User Search
Creating a Role Assignment based on the User ID requires you to know the user ID that will be returned from the identity system during login. This user ID will be presented to the PolicyServer runtime in the user “sub” claim.
PolicyServer provides a User Search feature that enables you to select from a list of users to create a Role Assignment using the selected User ID.
User Search Endpoint
If your license supports User Search, you can provide a Web API endpoint to support searching and paging through users from your back-end user store or identity system.
The Management UI calls the Management API user search endpoint if the feature is enabled. To enable the feature, the Management API must be configured to point at your user search Web API endpoint. From there, your Web API is responsible for responding to user search requests and returning the appropriate list of users according to the request parameters.
Note
PolicyServer samples include a sample User Search API implementation (/management/CustomManagementSearch) to provide a starting point for the implementation.
Configuration
The Management API configuration for PolicyServer, in the management{} section, provides a setting for the base path to your user search Web API endpoint.
"management": {
    "userSearchUrl": "http://HOST/usersearch"
}
The Management API will use the specified Web API endpoint to satisfy requests to its User Search endpoint. As such, when the Management UI enables the User Search feature, the users returned will be under your control.
User Search Feature
When you select User Search from the navigation menu, you are taken to a page that displays a paged list of users from the User Search API endpoint you have configured. By default the results are not filtered by any search criteria. For each user, a user ID and a display name are presented.
Filtering and Paging
When you type search criteria into the search text box, the User Search API endpoint is called with these criteria. It is up to your implementation of the User Search API to determine how to use the search criteria to filter results. The goal of the filter is to reduce the number of users to page through to a number the end user can manage, in particular since many systems have large numbers of users.
From the paging area, you can navigate to the first, last, previous or next page in the results. The User Search API is presented with the filter and the page number to return so that it can respond accordingly. Ultimately the Management UI presents exactly what is returned from the request, including the page navigation parameters.
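As an added illustration of the filter-and-page logic such an endpoint needs (this is not PolicyServer's sample code and not its wire contract; the user store, the q/page/pageSize parameter names and the response fields are assumptions):

```python
# Added example, not PolicyServer's code: a minimal user-search handler of the
# kind "userSearchUrl" points at. Store, parameter and field names are assumed.
MAX_PAGE_SIZE = 50  # hard cap so one request cannot dump the whole directory

# Constructed sample store; "sub" is what the identity system puts in the
# user's "sub" claim at login, i.e. the user ID a Role Assignment is keyed on.
USERS = [
    {"sub": "user-1001", "displayName": "Alice Adams", "department": "Finance"},
    {"sub": "user-1002", "displayName": "Bob Brown", "department": "Sales"},
    {"sub": "user-1003", "displayName": "Carol Chen", "department": "Finance"},
    {"sub": "user-1004", "displayName": "Dan Diaz", "department": "IT"},
    {"sub": "user-1005", "displayName": "Alicia Alvarez", "department": "IT"},
]

def _to_int(value, default):
    """Parse a query-string integer, falling back to default on junk input."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def search_users(query="", page=1, page_size=20, store=USERS):
    """Case-insensitive substring filter on display name or subject, then page.
    Only subject and display name are returned: the Management UI needs
    nothing more, and extra attributes would turn this into a directory dump."""
    q = (query or "").strip().lower()
    page_size = max(1, min(_to_int(page_size, 20), MAX_PAGE_SIZE))
    matches = [u for u in store
               if not q or q in u["displayName"].lower() or q in u["sub"].lower()]
    total = len(matches)
    total_pages = max(1, -(-total // page_size))  # ceiling division, min one page
    page = max(1, min(_to_int(page, 1), total_pages))  # clamp out-of-range pages
    start = (page - 1) * page_size
    users = [{"subject": u["sub"], "displayName": u["displayName"]}
             for u in matches[start:start + page_size]]
    # Navigation parameters are echoed back so the UI can render first/prev/next/last.
    return {"query": q, "page": page, "pageSize": page_size,
            "totalCount": total, "totalPages": total_pages,
            "hasPrevious": page > 1, "hasNext": page < total_pages,
            "users": users}

def handle_request(params):
    """What a web framework would call with the parsed query string."""
    return search_users(params.get("q", ""), params.get("page", 1),
                        params.get("pageSize", 20))
```

The clamping of page and pageSize and the two-field projection are the parts worth keeping whatever store sits behind the endpoint.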
Selecting Users
From the User Search page, you can select one or more users as you page. The selected users are added to the selected list in the right-hand panel. After selecting users, you can assign them to one or more Application Roles in a Policy.
Role Assignment
After selecting one or more users, you can select the Assign to Role button. This takes you to a page that shows the list of selected users, and the available policies and application roles to which you can assign the users.
Once you select one or more roles in the hierarchy, you can select the Assign to Role button to confirm the assignment.
When the action is completed, you are taken to the Manage Application Role page for the selected role.
Selecting Users from the Application Role
When managing a policy, you may want to select users for an Application Role while managing that Application Role. From the Manage Application Role page you can select Select Users to initiate this workflow.
This takes you to the User Search in the context of an Application Role so that all user selections will be assigned to that role when you complete the workflow. As before, you can enter search criteria, filter the user results, and page through those results, selecting users as you go. Those users are listed in the selected users list.
To complete the workflow and create the new Role Assignments for each selected user ID, select Assign to [RoleName] Role where the RoleName is tailored to the current context.