requirements
This feature implements a Cedar-based fine-grained authorization system for the Admin UI. The system will provide role-based access control with granular permissions for different types of users (Admin, Identity Manager, Security Auditor, Developer, Support Staff, End User) across various resources (AuthServer, User, OAuthClient, CustomScripts, etc.). The authorization system will use Cedar policies to evaluate permissions in real-time and ensure secure access to system resources.
User Story: As a system administrator, I want to define and manage role-based permissions using Cedar policies, so that I can control access to different parts of the Admin UI based on user roles.
- WHEN a Cedar policy is created THEN the system SHALL store it in the policy store
- WHEN a Cedar policy is updated THEN the system SHALL validate the policy syntax before storing
- WHEN a Cedar policy is deleted THEN the system SHALL remove it from the policy store and update authorization decisions
- IF a policy has syntax errors THEN the system SHALL reject the policy and return validation errors
- WHEN policies are loaded THEN the system SHALL validate all policies against the Cedar schema
User Story: As an Admin user, I want full control over all system resources, so that I can manage the entire Admin UI system effectively.
- WHEN an Admin user requests access to AuthServer config THEN the system SHALL permit view and update actions
- WHEN an Admin user requests user management actions THEN the system SHALL permit add, update, delete, view, lock, unlock, and reset_password actions
- WHEN an Admin user requests OAuth client management THEN the system SHALL permit add, update, delete, and view actions
- WHEN an Admin user requests custom script management THEN the system SHALL permit add, update, delete, and view actions
- WHEN an Admin user requests access to any system resource THEN the system SHALL evaluate their permissions against Admin role policies
User Story: As an Identity Manager, I want to manage user lifecycle and identity-related configurations, so that I can handle user provisioning and identity management tasks.
- WHEN an Identity Manager requests OAuth client management THEN the system SHALL permit add, update, delete, and view actions
- WHEN an Identity Manager requests custom script management THEN the system SHALL permit add, update, delete, and view actions
- WHEN an Identity Manager requests user management actions THEN the system SHALL permit user lifecycle operations
- WHEN an Identity Manager requests access to non-identity resources THEN the system SHALL deny access based on role restrictions
User Story: As a Security Auditor, I want read-only access to audit logs and security-related information, so that I can monitor system security without modifying configurations.
- WHEN a Security Auditor requests access to audit logs THEN the system SHALL permit view actions only
- WHEN a Security Auditor requests modification actions on any resource THEN the system SHALL deny the request
- WHEN a Security Auditor requests access to non-audit resources THEN the system SHALL deny access based on role restrictions
User Story: As a Developer, I want to manage OAuth clients and related configurations, so that I can develop and test applications that integrate with the system.
- WHEN a Developer requests OAuth client management THEN the system SHALL permit add, update, delete, and view actions
- WHEN a Developer requests access to other system resources THEN the system SHALL deny access based on role restrictions
- WHEN a Developer requests client secret operations THEN the system SHALL permit these actions for OAuth clients only
User Story: As Support Staff, I want limited access to help users with account issues, so that I can provide user support without compromising system security.
- WHEN Support Staff requests user lock/unlock actions THEN the system SHALL permit these actions
- WHEN Support Staff requests password reset actions THEN the system SHALL permit these actions
- WHEN Support Staff requests access to other system resources THEN the system SHALL deny access based on role restrictions
User Story: As an End User, I want to manage my own profile and credentials, so that I can maintain my account information.
- WHEN an End User requests to update their password THEN the system SHALL permit the action
- WHEN an End User requests to update their email THEN the system SHALL permit the action
- WHEN an End User requests to update their name THEN the system SHALL permit the action
- WHEN an End User requests access to other users' profiles THEN the system SHALL deny the request
- WHEN an End User requests administrative actions THEN the system SHALL deny the request
User Story: As a system integrator, I want the authorization system to evaluate permissions in real-time, so that access control decisions are always current and accurate.
- WHEN a user makes a request THEN the system SHALL evaluate Cedar policies in real-time
- WHEN policy evaluation succeeds THEN the system SHALL allow the requested action
- WHEN policy evaluation fails THEN the system SHALL deny the requested action and log the attempt
- WHEN policy evaluation encounters an error THEN the system SHALL deny the request and log the error
- WHEN multiple policies apply THEN the system SHALL follow Cedar's policy combination logic
User Story: As a system administrator, I want comprehensive logging of authorization decisions, so that I can audit access patterns and troubleshoot permission issues.
- WHEN an authorization decision is made THEN the system SHALL log the principal, action, resource, and decision
- WHEN a policy evaluation fails THEN the system SHALL log the failure reason and context
- WHEN unauthorized access is attempted THEN the system SHALL log the attempt with full context
- WHEN audit logs are requested THEN the system SHALL provide structured log data
- IF logging fails THEN the system SHALL continue operation but alert administrators
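The real-time evaluation and logging requirements above combine into a fail-closed decision path. The following is an added example, not code from the project: it uses simplified policy objects in place of a Cedar engine, and the policy ids, entity type names and the `authorize`, `audit` and `notifyAdmins` names are hypothetical.

```javascript
// Constructed sample policies: simplified stand-ins for Cedar permit/forbid
// policies. Ids and entity type names are hypothetical.
const POLICIES = [
  { id: "admin-user-ops", effect: "permit", role: "Admin", resourceType: "User",
    actions: ["add", "update", "delete", "view", "lock", "unlock", "reset_password"] },
  { id: "support-user-ops", effect: "permit", role: "SupportStaff", resourceType: "User",
    actions: ["lock", "unlock", "reset_password"] },
  { id: "auditor-no-writes", effect: "forbid", role: "SecurityAuditor", resourceType: "*",
    actions: ["add", "update", "delete"] },
];

function matches(p, req) {
  return req.principal.roles.includes(p.role) && p.actions.includes(req.action) &&
    (p.resourceType === "*" || p.resourceType === req.resource.type);
}

// Cedar's combination rule: any matching forbid denies; otherwise at least one
// matching permit is required; no matching policy means deny.
function evaluate(policies, req) {
  const hit = policies.filter((p) => matches(p, req));
  const forbids = hit.filter((p) => p.effect === "forbid");
  if (forbids.length) return { decision: "deny", reasons: forbids.map((p) => p.id) };
  const permits = hit.filter((p) => p.effect === "permit");
  return { decision: permits.length ? "allow" : "deny", reasons: permits.map((p) => p.id) };
}

// Fail-closed wrapper: an evaluation error becomes a logged deny, and a failing
// audit sink raises an alert without changing the decision.
function authorize(policies, req, audit, notifyAdmins) {
  let result;
  try {
    result = evaluate(policies, req);
  } catch (err) {
    result = { decision: "deny", reasons: [], error: err.message };
  }
  const record = { principal: req?.principal?.id, action: req?.action,
    resource: req?.resource?.id, ...result };
  try {
    audit(record);
  } catch (err) {
    notifyAdmins(`audit logging failed: ${err.message}`);
  }
  return result;
}
```

A principal holding both Admin and Security Auditor roles is denied `update` here, because a matching forbid overrides any permit under Cedar's combination logic.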
User Story: As a developer integrating with the system, I want a clear API for authorization checks, so that I can easily implement permission checks throughout the Admin UI.
- WHEN the authorization API is called THEN the system SHALL return a clear permit/deny decision
- WHEN authorization context is provided THEN the system SHALL use it in policy evaluation
- WHEN authorization fails THEN the system SHALL return structured error information
- WHEN batch authorization is requested THEN the system SHALL evaluate multiple permissions efficiently
- WHEN the API is called with invalid parameters THEN the system SHALL return validation errors