Idea Details

Limit tews call to only a few users

01-21-2020 02:01 AM

Hello Team,

Problem:
We want to limit Identity Manager tews calls to only a few authorized users/service accounts. SiteMinder (SSO) is not present in the environment.
As self-service, if a user specifies their user ID for both login and impersonation in the tews call request, any user can make a tews call.

Enhancement:
We want to make sure that only a few users/service accounts, by virtue of either admin role membership or some other rule/policy, are able to make tews calls. We don't want to open the IME for making tews calls to all users.

Example:
The following is an example to elaborate on this further: a tews SOAP call to execute an admin task with WSS auth:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>USERID001</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"><WITH CORRECT PASSWORD></wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsdl:TaskContext>
      <wsdl:admin_id>USERID001</wsdl:admin_id>
    </wsdl:TaskContext>
  </soapenv:Header>
  <soapenv:Body>
    <wsdl:EmployeeCreationTask>
      <wsdl:EmployeeCreationTaskProfileTab>
        <wsdl:_BAR_Application_BAR_>Active Directory</wsdl:_BAR_Application_BAR_>
        <wsdl:_BAR_Access_BAR_>Domain Admin</wsdl:_BAR_Access_BAR_>
        <wsdl:_PCT_DESCRIPTION_PCT_>Onboarding Employee</wsdl:_PCT_DESCRIPTION_PCT_>
      </wsdl:EmployeeCreationTaskProfileTab>
    </wsdl:EmployeeCreationTask>
  </soapenv:Body>
</soapenv:Envelope>

<UsernameToken Username USERID001> and <admin_id USERID001> are the same values for the user 'USERID001', meaning the same user is logging into the IME as well as submitting the request on his own behalf (an example of self-service).

This user is a member of an Admin Role to which the 'EmployeeCreationTask' Admin Task is attached, so the user is authorized to execute the 'EmployeeCreationTask' Admin Task.

Impact:
Any user who is a member of an Admin Role can submit a request like the above by making a SOAP call (say from Postman/SoapUI/curl).
We want tews requests to be submitted to the IME only from authorized application/service accounts.

Thanks,
Sumeet
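The allowlist check the post asks for, as an added example that is not part of the post or of Identity Manager: it parses the WS-Security UsernameToken and the TaskContext admin_id from a TEWS request and authorizes the call only when the authenticating account (not the admin_id) is on an allowlist of service accounts. The allowlist, the SVC_ONBOARDING account and the build_request helper are assumptions; the password value is a constructed placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces exactly as used in the TEWS request quoted in the post
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsdl": "http://tews6/wsdl",
}

# Hypothetical allowlist: the only accounts permitted to submit TEWS calls.
AUTHORIZED_CALLERS = {"SVC_ONBOARDING"}


def extract_identities(soap_xml):
    """Return (wsse Username, TaskContext admin_id) from a TEWS request."""
    root = ET.fromstring(soap_xml)
    header = root.find("soapenv:Header", NS)
    if header is None:
        return None, None
    user = header.find(".//wsse:UsernameToken/wsse:Username", NS)
    admin = header.find("wsdl:TaskContext/wsdl:admin_id", NS)
    return (user.text.strip() if user is not None and user.text else None,
            admin.text.strip() if admin is not None and admin.text else None)


def is_authorized_tews_call(soap_xml, authorized=AUTHORIZED_CALLERS):
    """Allowlist check on the authenticated caller, not on admin_id."""
    username, admin_id = extract_identities(soap_xml)
    if username is None:
        return False, "no WS-Security UsernameToken in header"
    if username not in authorized:
        return False, f"caller {username!r} is not an authorized service account"
    return True, f"caller {username!r} authorized (admin_id={admin_id!r})"


def build_request(username, admin_id, password="REDACTED"):
    """Constructed sample request mirroring the post's envelope (password elided)."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:wsdl="{NS['wsdl']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password>{password}</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsdl:TaskContext><wsdl:admin_id>{admin_id}</wsdl:admin_id></wsdl:TaskContext>
  </soapenv:Header>
  <soapenv:Body><wsdl:EmployeeCreationTask/></soapenv:Body>
</soapenv:Envelope>"""
```

The self-service case from the post (USERID001 authenticating and naming itself as admin_id) is rejected because the caller is not on the allowlist, while a request authenticated by the service account is admitted regardless of which admin_id it names.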