By: Conor Walsh Account Admin 08 Aug 2019 at 3:08 a.m. CDT

12 Responses
Hi, I'm wondering what is the best way to secure individual API records with UMA/Gateway. For some context, we've developed a PoC that secures a web service https://hostname:3000/users. We have a scope in Gluu called 'https://hostname:3000/users' and have a policy attached. This is working fine, but I got a question about securing individual API records for each user, e.g.

* https://hostname:3000/users/1
* https://hostname:3000/users/2

At the moment, if the client application/user going through the UMA flow meets the policy requirements and gets the 'https://hostname:3000/users' scope, all the URLs under users are accessible. Do I need to register a scope for each individual record? Is there any document I can be pointed at for some guidance?

Thanks a lot,
Conor

By Conor Walsh Account Admin 08 Aug 2019 at 10:48 a.m. CDT

Would it be possible to schedule a call to discuss the issue?

By William Lowe user 09 Aug 2019 at 5:29 p.m. CDT

Yes, definitely. Let's see what Meg has to say and then schedule a call next week if needed.

Thanks,
Will

By Conor Walsh Account Admin 12 Aug 2019 at 1:44 a.m. CDT

Great thanks Will! Conor

By Meghna Joshi staff 12 Aug 2019 at 1:48 a.m. CDT

Hi Conor,

> the 'https://hostname:3000/users' scope all the urls under users are accessible.

As per the UMA plugin design, if you get access for a parent path then all the child paths are automatically protected. In your case, `/users` is already requested and gets the access permission for the `/users` path (parent folder), so everything in the `/users` path (folder) is protected. E.g. take `/users` as a folder: if you register path `/users` with `policy1` then everything in `/users` is protected, so `/users/1` and `/users/2` are already protected by UMA policy `policy1`.

Suppose you want to run another policy on `/users/2`; then you need to register this path again with another policy (e.g. policy2), so `policy2` will be executed for the requested path `/users/2` and `policy1` will be executed for the path `/users/[anything except 2]`. E.g.

**Registered path**

* /users ---> policy1
* /users/2 ---> policy2

**Request ---> policy executed**

* /users ---> policy1
* /users/1 ---> policy1
* /users/3 ---> policy1
* /users/4 ---> policy1
* /users/2 ---> policy2

If you have policies for every individual record then of course you need to register every individual record with its corresponding policy. E.g.

* /users ----> parent_policy
* /users/1 ----> policy1
* /users/2 ----> policy2
* /users/3 ----> policy3
* /users/4 ----> policy4

These GG 1.0 docs will help you: https://gluu.org/docs/gg/1.0/plugin/gluu-uma-pep/#dynamic-resource-protection. Please let me know if you face any problem.

`Info Note: we added a wildcard path registration feature in GG 4.0 Beta`

Thank you,
Meghna Joshi

By Conor Walsh Account Admin 12 Aug 2019 at 2:14 a.m. CDT

Hi Meghna,

Thanks for that. That makes sense. So first of all we need to remove the parent URL /users as a scope. One point I should have made in the original post is that the same policy is being used for all of the users. The reason why we don't need separate policies is because we're passing in the userId as a pushed claims token and it is being used in the decision logic. Do we need to register each unique user record as a scope even if they have the same policy attached?

1. /users/1 ----> policy1
2. /users/2 ----> policy1
3. /users/3 ----> policy1
4. /users/4 ----> policy1

Thanks,
Conor
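
The two situations discussed in the thread, the parent-path registration with a more specific override (Meghna's reply) and the per-record registration where every record shares one policy that decides from the pushed userId claim (Conor's follow-up), modelled as an added example. This is not Gluu Gateway or oxAuth code; the registry dictionaries, the `policy1`/`policy2` stand-ins and the `owner` policy are constructed here to illustrate the matching rule. The one design choice worth noting is that a policy is handed the registered path that matched, not the raw request, which is exactly why a per-record decision needs a per-record registration.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# A policy receives the *registered* path that matched (the scope the gateway
# will ask the AS about) and the pushed claims, and returns allow/deny.
Policy = Callable[[str, dict], bool]


def resolve(requested: str, registry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (registered_path, policy_name) for the longest registered path that
    equals `requested` or is a parent segment of it; None if nothing protects it."""
    def covers(registered: str) -> bool:
        # segment-aware prefix: "/users/2" covers "/users/2/x" but not "/users/22"
        return requested == registered or requested.startswith(registered.rstrip("/") + "/")

    matches = [path for path in registry if covers(path)]
    if not matches:
        return None
    best = max(matches, key=len)  # the most specific registration wins
    return best, registry[best]


def check_access(requested: str, claims: dict,
                 registry: Dict[str, str], policies: Dict[str, Policy]) -> bool:
    """Gateway-side decision: find the protecting registration, run its policy."""
    hit = resolve(requested, registry)
    if hit is None:
        return False  # unregistered path: deny, never fall through to the upstream
    registered_path, policy_name = hit
    return policies[policy_name](registered_path, claims)


# Meghna's example: a parent registration plus one more specific override.
PARENT_REGISTRY: Dict[str, str] = {"/users": "policy1", "/users/2": "policy2"}

# Conor's variant (constructed for four records): every record registered with
# the same policy. The policy only sees the registered path, which is why each
# record needs its own entry.
PER_RECORD_REGISTRY: Dict[str, str] = {f"/users/{i}": "owner" for i in range(1, 5)}


def owner_policy(registered_path: str, claims: dict) -> bool:
    """Allow when the pushed userId claim names the record in the registered path."""
    m = re.fullmatch(r"/users/(\d+)", registered_path)
    user_id = claims.get("userId")
    return m is not None and user_id is not None and str(user_id) == m.group(1)


# Constructed stand-ins for the thread's policy1/policy2; the real ones would be
# the Gluu Server's UMA RPT policy scripts.
POLICIES: Dict[str, Policy] = {
    "policy1": lambda registered, claims: "users" in claims.get("groups", []),
    "policy2": lambda registered, claims: claims.get("role") == "admin",
    "owner": owner_policy,
}


if __name__ == "__main__":
    for path in ("/users", "/users/1", "/users/2", "/users/22", "/orders"):
        print(path, "->", resolve(path, PARENT_REGISTRY))
    print(check_access("/users/3", {"userId": 3}, PER_RECORD_REGISTRY, POLICIES))
    print(check_access("/users/3", {"userId": 1}, PER_RECORD_REGISTRY, POLICIES))
```

With `PARENT_REGISTRY`, `/users/22` resolves to `/users` and `policy1`, not to `/users/2`, because the match is by path segment rather than by string prefix; with `PER_RECORD_REGISTRY`, a request for a record that was never registered is denied outright rather than inheriting anything.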

By Meghna Joshi staff 12 Aug 2019 at 7:20 a.m. CDT

Hi Conor,

As per your requirement, you want to execute the same policy for every unique user record request; then yes, you need to register each unique user record with the same policy. This is the current UMA design flow.

Thank you,
Meghna Joshi

By Yuriy Zabrovarnyy staff 13 Aug 2019 at 5:05 a.m. CDT

Hi Conor,

In CE 3.x versions it's possible to attach a policy via the UI, or otherwise it's possible to write a script which would modify LDAP directly to map the policy to the scope (e.g. `inum=OO11-BAFE,ou=scripts,o=gluu`). [UMA doc](https://gluu.org/docs/ce/admin-guide/uma/)

In CE 4.0 we introduced an admin API (REST) which allows manipulating UMA objects. @Thomas Gasmyr.Mougang would you please clarify whether it's possible to attach a policy to a scope via the admin API?

Thanks,
Yuriy Z

By Conor Walsh Account Admin 13 Aug 2019 at 5:41 a.m. CDT

Hi Yuriy,

Thanks for the response. I'm getting a few questions about scalability with the requirement of securing each individual URI, e.g.

* /users/1
* /users/2
* ..... /users/1000000

If there are 1,000,000 user entries in an API that need to be secured individually, this means that 1,000,000 URIs need to be registered in Gluu Gateway and 1,000,000 corresponding scopes need to be registered in Gluu? Does this seem feasible?

Thanks,
Conor

By Yuriy Zabrovarnyy staff 13 Aug 2019 at 11:35 a.m. CDT

Just FYI, we planned `Support Spontaneous Scopes for UMA 2`, which should help to avoid the creation of so many scopes. https://github.com/GluuFederation/oxAuth/issues/1133

Thanks,
Yuriy Z

By Conor Walsh Account Admin 14 Aug 2019 at 3:27 a.m. CDT

Hi Yuriy,

That feature looks like what we need. So in Gluu only one template scope will need to be registered, and when requests come in for URIs that match that template they will be created during ticket registration. Is this correct? Will all of the individual URIs still need to be registered in Gluu Gateway?

Thanks,
Conor

By Yuriy Zabrovarnyy staff 14 Aug 2019 at 3:37 a.m. CDT

Hi Conor,

> Is this correct?

Yes, correct.

> Will all of the individual uris still need to be registered in gluu gateway?

I believe one registered URI will be enough. The RS (here GG) will differentiate access based on the scopes created during permission registration. To make it work we also need to improve the oxd `/uma-rs-check-access` command to pass the scope there explicitly. It's not the case right now. (Ticket scheduled here: https://github.com/GluuFederation/oxd/issues/362)

Thanks,
Yuriy Z
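
The spontaneous-scopes flow described in the last two replies (one scope template registered at the AS, concrete per-record scopes minted when the RS registers a permission ticket, and the RS then deciding access from the scopes carried in the RPT rather than from per-record registrations), as an added toy model. This is not oxAuth's or oxd's implementation of the planned feature; the `AuthorizationServer` class, its regex template convention, the ticket format and the elided claims-gathering step are assumptions made here to show the shape of the exchange.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AuthorizationServer:
    """Toy UMA authorization server: explicitly registered scopes plus
    spontaneous-scope templates; a scope matching a template is created on
    first use instead of having to exist up front."""
    explicit_scopes: Set[str] = field(default_factory=set)
    spontaneous_templates: List[str] = field(default_factory=list)  # regexes
    created_scopes: Set[str] = field(default_factory=set)  # minted on demand
    tickets: Dict[str, List[str]] = field(default_factory=dict)

    def _admissible(self, scope: str) -> bool:
        if scope in self.explicit_scopes or scope in self.created_scopes:
            return True
        return any(re.fullmatch(t, scope) for t in self.spontaneous_templates)

    def register_permission(self, scopes: List[str]) -> Optional[str]:
        """RS registers a permission request; returns a ticket, or None when a
        requested scope is neither registered nor covered by a template."""
        if not all(self._admissible(s) for s in scopes):
            return None  # reject before minting anything
        for s in scopes:
            if s not in self.explicit_scopes:
                self.created_scopes.add(s)  # the spontaneous scope now exists
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = list(scopes)
        return ticket

    def issue_rpt(self, ticket: str) -> Optional[List[str]]:
        """Redeem a ticket for the granted scopes (policy evaluation and claims
        gathering elided); tickets are single-use."""
        return self.tickets.pop(ticket, None)


def rs_check_access(requested_path: str, rpt_scopes: List[str]) -> bool:
    """RS side with a single registered resource: the requested record path must
    appear as a scope in the RPT, so no per-record registration at the gateway."""
    return requested_path in rpt_scopes


def demo() -> bool:
    # Constructed setup: one explicit collection scope and one template that
    # stands for "any individual user record".
    as_ = AuthorizationServer(explicit_scopes={"https://hostname:3000/users"},
                              spontaneous_templates=[r"/users/\d+"])
    ticket = as_.register_permission(["/users/42"])   # /users/42 is created here
    scopes = as_.issue_rpt(ticket)                     # RPT carries ["/users/42"]
    return rs_check_access("/users/42", scopes) and not rs_check_access("/users/43", scopes)


if __name__ == "__main__":
    print("demo ok:", demo())
```

A scope that matches no template (say `/users/abc` against `/users/\d+`) is refused at permission registration and nothing is created for it, so the template is the only thing the AS needs to hold ahead of time no matter how many records exist.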

By Conor Walsh Account Admin 16 Aug 2019 at 4:53 a.m. CDT

Hi Yuriy,

Thanks for that. For the moment we've registered every URL, but we will switch to the spontaneous scopes approach when 4.1 is released.

Thanks a lot!
Conor