Page created: 6 Nov 2019 |
Page updated: 25 Mar 2020
The Consent Service distinguishes privileged requesters from unprivileged requesters, and that distinction determines which operations a requester may perform on consent records. During the authorization phase, the Consent servlet inspects the bearer token claims (if a bearer token was presented) and the auth DN to decide whether the requester is privileged or unprivileged. The rules are summarized in the following table.
| Requester type | Description | Access determined by | Can create consent records | Can update consent records | Can delete consent records |
|---|---|---|---|---|---|
| Unprivileged | A requester with no authority to operate on consent records other than its own. | A requester is considered unprivileged if it meets none of the criteria for a privileged requester. If bearer token authentication is used, the access token must include the scope named by the unprivileged-consent-scope property of the Consent Service configuration. An unprivileged requester can only act on consent records whose subject DN matches the requester DN. | Yes. The subject/subjectDN and actor/actorDN values are set from the requester. | Yes, if the requester DN matches the subject DN. | No. |
| Privileged | A requester with the authority to perform any operation on any consent record. | With basic authentication, a requester is considered privileged if the requester DN either has the bypass-acl privilege or is listed in the service-account-dn property of the Consent Service configuration. With bearer token authentication, the access token must include the scope named by the privileged-consent-scope property of the Consent Service configuration. | Yes. | Yes. | Yes. |
Bearer token check
If a bearer token was used, the following checks are performed, in order:
- If the Consent Service's audience property is configured, the bearer token's audience claim must match the configured value; a token with a different or missing audience is not authorized.
- If the bearer token contains a scope matching the Consent Service's privileged-consent-scope property, the requester is considered privileged.
- Otherwise, the bearer token must contain a scope matching the Consent Service's unprivileged-consent-scope property, and the requester is considered unprivileged. A token carrying neither scope satisfies neither criterion and is not authorized.
Basic authentication check
If basic authentication is used, the following checks are performed, in order:
- If the auth DN has the LDAP privilege bypass-acl, the requester is privileged.
- If the auth DN is listed in the Consent Service's service-account-dn property, the requester is privileged.
- Otherwise, the requester is considered unprivileged. Unlike the bearer token path, there is no scope requirement: any successfully authenticated DN that is not privileged is treated as unprivileged.
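The following model encodes the bearer token check, the basic authentication check and the per-operation rules from the table as plain functions so that the outcome for a given request can be traced. It is an added illustration written for this page, not the Consent Service's own code. The property names mirror the configuration properties named above; the configuration values, DNs and token claims are constructed for the example, the requester DN for a bearer token is assumed to have been resolved by the caller, and the DN normalization is a deliberate simplification of LDAP matching rules.

```python
"""Illustrative model of the Consent Service's requester classification.

Added example, not the Consent Service's code. Config values, DNs and
claims below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ConsentServiceConfig:
    """The Consent Service properties consulted during authorization."""
    audience: Optional[str] = "https://consent.example.com"          # constructed
    privileged_consent_scope: str = "consent_admin"                  # constructed
    unprivileged_consent_scope: str = "consent"                      # constructed
    service_account_dn: frozenset = frozenset(
        {"cn=consent-svc,cn=Root DNs,cn=config"})                    # constructed


class AuthorizationError(Exception):
    """The request satisfies neither the privileged nor the unprivileged criteria."""


def normalize_dn(dn: str) -> str:
    # Simplified comparison for the example: case-insensitive, whitespace around
    # RDN separators ignored. It does not handle escaped commas or attribute
    # syntax-specific matching; a real LDAP server applies RFC 4514 rules.
    return ",".join(part.strip().lower() for part in dn.split(","))


def classify_bearer(cfg: ConsentServiceConfig, claims: dict) -> str:
    """Bearer token check. Returns 'privileged' or 'unprivileged', else raises."""
    if cfg.audience is not None:
        aud = claims.get("aud")
        # RFC 7519 allows 'aud' to be a single string or an array of strings;
        # a missing claim yields an empty list and therefore a rejection.
        audiences = [aud] if isinstance(aud, str) else list(aud or [])
        if cfg.audience not in audiences:
            raise AuthorizationError("audience claim does not match the configured audience")
    # 'scope' is normally a space-delimited string (RFC 6749); accept a list too.
    raw = claims.get("scope", "")
    scopes = set(raw.split()) if isinstance(raw, str) else set(raw)
    if cfg.privileged_consent_scope in scopes:
        return "privileged"
    if cfg.unprivileged_consent_scope in scopes:
        return "unprivileged"
    raise AuthorizationError("token carries neither consent scope")


def classify_basic(cfg: ConsentServiceConfig, auth_dn: str,
                   privileges: Iterable[str]) -> str:
    """Basic authentication check, driven by the auth DN's LDAP privileges."""
    if "bypass-acl" in set(privileges):
        return "privileged"
    service_accounts = {normalize_dn(d) for d in cfg.service_account_dn}
    if normalize_dn(auth_dn) in service_accounts:
        return "privileged"
    # No scope requirement on this path: every other authenticated DN is unprivileged.
    return "unprivileged"


def is_allowed(requester_type: str, requester_dn: str, operation: str,
               record_subject_dn: Optional[str] = None) -> bool:
    """Per-operation rules from the table. requester_dn is the DN the service
    attributes the request to (assumed already resolved for bearer tokens)."""
    if requester_type == "privileged":
        return True
    if operation == "create":
        # subject/subjectDN and actor/actorDN are forced to the requester, so the
        # record an unprivileged requester creates is always its own.
        return True
    if operation == "update":
        return (record_subject_dn is not None
                and normalize_dn(record_subject_dn) == normalize_dn(requester_dn))
    return False  # delete (or any other operation) is never allowed unprivileged


if __name__ == "__main__":
    cfg = ConsentServiceConfig()
    alice = "uid=alice,ou=people,dc=example,dc=com"
    kind = classify_bearer(cfg, {"aud": cfg.audience, "scope": "openid consent"})
    for op, subject in (("create", None), ("update", alice),
                        ("update", "uid=bob,ou=people,dc=example,dc=com"), ("delete", alice)):
        print(f"{kind} {op} on {subject}: {is_allowed(kind, alice, op, subject)}")
```

Note that the audience check runs before the scope checks, so a token with the privileged scope but the wrong audience is rejected outright rather than downgraded; conversely, a bearer token with the right audience but neither scope is also rejected, whereas on the basic authentication path an unrecognised DN is simply classified as unprivileged.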