By: Eduard Kruger user 27 Sep 2022 at 8:39 a.m. CDT

1 Response
Good day,

We are busy investigating using GLUU as our Identity Provider. I've searched on the Internet and the GLUU forums, but I cannot find anything that describes how to do RBAC using GLUU.

For example, if we have a number of access control/security items, e.g. "View Dashboard", "Search history", etc., which we want to combine under a role (e.g. "User") for our SPA application, can we configure these roles/mappings using GLUU directly, or do we need to build our own "Role" system into our consuming application to achieve this?

Below are a couple of screenshots from Azure DevOps' setup screens (as an example), which is what we would like to achieve:

1. Security/Access Items:

![](https://am3pap006files.storage.live.com/y4miNpa4uCbOx_BUlHC5qAdi4BFpau_iNyNBDyK8rLRyAa-O1mIQwl1uGqSl9Jcrq1pIb0r15wOLldKEMashE932amc5-8TpeXC06SctrmkryCMrnMjLzTgV7mZrMbVmtQ3qGrbScsN-7qBsA9H2iAV-Rq2NAZHiggMjQVPj7LJp57gd7SGwCjWe1aFPTbcEMlq?width=929&height=883&cropmode=none)

2. Roles security/access items linked to:

![](https://am3pap006files.storage.live.com/y4mOPlldC8DYFN2bY8jLMR3OUDpugPlwugrBaALRmDfDEq9hdH_aDutHyyEjUzxxJX4boSEgGQRSizDFZTDzlrUeXyFgIBhFBYcpoDhTolsxZt3ldzYKGe0Rr5-BYqpch5yAj5M37XC0RSucRfIlD5ovCr-srv5Pah7dyl1D2SiJq8RBiDM76o-aF7Zpbgm0qi-?width=1347&height=700&cropmode=none)

Any help/links would be greatly appreciated.

By Michael Schwartz Account Admin 12 Oct 2022 at 1:29 p.m. CDT

Remember that Gluu is a Federated Identity Provider (IDP), not a Relying Party (RP). In the screenshot above, the Azure DevOps panel is acting as an RP. It is consuming role information from the IDP (Azure AD), and then enforcing policies in the application, like whether a person can delete a team.

If you want to centralize RBAC, there are ways to do it. For example, you could implement a central authorization server, like OPA or OSO, and have your application call it, or map features to it. You could also map roles to OAuth scopes, and your application could use these for authorization.

This topic is really worthy of a Zoom call to discuss. Maybe you can schedule with @Davin.Cooke to discuss.