Question

I'm using WSO2 Identity Server version 4.6.0.

I am trying to understand how WSO2 IS can be deployed in a correct way so that a PEP can send requests to the PDP without giving the authenticated user too many rights at the WSO2 IS level.

Indeed, I have noticed with the help of the thread below that the permission "Manage" must be set for the user so that it can call the PDP:

Permissions to set in order to enable access to XACML PDP

I have tried to remove some sub-permissions of the parent permission "Manage", but each time the call to the PDP returns an "Access Denied".

My problem:

The permission "Manage" gives a user too much access just to call the PDP.

My question:

Is there a way to avoid this issue?

Solution

Yes.. I also agree with you.. But to change this permission, you may need to modify the jar file of WSO2 IS, because it is already defined in the service.xml file of the jar file which exposes this EntitlementService. Please check here. However, we can configure a new permission by modifying this value. Let's say /permission/admin/manage/add/service is going to be configured.

How to modify the jar file:

  1. Locate the entitlement jar file and open it.

file-roller wso2is-4.5.0/repository/components/plugins/org.wso2.carbon.identity.entitlement_4.2.0.jar

  2. Locate the service.xml file inside META-INF and open it.

  3. Then modify the value under the EntitlementService configuration.

  4. Restart the server.

Like that you can modify the permission for any pre-defined value. Also, you can add a new permission to the above permission tree by adding a new resource from the registry browser. If you browse to /_system/governance/permission/admin/manage using the registry browser, you can define a new collection with the name attribute. Then it would show in the permission tree. I guess this would help you.
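The procedure in the answer (open the jar, edit the service descriptor in META-INF, narrow the permission the EntitlementService demands, restart) can be scripted so the change is repeatable and reviewable instead of a hand edit inside an archive. The following is an added example, not code from the answer or from WSO2. It assumes the Axis2/Carbon descriptor layout: the file is at `META-INF/services.xml` (the answer calls it service.xml), each `<service name="...">` carries a `<parameter name="AuthorizationAction">` holding the permission path, and the service is named `EntitlementService`. Those names are assumptions modelled on the Carbon convention, not verified against the 4.x jar; the sample descriptor the script builds is constructed test data. The narrower permission you write in must also exist in the registry permission tree (the collection under /_system/governance/permission/admin/manage described above), or the service will keep denying access.

```python
"""Narrow the permission an admin service demands by rewriting its descriptor in the jar."""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

# Assumed descriptor path (Axis2/Carbon convention); the answer refers to it as service.xml.
SERVICES_XML = "META-INF/services.xml"

# Constructed sample descriptor modelled on the Carbon services.xml layout.
# Element and attribute names are assumptions, not copied from the real jar.
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<serviceGroup>
    <service name="EntitlementService" scope="transportsession">
        <parameter name="ServiceClass">org.example.EntitlementService</parameter>
        <parameter name="AuthorizationAction" locked="true">/permission/admin/manage</parameter>
        <parameter name="AdminService" locked="true">true</parameter>
    </service>
</serviceGroup>
"""


def build_sample_jar(path):
    """Write a minimal jar containing only the constructed descriptor."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(SERVICES_XML, SAMPLE_SERVICES_XML)
    return path


def _find_auth_param(root, service_name):
    """Return the AuthorizationAction <parameter> of the named <service>, or None."""
    for service in root.iter("service"):
        if service.get("name") == service_name:
            for param in service.findall("parameter"):
                if param.get("name") == "AuthorizationAction":
                    return param
    return None


def read_authorization_action(jar_path, service_name):
    """Read the permission path the named service currently demands (None if absent)."""
    with zipfile.ZipFile(jar_path) as jar:
        root = ET.fromstring(jar.read(SERVICES_XML))
    param = _find_auth_param(root, service_name)
    return None if param is None or param.text is None else param.text.strip()


def rewrite_authorization_action(jar_in, jar_out, service_name, new_permission):
    """Copy jar_in to jar_out with the service's AuthorizationAction replaced.

    Every other jar entry is copied unchanged; only the descriptor is regenerated.
    Returns the permission that was replaced so the caller can record the change.
    """
    if not new_permission.startswith("/permission/"):
        raise ValueError("permission must be a registry path under /permission/")
    with zipfile.ZipFile(jar_in) as src, \
            zipfile.ZipFile(jar_out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read(SERVICES_XML))
        param = _find_auth_param(root, service_name)
        if param is None:
            raise LookupError(f"no AuthorizationAction for service {service_name!r}")
        old = param.text.strip()
        param.text = new_permission
        rewritten = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                     + ET.tostring(root, encoding="utf-8"))
        for item in src.infolist():
            data = rewritten if item.filename == SERVICES_XML else src.read(item.filename)
            dst.writestr(item, data)
    return old


def demo():
    """Build the sample jar, narrow the permission, and report before/after values."""
    with tempfile.TemporaryDirectory() as tmp:
        original = build_sample_jar(os.path.join(tmp, "entitlement.jar"))
        patched = os.path.join(tmp, "entitlement-patched.jar")
        old = rewrite_authorization_action(
            original, patched, "EntitlementService",
            "/permission/admin/manage/add/service")  # the narrower path from the answer
        return {
            "old": old,
            "new": read_authorization_action(patched, "EntitlementService"),
            "untouched": read_authorization_action(original, "EntitlementService"),
        }


if __name__ == "__main__":
    print(demo())
```

Keep the patched jar under version control or a build script rather than editing the deployed file in place: a product upgrade replaces the plugin jar and silently restores the broad "Manage" requirement, which is exactly the regression a least-privilege PEP account should not inherit unnoticed.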

Licensed under: CC-BY-SA with attribution