java, json, spring, post, policy-server

Effective way to parse & retrieve Policy Server response using Java


I have a Policy Server where I'm creating resources & roles. The resources are guided by policies which are defined based on the roles. For example, assume we have the following resources: button1, button2, Submit, table2, and roles like Google:NA:Admin, Yahoo:CHN:Admin, Google:CHN:User, Alphabet:EU:Admin, etc. The user will be registering for a role by logging into the Policy Server site by providing a username and password. I'm getting the authorized resource list for each user from a server. The response from the server will be like the following for a username "greenUser" (the only parameter sent as part of the POST request to the Policy Server API).

{"permit":[
  "button1",
  "table2",
  "Role:Google:NA:Admin",
  "Submit"
]
}

The requirement is to determine the Role of the user, Region, Company & the list of resources he has access to. So, I created a resource with the same name as the "Role" and restricted the access in Policy Server for that particular Role. E.g.: I created a role "Google:NA:Admin" and created a policy to restrict the access to only role "Role:Google:NA:Admin". The intention is to find this resource as part of the response and to determine the Role the user has. There is a possibility that a user can have multiple roles, e.g. he can be an admin for Google (NA region) & Alphabet (EU region).

To determine the Region and Company from the roles, I created a JSON like the following:

{
  "Roles": [
    {
      "Google": [
        {"NA": ["Role:Google:NA:Admin", "Role:Google:NA:User"]},
        {"CHN": ["Role:Google:CHN:Admin", "Role:Google:CHN:User"]}
      ]
    },
    {
      "Alphabet": [
        {"NA": ["Role:Alphabet:NA:Admin", "Role:Alphabet:NA:User"]},
        {"CHN": ["Role:Alphabet:CHN:Admin", "Role:Alphabet:CHN:User"]}
      ]
    }
  ]
}

I have created a method using Java which parses the entire JSON, and if the value matches the particular "Role" resource returned, then I'm capturing the key (e.g. CHN) as the Region & the key of the outer JSON element as the "Company".

I want to check if there is a better way to determine the Role, Region & Company of the user. The above mentioned JSON is my idea. I would love to hear if there is a better design or approach other than the JSON. Example Code snippets are appreciated.

Sorry for the long post. I tried my best to capture the complete requirement. Thanks in advance.


Solution

  • If the Policy Server has an API to getRoles for a given user, I would use that or create one instead (if possible). Adding roles as resources will be my last plan if all doors are closed.

    Not clear about which system generates the company-country-roles JSON. Is it the policy server or your application? If it is the policy server, I would return an array of policyNames (getRoles API). If your application is going to return this JSON, I would discuss it with the consumer of the application service and decide if it meets their expectations. If there is no consumer, I would just return an array of Role Names to keep it simple.
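
An added example, not part of the original question or answer: each role entry in the response already has the form Role:<Company>:<Region>:<Role>, so company and region can be read from the string itself instead of from a separate lookup JSON, with malformed role entries rejected rather than guessed at. The names PermitParser, RoleGrant and Parsed are hypothetical; it assumes Java 16+ and that the "permit" array has already been deserialized into a List<String>.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; PermitParser, RoleGrant and Parsed are hypothetical names.
public class PermitParser {

    // Strict shape assumed from the page's samples: Role:<Company>:<Region>:<Role>
    private static final Pattern ROLE =
            Pattern.compile("Role:([A-Za-z0-9]+):([A-Z]{2,3}):([A-Za-z]+)");

    record RoleGrant(String company, String region, String role) {}
    record Parsed(List<RoleGrant> roles, List<String> resources) {}

    static Parsed parse(List<String> permit) {
        List<RoleGrant> roles = new ArrayList<>();
        List<String> resources = new ArrayList<>();
        for (String entry : permit) {
            if (entry == null || entry.isBlank()) {
                continue; // an empty entry grants nothing
            }
            if (!entry.startsWith("Role:")) {
                resources.add(entry); // ordinary resource such as "button1"
                continue;
            }
            Matcher m = ROLE.matcher(entry);
            if (!m.matches()) {
                // Fail closed: a role-like entry that does not match the expected
                // shape is rejected, never silently treated as a resource or a role.
                throw new IllegalArgumentException("Malformed role entry: " + entry);
            }
            roles.add(new RoleGrant(m.group(1), m.group(2), m.group(3)));
        }
        return new Parsed(List.copyOf(roles), List.copyOf(resources));
    }

    public static void main(String[] args) {
        // Constructed sample: the page's response plus a second role (multi-role user).
        List<String> permit = List.of("button1", "table2",
                "Role:Google:NA:Admin", "Submit", "Role:Alphabet:EU:Admin");
        Parsed p = parse(permit);
        p.roles().forEach(r -> System.out.println(
                r.company() + " / " + r.region() + " / " + r.role()));
        System.out.println("Resources: " + p.resources());
    }
}
```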