Granular Access Rules
The granular access features of the dashboard let you control which resources (service providers) users are allowed to authenticate to. As the identity provider, you can make the authorisation decision for a resource a user is trying to access yourself, rather than relying on the service provider to make that decision on your behalf.
Please note that to use this feature you must first visit “Dashboard admin” -> “Statistics Settings” and set up the LDAP group attribute as described in https://www.overtsoftware.com/dashboard-docs/statistics-settings/
Creating a Granular Access Rule
To add a new granular access rule, click the “Add new” button. You will then be presented with a form with the following fields:
- Rule name – The name of the rule you are creating. It is best to use a recognisable name that describes the logic you are implementing.
- Entity ID – The entity ID(s) of the service provider(s)/resource(s) this rule applies to. Clicking on the input box displays a drop-down list of service providers known to the IdP; you can also search for a specific service provider by typing the SP’s name. You can select multiple SPs for the rule to apply to. To remove an SP from the list, click on its name and press your keyboard’s backspace key. If you have set friendly names for your service providers these are displayed in the drop-down list; otherwise the SP’s entity ID is displayed instead. If a specific SP is not in the list, it means no authentications to that SP have been found in your IdP logs.
Once you have chosen the SP or SPs the rule applies to, you have two options: deny everybody and allow only certain groups of users access to the SP by using the “Allow Groups” field, or allow everybody and deny access only to certain groups by using the “Deny Groups” field.
- Allow Groups – Clicking on the input box displays a drop-down list of LDAP groups the filter can apply to. Select as many LDAP groups from the list as you like, or search for a group by typing its name in the input box. To remove a group from the list, click the group name and press the backspace key on your keyboard. As mentioned earlier, the LDAP groups in this list are populated from the “Group attribute” setting at https://www.overtsoftware.com/dashboard-docs/statistics-settings/. Setting a list of allowed groups in this field denies access to the chosen SP to all users except members of the groups you have entered here.
- Deny Groups – Clicking on the input box displays a drop-down list of LDAP groups, populated in the same way as for Allow Groups; groups are selected, searched for and removed in the same manner. Setting a list of deny groups in this field allows access to the chosen SP to all users except members of the groups you have entered here.
- Comments – Here you can enter some notes which will help you to understand the purpose of this rule, for example “Allowing all users to access the payroll system except students”
Once you have filled out the form and entered the logic for your new rule, save it by clicking the “Save” button.
When the rule has been saved you are returned to the granular access rule table. You can download a tab-separated list of all rules defined on the dashboard by clicking the “Download TSV” button in the top right-hand corner, which you can then open in a text editor or a spreadsheet application such as Microsoft Excel.
Finding Granular Access Rules
You can increase or decrease the number of rules displayed in the table by adjusting the “Show ‘x’ entries” drop-down underneath the add and delete buttons. If your rules span multiple pages, you can navigate between pages using the pagination links at the bottom of the table.
Underneath the “Download TSV” button there is also a search box that searches the entire rule database by rule name, entity ID or LDAP group, so you can locate the rule you are looking for without scrolling through multiple pages of rules.
Editing a Granular Access Rule
Within the table each row contains clickable data. Clicking on any highlighted piece of text lets you make inline changes to a rule directly in the rules table: a small modal window appears in which you can enter the new value. When you have finished editing, click the ‘tick’ icon to save your changes or the ‘cross’ icon to cancel them. The rule name, entity ID, allow groups, deny groups and comments can all be changed in this manner.
Enabling / Disabling / Changing Order of Rules
At the end of each row in the rule table is a green tick icon, which indicates that the rule is currently active on the IdP. Click the green tick icon to disable a rule; the rule then appears ‘greyed out’, meaning it is not currently active. Click the icon again to re-enable the rule.
Using the arrow icon next to the enabled/disabled tick icon you can move rules within the table: click the icon and drag the rule to the position you want it to occupy in the rule order. Rules at the top of the table take precedence over rules below them, so it is important to think about the structure of your rules as you create them: if a rule at the top of the table denies a group of users access to a service provider, you cannot grant those users access with a rule beneath it. This is where ordering the rules with the ‘move’ function becomes necessary.
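To make the effect of rule order and of the Allow/Deny Groups fields concrete, here is an added Python example that models a rule table with the behaviour described above. It is not the dashboard’s own code. It assumes that rules are evaluated top to bottom and the first enabled rule whose entity ID list contains the SP decides the outcome, that deny groups are checked before allow groups within a single rule, and that an SP with no applicable enabled rule is allowed; the entity IDs, group names and rule names are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    """One row of the granular access rule table (field names are assumptions)."""
    name: str
    entity_ids: frozenset                    # SPs this rule applies to
    allow_groups: frozenset = frozenset()    # "deny everybody except these groups"
    deny_groups: frozenset = frozenset()     # "allow everybody except these groups"
    enabled: bool = True                     # the green tick in the table


def evaluate(rules, entity_id, user_groups):
    """Walk the ordered rule table and return (decision, deciding_rule_name).

    Assumed semantics (not stated on the page): the first enabled rule that
    lists the SP decides; deny groups are checked before allow groups within
    a rule; with no applicable rule the IdP allows the authentication.
    """
    groups = frozenset(user_groups)
    for rule in rules:
        if not rule.enabled or entity_id not in rule.entity_ids:
            continue                          # greyed out, or not about this SP
        if rule.deny_groups and groups & rule.deny_groups:
            return "deny", rule.name          # member of a denied group
        if rule.allow_groups and not (groups & rule.allow_groups):
            return "deny", rule.name          # allow list set, user not in it
        return "allow", rule.name             # this rule matched and permits
    return "allow", None                      # no rule applies to this SP


# Constructed sample data: hypothetical entity IDs and LDAP group names.
PAYROLL = "https://payroll.example.edu/shibboleth"
LIBRARY = "https://library.example.edu/sp"

DENY_STUDENTS = Rule("Deny students from payroll", frozenset({PAYROLL}),
                     deny_groups=frozenset({"students"}))
ALLOW_FINANCE = Rule("Allow finance and HR to payroll", frozenset({PAYROLL}),
                     allow_groups=frozenset({"finance", "hr"}))


def ordering_matters():
    """A student who also works in finance: the outcome depends on rule order."""
    student_in_finance = ["students", "finance"]
    deny_first = evaluate([DENY_STUDENTS, ALLOW_FINANCE], PAYROLL, student_in_finance)
    allow_first = evaluate([ALLOW_FINANCE, DENY_STUDENTS], PAYROLL, student_in_finance)
    return deny_first, allow_first


def disabled_rule_is_skipped():
    """Greying out the deny rule lets evaluation fall through to the allow rule."""
    table = [replace(DENY_STUDENTS, enabled=False), ALLOW_FINANCE]
    return evaluate(table, PAYROLL, ["students", "finance"])


if __name__ == "__main__":
    for label, outcome in zip(("deny rule first", "allow rule first"), ordering_matters()):
        print(f"{label}: {outcome}")
    print("deny rule disabled:", disabled_rule_is_skipped())
    print("plain student at payroll:", evaluate([ALLOW_FINANCE], PAYROLL, ["students"]))
    print("unrelated SP:", evaluate([ALLOW_FINANCE, DENY_STUDENTS], LIBRARY, ["students"]))
```

Running the script shows the same user being denied when the deny rule sits above the allow rule and allowed when the order is reversed, which is exactly why the ‘move’ function matters; a disabled rule is simply skipped, and an SP that no enabled rule lists is left to the IdP’s default behaviour.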
Deleting a Granular Access Rule
To delete a rule or a set of rules, select the rules in question by ticking the checkbox at the start of each row. You can select as many rules as you wish, then click the red “Delete Selected” button at the top of the page. You will be prompted to confirm that you wish to delete the rules before they are removed from the dashboard.
Auditing Granular Access Rules
If you would like to audit the rules you have created, to see which rules are denying a user access to a certain SP or allowing them access to others, visit the log viewer under “Diagnostics” -> “Log Viewer”. Here you can see which rules were applied to a specific authentication and the outcome of each rule (whether the user was allowed or denied access).
Editing ‘Access Denied’ Error Page
When users trigger a rule that denies them access, they are shown an ‘access denied’ error page from within the IdP itself, instead of whatever similar page the SP may or may not present. This lets you give users a unified error-message experience, and you can include on the access denied page information that helps the user understand why they don’t have access, or instructions on where to obtain help with their issue. The access denied page can be amended on the messages page found at “Configuration” -> “Appearance” -> “Messages”.