Lab 1.5 - Implement Fine-Grained Access Controls

Up to this point, any user who authenticates to the API is authorized to call every endpoint. In this section we restrict user1's ability to create users, while user1 will still be able to modify a user's employee number.

Task 1 - Retrieve Group Membership Subsession Variable

Note

To implement fine-grained control, you must know which session variables carry the data the policy will evaluate. This first task shows you how to display the session variables and their values.

  1. From the Jumpbox desktop, click the BIG-IP1 PuTTY icon.
  2. Enter the command sessiondump --delete all to remove any existing APM sessions.
  3. Enter the command tailf /var/log/apm. Press Enter a few times to create some space on the screen.
  4. In Postman, select the request GET-Retrieve User Attributes-JWT-Pass. The Authorization field should already be populated with user1's token.
  5. Click Send.
  6. You receive a 200 OK response status code with user1's attributes in the body of the response.

Note

Your SessionID will be different.

  7. Return to the CLI and examine the logs. You will see a message about a new subsession being created. Copy the subsession ID.
  8. Exit the log view with Ctrl+C (Ctrl+Z only suspends tailf and leaves it behind as a stopped job).
  9. Enter the command sessiondump --subkeys <subsessionID>.
  10. Scroll through the output until you find the session variable subsession.oauth.scope.last.jwt.groups. This is the variable the per-request policy will evaluate in Task 2; note exactly how its value is rendered, because the branch rule compares that string.

Task 2 - Edit the per-request policy

  1. Return to BIG-IP1's management interface in the browser and click the Access tab on the left side.
  2. Navigate to API Protection >> Profile. Click Profile to modify the previously created API Protection profile (not the + plus symbol).
  3. Click Edit under Per-Request Policy.
  4. Click the Allow terminal at the end of the GET /aduser/create branch.
  5. Select Deny.
  6. Click Save.
  7. Click the + (plus symbol) on the GET /aduser/create branch.
  8. Click the General Purpose tab.
  9. Select Empty.
  10. Click Add Item.
  11. Enter the name Claim Check.
  12. Click the Branch Rules tab.
  13. Click Add Branch Rule.
  14. Enter the name CreateUser.
  15. Click Change.
  16. Click the Advanced tab.
  17. Enter the expression shown in the Note below. It sends a request down the CreateUser branch only when the groups claim of the validated JWT contains CreateUser.
  18. Click Finished.

Note

expr {[mcget {subsession.oauth.scope.last.jwt.groups}] contains "CreateUser"}

Use straight double quotes; the curly quotes a word processor substitutes are not valid in the expression. Also note that contains is a substring test on the variable's string value, not an exact group comparison: a token whose groups claim carried a group such as CreateUserAudit would satisfy this rule too. Keep group names unambiguous and check the value you saw in the sessiondump output in Task 1 before relying on a substring match.

  19. Click Save.
  20. Click the Reject terminal at the end of the CreateUser branch. This terminal must be changed so that members of the group are permitted through.
  21. Select Allow.
  22. Click Save.
  23. Review the policy flow. A request for GET /aduser/create now reaches Allow only by way of the CreateUser branch of Claim Check; the fallback branch ends in Deny.
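The decision the per-request policy now makes, modeled in Python as an added example (this is not APM code and is not part of the lab): the token is validated before any claim is trusted, then the groups claim is checked for CreateUser on GET /aduser/create, under both an exact-match predicate and a substring predicate that stands in for the contains operator. Assumptions that are mine, not the lab's: tokens are HS256-signed with a constructed shared secret (the lab's OAuth provider uses its own keys), the claim is named groups and holds a JSON array, APM's contains is modeled as a substring test over the space-joined list, the employee-number endpoint is called /aduser/modify, and the group CreateUserAudit is a hypothetical name used only to show why a substring match over-grants.

```python
"""Model of the Lab 1.5 per-request decision (added example, not APM code)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example; the lab's OAuth provider uses its own signing keys.
SECRET = b"lab-shared-secret"
PROTECTED = ("GET", "/aduser/create")  # the branch the lab restricts


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint a constructed HS256 token so the example runs offline."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims only if the signature verifies, else None.
    Stands in for the validation APM performs before it populates the
    subsession.oauth.scope.last.jwt.* variables."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return claims


def groups_contains(groups: list, name: str) -> bool:
    """Substring test: models the lab's `contains` branch rule, which compares
    the variable's string value (assumed here to be the space-joined list)."""
    return name in " ".join(groups)


def groups_exact(groups: list, name: str) -> bool:
    """Exact membership test: the check a practitioner wants."""
    return name in groups


def authorize(method: str, path: str, token: str, exact: bool = True) -> int:
    """Status the policy would return: 401 (token rejected), 403 (claim check
    failed on the protected branch) or 200 (allowed)."""
    claims = verify_jwt(token)
    if claims is None:
        return 401
    if (method, path) != PROTECTED:
        return 200  # every other endpoint is still open to any valid token
    groups = claims.get("groups", [])
    if isinstance(groups, str):  # tolerate a single-valued claim
        groups = [groups]
    check = groups_exact if exact else groups_contains
    return 200 if check(groups, "CreateUser") else 403


# Constructed tokens standing in for the Postman tokens of the lab.
USER1 = make_jwt({"sub": "user1", "groups": ["Employees"]})
USER2 = make_jwt({"sub": "user2", "groups": ["Employees", "CreateUser"]})
# Hypothetical group name chosen only to show the substring problem.
LOOKALIKE = make_jwt({"sub": "user3", "groups": ["CreateUserAudit"]})
# user1's header and signature with a payload that adds the group: must fail validation.
_h, _, _s = USER1.split(".")
_forged_payload = b64url_encode(b'{"sub":"user1","groups":["CreateUser"]}')
FORGED = f"{_h}.{_forged_payload}.{_s}"

if __name__ == "__main__":
    for who, tok in (("user1", USER1), ("user2", USER2), ("lookalike", LOOKALIKE), ("forged", FORGED)):
        print(f"{who:9} exact={authorize(*PROTECTED, tok)} contains={authorize(*PROTECTED, tok, exact=False)}")
```

Run it with python3 to print the decision for each token under both predicates: user1 gets 403 and user2 gets 200 either way, as in Tasks 3 and 4, but the lookalike token is allowed only by the substring predicate, and the forged token never reaches the claim check. In the APM policy itself, an exact comparison rather than contains (for instance an lsearch -exact over the mcget value, which assumes APM exposes the array claim as a Tcl list, so confirm against the sessiondump output from Task 1) closes the gap the lookalike token exploits.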

Task 3 - Test the Fine-Grained Access Control with user1

  1. From Postman, select the request GET-Create User-JWT-Pass.
  2. Select the Authorization tab.
  3. Select the previously created User1 token from the Available Tokens dropdown.
  4. The Token field is now populated.
  5. Click Send.
  6. You receive a 403 Forbidden response status code when using user1's token: its groups claim does not include CreateUser, so the request falls through Claim Check to the Deny terminal.

Task 4 - Test the Fine-Grained Access Control with user2

  1. Select the request GET-Create User-JWT-Pass.
  2. Select the Authorization tab.
  3. Click Get New Access Token.
  4. Enter User2 for the Token Name and review the Postman configuration. Nothing else should need to be modified.
  5. Click Request Token.
  6. Log in using Username: user2, Password: user2.
  7. Scroll down to the token and click Use Token.
  8. The Token field is now populated.
  9. Click Send.
  10. You receive a 200 OK response status code when using user2's token: its groups claim includes CreateUser, so the request takes the CreateUser branch to Allow.