Configuration Settings for Activate Role at Authentication

The following section provides administrators with information on how to configure the policy that determines what roles are made active for users when the users authenticate. Documentation on how to configure the policy using XML and JavaScript constructs is provided below. General information on configuring roles is located at the Settings for Roles page.

Invocation

At the time a session is authenticated it is possible to automatically activate roles for that session. This also causes the list of Assumable Roles for the session to be computed and cached.

Configuration

For an example of where this configuration should be placed in the Configuration file, see XML File Configuration Format.

Rule Format

Each rule under the Authentication element must meet the following requirements:

  • The actual name, as specified by the Name attribute, must be unique among its siblings, because duplicate names might result in one rule overriding the other. This name is displayed in error and debug messages.
  • The rule's Type attribute must be an htf:map.
  • There must be a child element named Evaluate. This element must be one of the following types:
    • htf:list
    • htf:string
    • xsd:anyURI
    • htf:jscriptexec
  • The Enabled element is optional. When present it must be of type xsd:boolean. If it is set to "false" then the rule is ignored.
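As an added check that is not part of this page or the project, the following Python script applies the four requirements above to a configuration fragment; the fragment is constructed here in the page's own Setting layout and deliberately contains a duplicate rule name and a rule whose Type is not htf:map, so the validator reports both before the configuration is deployed.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the page's layout; not a real configuration file.
SAMPLE = """<Setting Name="Roles" Type="htf:map">
  <Setting Name="Authentication" Type="htf:map">
    <Setting Name="Activation 1" Type="htf:map">
      <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
      <Setting Name="Evaluate" Type="htf:list">
        <Setting Type="xsd:anyURI">RandomRole1</Setting>
      </Setting>
    </Setting>
    <Setting Name="Activation 1" Type="htf:map">
      <Setting Name="Evaluate" Type="htf:jscriptexec">RESULT = "RandomRole2";</Setting>
    </Setting>
    <Setting Name="Activation 3" Type="htf:string">RandomRole3</Setting>
  </Setting>
</Setting>"""

# Types the page allows for the Evaluate child.
EVALUATE_TYPES = {"htf:list", "htf:string", "xsd:anyURI", "htf:jscriptexec"}


def check_activation_rules(xml_text):
    """Return a list of rule-format problems found under Roles/Authentication."""
    root = ET.fromstring(xml_text)
    auth = next((c for c in root.findall("Setting")
                 if c.get("Name") == "Authentication"), None)
    if auth is None:
        return ["no Authentication element under Roles"]
    problems, seen = [], set()
    for rule in auth.findall("Setting"):
        name = rule.get("Name", "<unnamed>")
        # Requirement 1: Name unique among siblings (duplicates may override each other).
        if name in seen:
            problems.append(f"{name}: duplicate Name among siblings (one rule may override the other)")
        seen.add(name)
        # Requirement 2: the rule itself must be an htf:map.
        if rule.get("Type") != "htf:map":
            problems.append(f"{name}: Type must be htf:map, got {rule.get('Type')}")
        children = {c.get("Name"): c for c in rule.findall("Setting")}
        # Requirement 3: an Evaluate child of one of the allowed types.
        ev = children.get("Evaluate")
        if ev is None:
            problems.append(f"{name}: missing Evaluate child")
        elif ev.get("Type") not in EVALUATE_TYPES:
            problems.append(f"{name}: Evaluate has unsupported Type {ev.get('Type')}")
        # Requirement 4: Enabled is optional, but when present it must be an xsd:boolean.
        en = children.get("Enabled")
        if en is not None and (en.get("Type") != "xsd:boolean"
                               or (en.text or "").strip() not in ("true", "false")):
            problems.append(f"{name}: Enabled must be an xsd:boolean with value true or false")
    return problems
```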

JavaScript

When the Evaluate element is of type htf:jscriptexec, the resulting JavaScript may compute roles by any mechanism available to it. The role, or list of roles, is returned by assigning it to the JavaScript variable RESULT. The following variables are Java objects and are always present in the JavaScript; you can access them through their Java interfaces.

  • authMethod - The authentication method that was used to authenticate; it is a Java object of class IAuthMethod.
  • authSession - The local authenticated session; it is a Java object of class IAuthSession.

Sample

        <Setting Name="Roles" Type="htf:map">
                <!-- Root-most role configuration element; should be located under the OtisConfiguration element -->
                <Setting Name="JSSharedScope" Type="htf:jscriptscope">
                        importPackage(Packages.org.bandit.otis.impl);
                        importPackage(Packages.org.bandit.otis.api);

                        // ..... other JavaScript elements here
                </Setting>

                <Setting Name="Authentication" Type="htf:map">
                        <Setting Name="Activation 1" Type="htf:map">
                                <!-- The actual name must be unique among its siblings and will be displayed in error and debug messages.
                                     The element must be of type htf:map -->
                                <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
                                <!-- Enabled is an optional element for turning the rule off and on in the configuration -->
                                <Setting Name="Evaluate" Type="htf:list">
                                        <!-- The Evaluate member must be an htf:list, an htf:string, an xsd:anyURI or an htf:jscriptexec.
                                             Its evaluation will be assumed to be a list of roles compatible with the assumable roles list.
                                             If this returns a name not in the assumable roles list for that user, it will be ignored. -->
                                        <Setting Type="xsd:anyURI">RandomRole1</Setting>
                                </Setting>
                        </Setting>
                        <Setting Name="Activation 2" Type="htf:map">
                                <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
                                <Setting Name="JSSharedScope" Type="htf:ref">/Roles/JSSharedScope</Setting>
                                <Setting Name="Evaluate" Type="htf:jscriptexec">
                                        if ( authMethod.getAuthEntityId() == "some entity id")
                                                RESULT = "RandomRole2";
                                </Setting>
                        </Setting>
                </Setting>
...........