
Cedarling Integration Plan ‐ IV

Arnab Dutta edited this page Aug 8, 2025 · 9 revisions

Cedarling

Generation of Role-to-Capabilities mapping from policy-store

We will have the following top-level features in the Admin UI:

  • Statistics
  • AuthServer
  • UserMgmt
  • UserClaims
  • Storage
  • SMTP
  • FIDO
  • SAML
  • AdminUIMgmt

So the Cedar schema with the above top-level features will be:

namespace Jans {
	type Context = {
		"current_time"?: Long,
		"device_health"?: Set<String>,
		"fraud_indicators"?: Set<String>,
		"geolocation"?: Set<String>,
		"network"?: String,
		"network_type"?: String,
		"operating_system"?: String,
		"user_agent"?: String
	};

	type Url = {
		"host": String,
		"path": String,
		"protocol": String
	};

	type email_address = {
		"domain": String,
		"uid": String
	};

	entity Access_token = {
		"aud": String,
		"exp": Long,
		"iat": Long,
		"iss": TrustedIssuer,
		"jti"?: String,
		"nbf"?: Long,
		"scope"?: Set<String>
	};
	entity AdminUIFeatures in [RoleBasedFeatures];
	entity Role;
	entity RoleBasedFeatures;
	entity TrustedIssuer = { "issuer_entity_id": Url };
	entity User in [Role] = {
		"email"?: email_address,
		"id_token"?: id_token,
		"phone_number"?: String,
		"sub": String,
		"userinfo_token"?: Userinfo_token,
		"username"?: String
	};
	entity Userinfo_token = {
		"aud": String,
		"birthdate"?: String,
		"email"?: email_address,
		"exp"?: Long,
		"iat"?: Long,
		"iss": TrustedIssuer,
		"jansAdminUIRole": Set<String>,
		"jti"?: String,
		"name"?: String,
		"phone_number"?: String,
		"sub": String
	};
	entity Workload = {
		"access_token"?: Access_token,
		"client_id": String,
		"iss": TrustedIssuer,
		"name"?: String,
		"rp_id"?: String,
		"spiffe_id"?: String
	};
	entity id_token = {
		"acr"?: String,
		"amr"?: Set<String>,
		"aud": String,
		"azp"?: String,
		"birthdate"?: String,
		"email"?: email_address,
		"exp": Long,
		"iat": Long,
		"iss": TrustedIssuer,
		"jti"?: String,
		"name"?: String,
		"phone_number"?: String,
		"role"?: Set<String>,
		"sub": String
	};
	action "AdminActions" appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "EditorActions" appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "ManagerActions" appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "ViewerActions" appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "StatisticsViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "AuthServerDeleteAction" in [Jans::Action::"AdminActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "AuthServerEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "AuthServerViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "UserMgmtDeleteAction" in [Jans::Action::"AdminActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "UserMgmtEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "UserMgmtViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "UserClaimsDeleteAction" in [Jans::Action::"AdminActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "UserClaimsEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "UserClaimsViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "StorageEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "StorageViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "SMTPEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "SMTPViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "SCIMEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "SCIMViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "FIDOEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "FIDOViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "SAMLEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "SAMLViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "AdminUIMgmtDeleteAction" in [Jans::Action::"AdminActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "AdminUIMgmtEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "AdminUIMgmtViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "JansLockEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
	action "JansLockViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ManagerActions", Jans::Action::"ViewerActions"] appliesTo {
		principal: [User],
		resource: [RoleBasedFeatures, AdminUIFeatures],
		context: { }
	};
}

The capabilities will be grouped under the actions:

StatisticsViewAction

Permissions                                  Description
https://jans.io/oauth/config/stats.readonly  MAU, Token Issued Count, Access Tokens Graph
jans_stat                                    -
https://jans.io/oauth/config/data.readonly   /jans-config-api/api/v1/health/service-status

AuthServerDeleteAction

Permissions Description
https://jans.io/oauth/config/openid/clients.delete
https://jans.io/oauth/config/scopes.delete
https://jans.io/oauth/config/jwks.delete
https://jans.io/oauth/config/acrs.delete
https://jans.io/oauth/config/scripts.delete
https://jans.io/oauth/config/database/ldap.delete
https://jans.io/oauth/config/jans_asset-delete
https://jans.io/oauth/jans-auth-server/session.delete

AuthServerEditAction

Permissions Description
https://jans.io/oauth/config/openid/clients.write
https://jans.io/oauth/config/scopes.write
https://jans.io/oauth/config/jwks.write
https://jans.io/oauth/jans-auth-server/config/properties.write
https://jans.io/oauth/config/logging.write
https://jans.io/auth/ssa.admin
https://jans.io/auth/ssa.portal
https://jans.io/auth/ssa.developer
https://jans.io/oauth/config/acrs.write
https://jans.io/oauth/config/scripts.write
https://jans.io/oauth/config/database/ldap.write
https://jans.io/oauth/config/properties.write
https://jans.io/oauth/config/jans_asset-write

AuthServerViewAction

Permissions Description
https://jans.io/oauth/config/openid/clients.readonly
https://jans.io/oauth/config/scopes.readonly
https://jans.io/oauth/config/jwks.readonly
https://jans.io/oauth/jans-auth-server/config/properties.readonly
https://jans.io/oauth/config/logging.readonly
https://jans.io/oauth/config/acrs.readonly
https://jans.io/oauth/config/scripts.readonly
https://jans.io/oauth/config/database/ldap.readonly
https://jans.io/oauth/jans-auth-server/session.readonly
revoke_session
https://jans.io/oauth/config/properties.readonly
https://jans.io/oauth/config/jans_asset-read

UserMgmtDeleteAction

Permissions Description
https://jans.io/oauth/config/user.delete

UserMgmtEditAction

Permissions Description
https://jans.io/oauth/config/user.write

UserMgmtViewAction

Permissions Description
https://jans.io/oauth/config/user.readonly
https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly
https://jans.io/oauth/config/attributes.readonly

UserClaimsDeleteAction

Permissions Description
https://jans.io/oauth/config/attributes.delete

UserClaimsEditAction

Permissions Description
https://jans.io/oauth/config/attributes.write

UserClaimsViewAction

Permissions Description
https://jans.io/oauth/config/attributes.readonly

StorageEditAction

Permissions Description
https://jans.io/oauth/config/cache.write
https://jans.io/oauth/jans-auth-server/config/properties.write

StorageViewAction

Permissions Description
https://jans.io/oauth/config/cache.readonly
https://jans.io/oauth/jans-auth-server/config/properties.readonly

SMTPViewAction

Permissions Description
https://jans.io/oauth/config/smtp.readonly

SMTPEditAction

Permissions Description
https://jans.io/oauth/config/smtp.write

SCIMViewAction

Permissions Description
https://jans.io/scim/config.readonly

SCIMEditAction

Permissions Description
https://jans.io/scim/config.write

FIDOViewAction

Permissions Description
https://jans.io/oauth/config/fido2.readonly

FIDOEditAction

Permissions Description
https://jans.io/oauth/config/fido2.write

SAMLViewAction

Permissions Description
https://jans.io/oauth/config/saml-config.readonly

SAMLEditAction

Permissions Description
https://jans.io/oauth/config/saml-config.write

AdminUIMgmtViewAction

Permissions Description
https://jans.io/oauth/jans-auth-server/config/adminui/license.readonly
https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly
https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly
https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly
https://jans.io/oauth/jans-auth-server/config/adminui/webhook.readonly

AdminUIMgmtEditAction

Permissions Description
https://jans.io/oauth/jans-auth-server/config/adminui/license.write
https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write
https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write
https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write
https://jans.io/oauth/jans-auth-server/config/adminui/webhook.write

AdminUIMgmtDeleteAction

Permissions Description
https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete
https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete
https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete
https://jans.io/oauth/jans-auth-server/config/adminui/webhook.delete

JansLockViewAction

Permissions Description
https://jans.io/oauth/lock-config.readonly

JansLockEditAction

Permissions Description
https://jans.io/oauth/lock-config.write

This mapping will be stored in the persistence of the Janssen Auth Server in the following table:

CREATE TABLE adminui_cedar_actions (
    doc_id varchar(64),
    dn varchar(128),
    action_name varchar(255), -- e.g. JansLockViewAction, JansLockEditAction, AuthServerViewAction, AuthServerEditAction, AuthServerDeleteAction etc.
    capabilities jsonb        -- list of capabilities mapped to the action, e.g. ["https://jans.io/scim/config.write"]
);

Logic to convert policy-store to role-to-capabilities mapping

To recognize the roles, the code will identify the actions that are not members of other actions — for example, AdminActions, EditorActions, ViewerActions, etc. Let’s call these parent actions. The role name will then be derived by trimming the "Actions" suffix from the action name — for example, AdminActions becomes Admin.

To map the capabilities to a role, the code will collect the action names grouped under each parent action. For example, StatisticsViewAction, AuthServerEditAction, UserMgmtEditAction, etc., are grouped under EditorActions. The code will then refer to the adminui_cedar_actions table in persistence to find the capabilities mapped to those child actions. These capabilities will then be assigned to the role derived from the parent action.
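The two steps above, written out as an added example in Python (this is not code from the Janssen project): a regex pass over the action declarations of the schema finds the parent actions and their children, and a constructed dictionary stands in for the adminui_cedar_actions table. The SCHEMA excerpt and the CEDAR_ACTIONS rows are constructed from values on this page; roles_holding is an extra audit helper not described above.

```python
import re

# Constructed excerpt of this page's Cedar schema: only the action declarations matter here.
SCHEMA = '''
action "AdminActions" appliesTo { principal: [User], resource: [RoleBasedFeatures, AdminUIFeatures], context: { } };
action "EditorActions" appliesTo { principal: [User], resource: [RoleBasedFeatures, AdminUIFeatures], context: { } };
action "ViewerActions" appliesTo { principal: [User], resource: [RoleBasedFeatures, AdminUIFeatures], context: { } };
action "AuthServerDeleteAction" in [Jans::Action::"AdminActions"] appliesTo { principal: [User], resource: [RoleBasedFeatures, AdminUIFeatures], context: { } };
action "AuthServerEditAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions"] appliesTo { principal: [User], resource: [RoleBasedFeatures, AdminUIFeatures], context: { } };
action "StatisticsViewAction" in [Jans::Action::"AdminActions", Jans::Action::"EditorActions", Jans::Action::"ViewerActions"] appliesTo { principal: [User], resource: [RoleBasedFeatures, AdminUIFeatures], context: { } };
'''

# Constructed stand-in for the adminui_cedar_actions table (action_name -> capabilities column).
CEDAR_ACTIONS = {
    "AuthServerDeleteAction": ["https://jans.io/oauth/config/openid/clients.delete"],
    "AuthServerEditAction": ["https://jans.io/oauth/config/openid/clients.write"],
    "StatisticsViewAction": ["https://jans.io/oauth/config/stats.readonly", "jans_stat"],
}

# action "<name>" [in [<members>]] appliesTo ...   (the appliesTo body is not needed here)
ACTION_RE = re.compile(r'action\s+"([^"]+)"(?:\s+in\s+\[([^\]]*)\])?\s+appliesTo')
MEMBER_RE = re.compile(r'Action::"([^"]+)"')

def parse_actions(schema):
    """Map each action name to the set of actions it is declared 'in'."""
    return {name: set(MEMBER_RE.findall(parents))
            for name, parents in ACTION_RE.findall(schema)}

def role_capabilities(schema, table):
    """Derive {role: sorted capabilities} following the procedure on this page."""
    actions = parse_actions(schema)
    # Parent actions are the ones that are members of no other action.
    parents = [name for name, members in actions.items() if not members]
    mapping = {}
    for parent in parents:
        # Role name = parent action name with the "Actions" suffix trimmed.
        role = parent[:-len("Actions")] if parent.endswith("Actions") else parent
        caps = set()
        for child, members in actions.items():
            if parent in members:
                # A child action with no table row contributes nothing (fail closed).
                caps.update(table.get(child, []))
        mapping[role] = sorted(caps)
    return mapping

def roles_holding(mapping, capability):
    """Audit helper: which derived roles end up with a given capability."""
    return sorted(role for role, caps in mapping.items() if capability in caps)
```

Because a role receives the union of every child action's capabilities, roles_holding is the quick way to confirm that a delete capability reaches only the role intended to have it.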
