Authorization Managers
Introduction
Authorization managers are configurable facilities responsible for making authorization decisions when the following protected resources are accessed:
- GraphQL-based Application Programming Interfaces (API).
- System for Cross-domain Identity Management (SCIM) APIs.
- OAuth UserInfo endpoint.
Included Authorization Managers
The Curity Identity Server includes the following authorization managers:
- Groups authorization manager: makes coarse-grained create-read-update-delete (CRUD) decisions based on group membership.
- Attribute authorization manager: allows fine-grained access control over individual attributes, such as filtering the attributes returned on read, or allowing and denying mutations of certain attributes.
- Self Service authorization manager: implements self-service policies, restricting access to the resource owners only.
- Scopes authorization manager: implements access control policies based on scopes.
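The decision types listed above, modelled as an added Python example (not Curity's code and not the SDK's API): the policy tables, request shape, function names and the evaluation rules are constructed assumptions chosen to show how a coarse-grained group/CRUD decision, a scope check, a resource-owner check and attribute-level filtering each answer the same request, with any unknown manager defaulting to deny.

```python
"""Model of the four authorization-manager policy types.

Added illustration only. Everything here (policy tables, attribute names,
the Request shape and the decide() dispatch) is an assumption made for the
example and does not reflect Curity's internal implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: str                       # authenticated user making the call
    groups: frozenset                  # group memberships of the subject
    scopes: frozenset                  # scopes carried by the calling token
    operation: str                     # "create" | "read" | "update" | "delete"
    resource_owner: str                # owner of the targeted user resource
    attributes: dict = field(default_factory=dict)  # attributes read or written


# Groups manager: coarse-grained CRUD rights per group (constructed policy).
GROUP_CRUD = {
    "admins": {"create", "read", "update", "delete"},
    "helpdesk": {"read", "update"},
}


def groups_allows(req: Request) -> bool:
    """Allow when any of the subject's groups grants the operation."""
    allowed = set()
    for group in req.groups:
        allowed |= GROUP_CRUD.get(group, set())
    return req.operation in allowed


# Scopes manager: each operation requires one scope (constructed mapping).
SCOPE_FOR_OP = {
    "create": "users:write",
    "read": "users:read",
    "update": "users:write",
    "delete": "users:admin",
}


def scopes_allows(req: Request) -> bool:
    """Allow only when the token carries the scope mapped to the operation."""
    required = SCOPE_FOR_OP.get(req.operation)
    return required is not None and required in req.scopes


def self_service_allows(req: Request) -> bool:
    """Self-service manager: only the resource owner may act on the resource."""
    return req.subject == req.resource_owner


# Attribute manager: attributes visible on read, and attributes that only
# admins may change (constructed policy).
READABLE = {"userName", "emails", "name", "active"}
ADMIN_ONLY_MUTATION = {"active", "groups"}


def attribute_filter_read(req: Request) -> dict:
    """Return only the attributes the policy allows the caller to see."""
    return {k: v for k, v in req.attributes.items() if k in READABLE}


def attribute_allows_mutation(req: Request) -> bool:
    """Deny a write that touches an admin-only attribute unless caller is admin."""
    if "admins" in req.groups:
        return True
    return not (set(req.attributes) & ADMIN_ONLY_MUTATION)


def decide(manager: str, req: Request) -> tuple:
    """Evaluate the configured manager type against a request.

    Returns (allowed, attributes); attributes is the view of the request's
    attributes the caller may read or write. Unknown manager types deny.
    """
    if manager == "groups":
        return groups_allows(req), dict(req.attributes)
    if manager == "scopes":
        return scopes_allows(req), dict(req.attributes)
    if manager == "self-service":
        return self_service_allows(req), dict(req.attributes)
    if manager == "attribute":
        if req.operation == "read":
            return True, attribute_filter_read(req)
        return attribute_allows_mutation(req), dict(req.attributes)
    return False, {}


if __name__ == "__main__":
    # Constructed request: helpdesk user reading someone else's record.
    req = Request("carol", frozenset({"helpdesk"}), frozenset({"users:read"}),
                  "read", "alice", {"userName": "alice", "password": "x"})
    for kind in ("groups", "scopes", "self-service", "attribute", "unknown"):
        print(kind, decide(kind, req))
```

The dispatch mirrors the page's model of one manager type chosen per protected resource; the attribute manager is the only one that changes the data view rather than just answering allow or deny.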
Adding New Authorization Managers
It is also possible to add new authorization managers by implementing them in SDK plugins. Such custom plugins must implement the AuthorizationManagerPluginDescriptor interface and provide an implementation of at least one of the possible authorization manager types:
- OAuthAuthorizationManager (OAuth authorization)
- ScimAuthorizationManager (SCIM resources authorization)
- GraphQLAuthorizationManager (GraphQL API authorization)
Configuration
Authorization manager instances are created and configured as global facilities and then referenced from the profiles hosting the protected resources.

For instance, to protect the User Management GraphQL API exposed by a given profile:
- A global authorization manager instance should be created and configured.
- A reference to this authorization manager should be configured in that User Management profile.
It is also possible to configure references to authorization manager instances on certain applications, such as the DevOps Dashboard and the User Self-Service Portal. These will override the authorization manager configured in the profile hosting the protected resources.