Restricted Admin Access and Field Checks in Authz #578
Open
@b-barry

Hello @eko,

I am working with Authz for managing authorizations across several applications, and I've encountered an issue related to restricted admin access and custom field checks.
I have several administrators for multiple applications, including Authz. I wish to allow these admins to access Authz, but with the restriction that they can only add new principals and assign them roles specific to their application. To implement this, I've added a custom field (e.g., application1=true) in the principal entity.

For role assignment, I've created roles with policies that check for the existence of this new field in the principal and restrict all access except for the principal list. However, when logging in with this new admin user, I expected to see the principal list but instead received an "access denied" error.

Questions/Requests:

  1. Use case feasibility: Is my use case possible with Authz's current capabilities? Specifically, can I restrict admin users to only add new principals and assign roles based on a custom field in the principal?
  2. Custom field checks: In addition to checking for equality, is there a way to implement a "contains" check for custom fields in Authz? This feature would be particularly useful for scenarios where a principal might belong to multiple applications.

Steps to Reproduce:

  1. Create a principal with a custom field (e.g., application1=true).
  2. Assign a role to this principal with policies that allow listing principals but restrict other accesses, checking for the custom field.
  3. Log in as the principal and attempt to access the principal list.

Expected Behavior:
The admin user should be able to see and manage the principal list based on the custom field's condition.

Actual Behavior:
Received an "access denied" error when attempting to access the principal list.

I appreciate any guidance or suggestions you can provide to resolve these issues or implement these features.
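
The following is an added illustration of the two checks the issue asks about, written for this page; it is not code from the Authz project and does not use its API, configuration format or resource names. It assumes a hypothetical policy model (Principal, FieldRule, Policy, IsAllowed), the operator names "equals" and "contains", resource names such as "principals.list" with a trailing ".*" wildcard, and the convention that a multi-valued custom field (applications=application1,application2) is stored comma-separated. The sample principals and policies are constructed data mirroring the issue's setup.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal carries free-form custom fields as in the issue (application1=true).
// A multi-valued field is stored comma-separated so "contains" can test membership.
type Principal struct {
	Fields map[string]string
}

type FieldRule struct {
	Field, Op, Value string // Op is "equals" or "contains" (assumed operator names)
}

// Policy grants Actions on Resources (trailing ".*" is a prefix wildcard) only when every rule holds.
type Policy struct {
	Resources, Actions []string
	Rules              []FieldRule
}

// Match evaluates one rule; a principal lacking the field never matches.
func (r FieldRule) Match(p Principal) bool {
	v, ok := p.Fields[r.Field]
	if !ok {
		return false
	}
	switch r.Op {
	case "equals":
		return v == r.Value
	case "contains":
		// Split on the delimiter: strings.Contains would let "application1" match "application10".
		for _, item := range strings.Split(v, ",") {
			if strings.TrimSpace(item) == r.Value {
				return true
			}
		}
	}
	return false
}

func resourceMatches(pattern, resource string) bool {
	if strings.HasSuffix(pattern, ".*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

func (pol Policy) covers(resource, action string) bool {
	resOK, actOK := false, false
	for _, r := range pol.Resources {
		resOK = resOK || resourceMatches(r, resource)
	}
	for _, a := range pol.Actions {
		actOK = actOK || a == action
	}
	return resOK && actOK
}

// IsAllowed is default-deny: a policy must cover resource and action, and all its rules must hold.
func IsAllowed(p Principal, policies []Policy, resource, action string) bool {
	for _, pol := range policies {
		if !pol.covers(resource, action) {
			continue
		}
		ok := true
		for _, rule := range pol.Rules {
			ok = ok && rule.Match(p)
		}
		if ok {
			return true
		}
	}
	return false
}

// SamplePolicies is constructed data: an application1 admin may list and create principals and
// nothing else; a principal whose applications field names application1 may list principals.
func SamplePolicies() []Policy {
	return []Policy{
		{Resources: []string{"principals.*"}, Actions: []string{"list", "create"},
			Rules: []FieldRule{{"application1", "equals", "true"}}},
		{Resources: []string{"principals.*"}, Actions: []string{"list"},
			Rules: []FieldRule{{"applications", "contains", "application1"}}},
	}
}

func main() {
	admin := Principal{Fields: map[string]string{"application1": "true"}}
	multi := Principal{Fields: map[string]string{"applications": "application1,application2"}}
	other := Principal{Fields: map[string]string{"applications": "application10"}}
	fmt.Println(IsAllowed(admin, SamplePolicies(), "principals.list", "list")) // true
	fmt.Println(IsAllowed(admin, SamplePolicies(), "roles.list", "list"))      // false: resource not covered
	fmt.Println(IsAllowed(multi, SamplePolicies(), "principals.list", "list")) // true: contains matches
	fmt.Println(IsAllowed(other, SamplePolicies(), "principals.list", "list")) // false: no substring match
}
```

Two points the example makes concrete. An equality rule on a multi-valued field fails as soon as the field holds more than one value (the "equals" check compares the whole string), which is why a membership check needs its own operator, and that operator should split on the delimiter rather than use a substring test. And because evaluation is default-deny, any resource or action a page requests outside the allowed set (here "roles.list") is refused; when narrowing a role to "principal list only", enumerate every resource and action the screens the admin is expected to reach actually call, or the admin will be denied before seeing the list.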
