Lab 1.5 - Implement Fine-Grained Access Controls ================================================== Up to this point any authenticated user to the API is authorized to use them. In this section we will restrict user1's ability to create users, but will still be able to modify the user's employee number. Task 1 - Retrieve Group Membership Subsession Variable -------------------------------------------------------- .. note :: In order to implement fine-grained control the session variables that contain the data must be known. This first session shows you how to display the session variables and their values. 1. From the Jumpbox desktop click on the **BIG-IP1** Putty icon |image47| 2. Enter the command **sessiondump --delete all** to remove any existing APM sessions |image41| 3. Enter the command **tailf /var/log/apm**. Hit enter a few times to create some space on the screen |image84| 4. From Postman, Select the request **GET-Retrieve User Attributes-JWT-Pass**. The Authorization field should already be populated with User1's token. |image42| 5. Click **Send** 6. You receive a **200 OK** response status code with attributes for user1 in the body of the response |image31| .. Note :: Your SessionID will be different 7. Return to the CLI and examine the logs. You will see a message about a new subsession being created. Copy the subsession ID |image85| 8. Exit the logs using Ctrl+Z 9. Enter the command **sessiondump -subkeys ** |image86| 10. Scroll through input until you find the session variable for **subsession.oauth.scope.last.jwt.groups** |image87| Task 2 - Edit the per-request policy -------------------------------------- 1. Return to BIG-IP1's management interface in the browser and click on the **Access** tab located on the left side |image0| 2. Navigate to API Protection >> Profile. Click **Profile** to modify the previously created API protection Profile (not the + Plus symbol) |image48| 3. Click **Edit** Under Per-Request Policy |image49| 4. Click the **Allow** terminal located at the end of the **GET /aduser/create** branch |image72| 5. Select **Deny** 6. Click **Save** |image60| 7. Click the **+ (Plus Symbol)** on the GET /aduser/create branch |image50| 8. Click the **General Purpose** tab 9. Select **Empty** 10. Click **Add Item** |image51| 11. Enter the name **Claim Check** |image53| 12. Click the **Branch Rules** tab 13. Click the **Add Branch Rule** |image52| 14. Enter Name **CreateUser** 15. Click **Change** |image54| 16. Click the **Advanced** tab 17. Enter the string in the notes section to restrict access to only members of the **CreateUser** Group. 18. Click **Finished** .. Note :: expr {[mcget {subsession.oauth.scope.last.jwt.groups}] contains "CreateUser"} |image55| 19. Click **Save** |image56| 20. Click **Reject** on the CreateUser Branch to permit access |image57| 21. Select **Allow** 22. Click **Save** |image58| 23. Review the Policy Flow |image61| Task 3 - Test the Fine-Grained Access Control with user1 ----------------------------------------------------------- 1. From Postman select the request **GET-Create User-JWT-Pass** |image45| 2. Select the **Authorization** Tab |image43| 3. Select the previously created **User1** token from the **Available Tokens** dropdown 4. The **Token** field is now populated 5. Click **Send** 6. You receive a **403 Forbidden** response status code when using user1. User1 does not contain the proper claim data. |image26| Task 4 - Test the Fine-Grained Access Control with user2 ----------------------------------------------------------- 1. Select the request **GET-Create User-JWT-Pass** |image45| 2. Select the **Authorization** tab 3. Click **Get New Access Token** |image44| 4. Enter **User2** for the Token Name and review the Postman Configuration. Nothing else should need to be modified 5. Click **Request Token** |image101| 6. Login using Username: **user2**, Password: **user2** |image62| 7. Scroll down to the token and click **Use Token** 8. The **Token** field is now populated 9. Click **Send** 10. You receive a **200 OK** response status code when using user2. User2 does contain the proper claim data |image46| .. |image0| image:: /_static/class1/module1/image000.png :width: 800px .. |image1| image:: /_static/class1/module1/image001.png .. |image2| image:: /_static/class1/module1/image002.png .. |image3| image:: /_static/class1/module1/image003.png .. |image4| image:: /_static/class1/module1/image004.png .. |image5| image:: /_static/class1/module1/image005.png :width: 800px .. |image6| image:: /_static/class1/module1/image006.png :width: 800px .. |image7| image:: /_static/class1/module1/image007.png .. |image8| image:: /_static/class1/module1/image008.png .. |image9| image:: /_static/class1/module1/image009.png .. |image10| image:: /_static/class1/module1/image010.png .. |image11| image:: /_static/class1/module1/image011.png .. |image12| image:: /_static/class1/module1/image012.png :width: 800px .. |image13| image:: /_static/class1/module1/image013.png :width: 800px .. |image14| image:: /_static/class1/module1/image014.png :width: 800px .. |image15| image:: /_static/class1/module1/image015.png :width: 800px .. |image16| image:: /_static/class1/module1/image016.png :width: 800px .. |image17| image:: /_static/class1/module1/image017.png :width: 800px .. |image18| image:: /_static/class1/module1/image018.png .. |image19| image:: /_static/class1/module1/image019.png .. |image20| image:: /_static/class1/module1/image020.png .. |image21| image:: /_static/class1/module1/image021.png :width: 700px .. |image22| image:: /_static/class1/module1/image022.png .. |image23| image:: /_static/class1/module1/image023.png .. |image24| image:: /_static/class1/module1/image024.png .. |image25| image:: /_static/class1/module1/image025.png .. |image26| image:: /_static/class1/module1/image026.png .. |image27| image:: /_static/class1/module1/image027.png :width: 600px .. |image28| image:: /_static/class1/module1/image028.png .. |image29| image:: /_static/class1/module1/image029.png .. |image31| image:: /_static/class1/module1/image031.png .. |image32| image:: /_static/class1/module1/image032.png .. |image33| image:: /_static/class1/module1/image033.png :width: 800px .. |image34| image:: /_static/class1/module1/image034.png .. |image35| image:: /_static/class1/module1/image035.png .. |image36| image:: /_static/class1/module1/image036.png .. |image37| image:: /_static/class1/module1/image037.png .. |image38| image:: /_static/class1/module1/image038.png .. |image39| image:: /_static/class1/module1/image039.png .. |image40| image:: /_static/class1/module1/image040.png .. |image41| image:: /_static/class1/module1/image041.png .. |image42| image:: /_static/class1/module1/image042.png .. |image43| image:: /_static/class1/module1/image043.png .. |image44| image:: /_static/class1/module1/image044.png .. |image45| image:: /_static/class1/module1/image045.png .. |image46| image:: /_static/class1/module1/image046.png .. |image47| image:: /_static/class1/module1/image047.png .. |image48| image:: /_static/class1/module1/image048.png .. |image49| image:: /_static/class1/module1/image049.png :width: 800px .. |image50| image:: /_static/class1/module1/image050.png .. |image51| image:: /_static/class1/module1/image051.png .. |image52| image:: /_static/class1/module1/image052.png .. |image53| image:: /_static/class1/module1/image053.png .. |image54| image:: /_static/class1/module1/image054.png .. |image55| image:: /_static/class1/module1/image055.png .. |image56| image:: /_static/class1/module1/image056.png :width: 800px .. |image57| image:: /_static/class1/module1/image057.png .. |image58| image:: /_static/class1/module1/image058.png .. |image59| image:: /_static/class1/module1/image059.png .. |image60| image:: /_static/class1/module1/image060.png .. |image61| image:: /_static/class1/module1/image061.png :width: 800px .. |image62| image:: /_static/class1/module1/image062.png .. |image63| image:: /_static/class1/module1/image063.png .. |image72| image:: /_static/class1/module1/image072.png .. |image84| image:: /_static/class1/module1/image084.png :width: 800px .. |image85| image:: /_static/class1/module1/image085.png :width: 1200px .. |image86| image:: /_static/class1/module1/image086.png :width: 1200px .. |image87| image:: /_static/class1/module1/image087.png :width: 1200px .. |image101| image:: /_static/class1/module1/image101.png