Layer7 API Management

Need an authorization mechanism for policies invocable by IIP users, which can be migrated/setup using gmu

  • 1.  Need an authorization mechanism for policies invocable by IIP users, which can be migrated/setup using gmu

    Posted Jul 03, 2017 07:17 AM

    We have some policies for which authorization is based on 'groups' defined in IIP. Now, we are looking to automate the process of setting up these policies and all associated resources in a new gateway instance using GMU (and restman). But though we are able to migrate users, restman does not seem to provide any option to create a group or to associate users with a group.
    Due to this limitation, we also looked at using 'roles' to authorize users instead of 'groups'. But it seems the roles functionality is only for defining administrative permissions and cannot be used for authentication/authorization inside policies.
    Can anyone please suggest if there are any options to manage IIP 'groups' in an automated manner via some API (Restman or any other) or to use 'roles' to define authentication/authorization within policies?



  • 2.  Re: Need an authorization mechanism for policies invocable by IIP users, which can be migrated/setup using gmu

    Posted Jul 05, 2017 02:24 AM

    It seems to me that the features are not completely implemented in the Gateway, because the assertion "Extract Attributes for authenticated user" should deliver the role information, but it doesn't for the internal IdP. But here we are able to work with the restman, which brings no benefit. When we use groups to check for authorization with the internal IdP, then we cannot configure it via restman. For us the configuration via restman is essential, because we use the GW in the cloud and it must be possible to set it up from scratch every time. Is there any recommendation to solve that?



  • 3.  Re: Need an authorization mechanism for policies invocable by IIP users, which can be migrated/setup using gmu
    Best Answer

    Broadcom Employee
    Posted Aug 03, 2017 01:03 AM

    We are currently tracking this as an idea on our community RESTMAN - IIP group handling if my observations are correct. Please let me know in this post and be sure to vote on the idea. Any use cases that you can add will help with work that is done for it.

    Sincerely,

    Stephen Hughes

    Director, CA Support