
Limit role to access certain instances of Identity Manager client

This article is valid for Smart ID 20.11.2 and later. 

This article describes how to use instance ID and role configuration to limit the access to a certain instance of Identity Manager Operator. For example, this can be useful if there are two instances which are intended for use on the internet and intranet, respectively. 

Step-by-step instruction

Set instance ID property

On Docker deployment, Smart ID 20.06 or later

 Update instance ID in docker-compose.yml
  1. Navigate to the docker\compose folder of the Identity Manager client instance, for example: 

    Example: docker-compose.yml folder

    \docker\compose\identitymanager\operator

  2. Open the file docker-compose.yml for editing.
  3. Add a system.properties.idmInstanceId entry with a unique and descriptive instance ID name: 

    Example: instance ID in system.properties
    services:
      idm-operator:
        ...
        labels:
    		...
            - "system.properties.idmInstanceId=instanceName"
  4. Save the file.

On legacy installation, 3.12.x or older

 Update instance ID in system.properties
  1. Navigate to the WEB-INF\classes folder of the Identity Manager client instance, for example: 

    Example: system.properties folder

    \tomcat\webapps\prime_explorer\WEB-INF\classes

  2. Open the file system.properties for editing.
  3. Update idmInstanceId to a unique and descriptive name: 

    Example: instance ID in system.properties
    #In a multi-node env the instance ID is the value that uniquely identifies each Tomcat
    idmInstanceId=instanceName

    The old property detailedUserInformationCreator.explorerInstanceId also still works for the same setting.
  4. Save the file. 

Set available instance IDs in role

 Update role configuration in Identity Manager Admin

To limit an Identity Manager role to only access certain instances, update the Instance Ids field in the Role configuration with one or more idmInstanceId values that were configured in system.properties.

For more information, see the section For roles: Limit access to certain instance IDs in Set permissions from Identity Manager users or roles.

Example use case: internet and intranet instances

 Example use case: internet and intranet instances of Identity Manager Operator

Settings

Instances of Identity Manager Operator:

  • instanceId = Internet
  • instanceId = Intranet

Roles: 

  • Administrator: limited to Intranet
  • User: all instances available.
    This is set by leaving the Instance Ids field empty in the Role settings.  

User:

  • admin, with assigned roles: Administrator, User

Resulting behavior

  • When the admin user logs into Identity Manager Operator using the Tomcat instance Intranet, they will have the role Administrator.
  • When the admin user logs into Identity Manager Operator using the Tomcat instance Internet, they will have the role User.


If no instanceId is set in system.properties, then a user that logs in to that instance will only be able to use roles that are available on every instance. 

With the scenario above, this means:

  • When the admin user logs in to an instance without instanceId, they will have the role User.
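The role resolution rule described above (an unrestricted role is available on every instance, a restricted role only on its listed instance IDs, and an instance without an instance ID only matches unrestricted roles), written out as an added Python model. This is illustration code, not part of Identity Manager; the Role class, role_available_on and effective_roles names are assumptions, and the sample roles reproduce the Internet/Intranet scenario.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    # Mirrors the "Instance Ids" field of the role: the idmInstanceId values
    # this role may be used on. Empty means the role is available on every instance.
    instance_ids: FrozenSet[str] = field(default_factory=frozenset)


def role_available_on(role: Role, instance_id: Optional[str]) -> bool:
    """Decide whether a role can be used on the instance the user logged in to.

    instance_id is the idmInstanceId of that instance, or None when the
    instance has no instance ID configured. An instance without an ID can
    never satisfy an instance restriction, so only unrestricted roles apply.
    """
    if not role.instance_ids:
        return True
    if instance_id is None:
        return False
    return instance_id in role.instance_ids


def effective_roles(assigned: List[Role], instance_id: Optional[str]) -> Set[str]:
    """Return the names of the assigned roles usable on the given instance."""
    return {role.name for role in assigned if role_available_on(role, instance_id)}


# Constructed sample matching the use case in the text (hypothetical values).
ADMINISTRATOR = Role("Administrator", frozenset({"Intranet"}))  # limited to Intranet
USER = Role("User")                                             # Instance Ids left empty
ADMIN_USER_ROLES = [ADMINISTRATOR, USER]                        # roles of user "admin"

if __name__ == "__main__":
    for instance in ("Intranet", "Internet", None):
        print(instance, "->", sorted(effective_roles(ADMIN_USER_ROLES, instance)))
```

On the Intranet instance the admin user keeps both Administrator and the unrestricted User role; on Internet, or on an instance with no instance ID, only User remains.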


Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.