logging.write",
"https://jans.io/oauth/jans-auth-server/session.delete",
"revoke_session",
"https://jans.io/oauth/config/data.readonly",
"https://jans.io/oauth/config/ssa.delete",
"https://jans.io/oauth/jans-auth-server/config/properties.readonly",
"https://jans.io/oauth/config/fido2.delete",
"https://jans.io/oauth/config/jwks.delete",
"https://jans.io/scim/config.readonly",
"https://jans.io/scim/config.write",
"https://jans.io/oauth/config/organization.readonly",
"https://jans.io/oauth/config/organization.write",
"https://jans.io/oauth/config/user.readonly",
"https://jans.io/oauth/config/user.write",
"https://jans.io/oauth/config/user.delete",
"https://jans.io/oauth/config/agama.readonly",
"https://jans.io/oauth/config/agama.write",
"https://jans.io/oauth/config/agama.delete",
"https://jans.io/oauth/jans-auth-server/session.readonly",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete",
"https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete",
"https://jans.io/oauth/config/plugin.readonly",
"https://jans.io/oauth/config/properties.readonly",
"https://jans.io/oauth/config/properties.write",
"https://jans.io/oauth/client/authorizations.readonly",
"https://jans.io/oauth/client/authorizations.delete",
"https://jans.io/oauth/config/jans-link.readonly",
"https://jans.io/oauth/config/jans-link.write",
"https://jans.io/oauth/config/saml.readonly",
"https://jans.io/oauth/config/saml.write",
"https://jans.io/oauth/config/saml-config.readonly",
"https://jans.io/oauth/config/saml-config.write",
"https://jans.io/oauth/config/saml-scope.readonly",
"https://jans.io/oauth/config/saml-scope.write",
"https://jans.io/idp/config.readonly",
"https://jans.io/idp/config.write",
"https://jans.io/idp/realm.readonly",
"https://jans.io/idp/realm.write",
"https://jans.io/idp/saml.readonly",
"https://jans.io/idp/saml.write",
"https://jans.io/idp/saml.delete",
"https://jans.io/oauth/config/app-version.readonly",
"https://jans.io/oauth/kc-link-config.readonly",
"https://jans.io/oauth/kc-link-config.write",
"https://jans.io/oauth/lock-config.readonly",
"https://jans.io/oauth/lock-config.write",
"https://jans.io/oauth/config/jans_asset-read",
"https://jans.io/oauth/config/jans_asset-write",
"https://jans.io/oauth/config/jans_asset-delete",
"https://jans.io/oauth/lock/audit.readonly",
"https://jans.io/oauth/lock/audit.write",
"https://jans.io/oauth/lock/health.readonly",
"https://jans.io/oauth/lock/health.write",
"https://jans.io/oauth/lock/log.readonly",
"https://jans.io/oauth/lock/log.write",
"https://jans.io/oauth/lock/telemetry.readonly",
"https://jans.io/oauth/lock/telemetry.write",
"https://jans.io/oauth/config/token.readonly",
"https://jans.io/oauth/config/token.write",
"https://jans.io/oauth/config/token.delete",
"https://jans.io/oauth/config/agama-repo.readonly",
"https://jans.io/oauth/lock/read-all",
"https://jans.io/oauth/config/database.readonly",
"https://jans.io/oauth/config/ssa.readonly",
"https://jans.io/oauth/config/ssa.write"
]
}
]
}
-
By default, the Admin UI will use the default configuration mapping for GUI access control and for accessing Config API endpoints.
-
After logging into the Admin UI for the first time after installation, the administrator can navigate to the
`Home → Security` menu and configure the `Admin UI Policy Store URL` and `Config API Policy Store URL`. Upon updating, the backend will call an endpoint to add the policy store URLs to the configuration, parse the policy stores, and update the role-to-scopes mapping in the Admin UI configuration.
-
The Admin UI will parse the policy stores and update the role-to-scopes mapping in its configuration every time the policy store URL is updated.
-
The embedded Cedarling in the Admin UI will use the configured policy store URL for GUI access control. The role-to-scopes mapping in the Admin UI configuration will be used to include only the mapped scopes in the token used for accessing Config API endpoints.
default entities
[
{
"uid": { "type": "Features", "id": "Dashboard"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "License"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "MAU"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "Security"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "Webhooks"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "Assests"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "AuditLogs"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "SystemAndMonitoring" }]
},
{
"uid": { "type": "Features", "id": "Clients"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "Scopes"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "Keys"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "AuthenticationServerConfiguration"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "Logging"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "SSA"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "Authentication"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "ConfigApiConfiguration"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "Sesison"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "AuthServerAndConfiguration" }]
},
{
"uid": { "type": "Features", "id": "Users"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "IdentityAndAccess" }]
},
{
"uid": { "type": "Features", "id": "Scripts"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "IdentityAndAccess" }]
},
{
"uid": { "type": "Features", "id": "UserClaims"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "IdentityAndAccess" }]
},
{
"uid": { "type": "Features", "id": "Cache"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
},
{
"uid": { "type": "Features", "id": "Persistance"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
},
{
"uid": { "type": "Features", "id": "SMTP"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
},
{
"uid": { "type": "Features", "id": "SCIM"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
},
{
"uid": { "type": "Features", "id": "FIDO"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
},
{
"uid": { "type": "Features", "id": "SAML"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
},
{
"uid": { "type": "Features", "id": "Lock"},
"attrs": {},
"parents": [{ "type": "ParentResource", "id": "Service" }]
}
]