docs(admin-ui): access control using cedarling docs

docs/admin/admin-ui/access-control.md

@@ -0,0 +1,196 @@
+---
+tags:
+  - administration
+  - admin-ui
+  - access control
+  - cedarling
+  - security
+---
+
+# Access Control in Admin UI
+
+The role of the user logged-in to Gluu Flex Admin UI decides if the user will have access to a certain Admin UI's feature or not. After user authentication the user's role and other claims are packed in bundle of tokens (access_token, id_token and userinfo_token). [Cedarling](https://docs.jans.io/stable/cedarling) PDP embedded with GUI, processes the tokens and decides if the action (like Read, Write or Delete) is allowed on this resource (feature). The Cedarling's Token Based Access Control (TBAC) is used for managing access control in Gluu Flex Admin UI.
+
+## Admin UI Features (Resources)
+
+The Admin UI features (or resources) are categorised into following parent groups. This categorization is done for resource grouping in cedar policies used for governing the authorization decision taken by Cedarling.
+
+- System and monitoring
+    - Dashboard
+    - Health
+    - License
+    - MAU
+    - Settings
+    - Security
+    - Webhooks
+    - Assests
+    - AuditLogs
+- AuthServer and configuration
+    - Clients
+    - Scopes
+    - Keys
+    - AuthServerProperties
+    - Logging
+    - SSA
+    - Authn
+    - ConfigAPIPropeties
+    - Sesisons
+- Identity and Access
+    - Users
+    - Scripts
+    - UserClaims
+- Service
+    - Cache
+    - Persistance
+    - SMTP
+    - SCIM
+    - FIDO
+    - SAML
+    - Lock
+
+In the Policy Store we use [default_entities](https://docs.jans.io/stable/cedarling/cedarling-policy-store/#default-entities) to map the parent group with the sub features. For e.g. here we are showing the default entity json to map the features under `System and monitoring` parent group.
+
+```json
+{
+	"1694c954f8d9": {
+		"uid": {
+			"type": "Gluu::Flex::AdminUI::Resources::Features",
+			"id": "Dashboard"
+		},
+		"attrs": {},
+		"parents": [
+			{
+				"type": "Gluu::Flex::AdminUI::Resources::ParentResource",
+				"id": "SystemAndMonitoring"
+			}
+		]
+	},
+	"2694c954f8d8": {
+		"uid": {
+			"type": "Gluu::Flex::AdminUI::Resources::Features",
+			"id": "License"
+		},
+		"attrs": {},
+		"parents": [
+			{
+				"type": "Gluu::Flex::AdminUI::Resources::ParentResource",
+				"id": "SystemAndMonitoring"
+			}
+		]
+	},
+	"3694c954f8d7": {
+		"uid": {
+			"type": "Gluu::Flex::AdminUI::Resources::Features",
+			"id": "MAU"
+		},
+		"attrs": {},
+		"parents": [
+			{
+				"type": "Gluu::Flex::AdminUI::Resources::ParentResource",
+				"id": "SystemAndMonitoring"
+			}
+		]
+	},
+	"4694c954f8d6": {
+		"uid": {
+			"type": "Gluu::Flex::AdminUI::Resources::Features",
+			"id": "Security"
+		},
+		"attrs": {},
+		"parents": [
+			{
+				"type": "Gluu::Flex::AdminUI::Resources::ParentResource",
+				"id": "SystemAndMonitoring"
+			}
+		]
+	},
+	"6494c954f8d6": {
+		"uid": {
+			"type": "Gluu::Flex::AdminUI::Resources::Features",
+			"id": "Settings"
+		},
+		"attrs": {},
+		"parents": [
+			{
+				"type": "Gluu::Flex::AdminUI::Resources::ParentResource",
+				"id": "SystemAndMonitoring"
+			}
+		]
+	},
+...
+}
+```
+
+## Managing Admin UI's Policy Store
+
+After installation, Admin UI uses a default Policy Store for GUI access control. The logged-in user can use the [Cedarling configuration screen](./configuration.md#cedarling-configuration) to configure a remote Policy Store generated by [Agama-Lab](https://cloud.gluu.org/agama-lab) using its URL. When the Policy Store URL is configured, the backend parses the Policy Store to determine the roles and the role-to-scope mappings. The Policy Store is used for managing GUI access control. The aggregated role-to-scope mapping (obtained by parsing the Policy Store) ensures that only the mapped scopes are added in the authorization tokens to access the appropriate protected Config API endpoints.
+
+## Policies
+
+The Cedar policies in the Policy Store empowers the administrator with following:
+
+### MAnage the access control in Admin UI
+
+The Cedar policies are rules which decides if the logged in user can perform Read, Write or Delete action on a feature or not. By writing the appropriate cedar policies the administrator can manage access control in Admin UI. For e.g the below policy allows the user with role **admin** to perform **Read**, **Write** or **Delete** actions on all the features under the parent group **AuthServerAndConfiguration**.
+
+```
+@id("AdminCanManageAuthServerConfiguration")
+permit (
+  principal in Gluu::Flex::AdminUI::Role::"admin",
+  action in [Gluu::Flex::AdminUI::Action::"read",
+  Gluu::Flex::AdminUI::Action::"write",
+  Gluu::Flex::AdminUI::Action::"delete"],
+  resource in Gluu::Flex::AdminUI::Resources::ParentResource::"AuthServerAndConfiguration"
+);
+```
+
+Below policy gives the users with role **viewer** the **Read** access to all the features under the **IdentityAndAccess** parent group.
+
+```
+@id("ViewerCanViewUserIdentityAndAccess")
+permit (
+  principal in Gluu::Flex::AdminUI::Role::"viewer",
+  action in Gluu::Flex::AdminUI::Action::"read",
+  resource in Gluu::Flex::AdminUI::Resources::ParentResource::"IdentityAndAccess"
+);
+```
+
+Below policy gives the users with role **auditor** the **Read**, **Write** and **Delete** access to only the **Clients** feature of Admin UI.
+
+```
+@id("AuditorCanManageClients")
+permit (
+  principal in Gluu::Flex::AdminUI::Role::"auditor",
+  action in [Gluu::Flex::AdminUI::Action::"read",
+  Gluu::Flex::AdminUI::Action::"write",
+  Gluu::Flex::AdminUI::Action::"delete"],
+  resource in Gluu::Flex::AdminUI::Resources::Features::"Clients"
+);
+```
+
+### Adding new Roles in Admin UI
+
+To add new Admin UI user roles, the administrator just need to introduce the policies associated with those roles in the Policy Store. On saving the Policy Store the Admin UI parses it and aggregates the roles and role-to-scope mapping. The aggregated data is saved into the persistence.
+
+### Writing policies for Admin UI
+
+The principal element in a [Cedar policy](https://docs.cedarpolicy.com/) represents a user, service, or other identity that can make a request to perform an action on a resource in your application. We will learn how to write an Admin UI policy using a sample scenario: a logged-in user with the **admin** role can manage the **Auth Server and its configuration**.
+
+```
+@id("AdminCanManageAuthServerConfiguration")
+permit (
+  principal in Gluu::Flex::AdminUI::Role::"admin",
+  action in [Gluu::Flex::AdminUI::Action::"read",
+  Gluu::Flex::AdminUI::Action::"write",
+  Gluu::Flex::AdminUI::Action::"delete"],
+  resource in Gluu::Flex::AdminUI::Resources::ParentResource::"AuthServerAndConfiguration"
+);
+```
+**Principal :**
+We are using the administrator's **role** as principal while writing the policies for Admin UI. Here `Gluu::Flex::AdminUI::` is the namespace in cedar schema where the `Role` entity resides. The **admin** surrounded by inverted commas is the Entity Id of the **Role** entity and is basically the role name.
+
+**Action :**
+In this policy, we are allowing **Read**, **Write** and **Delete** actions on the resource. Here we have `action in [Gluu::Flex::AdminUI::Action::"read", Gluu::Flex::AdminUI::Action::"write", Gluu::Flex::AdminUI::Action::"delete"]`. The `Gluu::Flex::AdminUI::` is the namespace where all action entities reside.
+
+**Resource :**
+As we have categorised Admin UI features (or resources) into the parent groups, `resource in Gluu::Flex::AdminUI::Resources::ParentResource::"AuthServerAndConfiguration"` allows the user with role **admin** to perform **Read**, **Write** and **Delete** actions on all the features under **AuthServerAndConfiguration** parent group. Here `Gluu::Flex::AdminUI::Resources::` is the namespace where **ParentResource** entity resides. The **ParentResource** entity represents the parent group and **AuthServerAndConfiguration** in inverted commas is the entity id representing name of the parent group.

docs/admin/admin-ui/auth-server-interaction.md

@@ -97,10 +97,10 @@ To ensure security and access control, Gluu Flex Admin UI leverages API protecti
 
 1. The Jans Config API's endpoints are protected and can only be accessed using a token (`AT2`) with the required scopes.
 2. To generate an AT2, the frontend requests the Token Server via the backend. **The Token Server and Authorization Server can be the same or different.**
-3. The Token Server employs an introspection script that validates the UJWT and refers to the role-scope mapping in the Token Server persistence.
-4. The introspection script validates the UJWT and includes the appropriate scopes in AT2 based on the user's role.
+3. The Token Server employs an update-token script that validates the UJWT and refers to the role-scope mapping in the Token Server persistence.
+4. The update-token script validates the UJWT and includes the appropriate scopes in AT2 based on the user's role.
 5. The frontend receives AT2 and associated scopes from the backend.
-6. Features in the frontend are enabled or disabled based on the scopes provided in AT2. Refer this [doc](./admin-menu.md/#gui-access-control) for GUI access control.
+6. The scopes provided in AT2 determine which Config API–protected endpoints the Admin UI can access. Refer this [doc](./admin-menu.md/#gui-access-control) for GUI access control.
 
 ```mermaid
 
@@ -116,9 +116,8 @@ Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2)
 Jans Token Server->>Admin UI Backend: AT2
 Admin UI Backend->>Gluu Flex Admin UI: AT2
 Gluu Flex Admin UI->>Gluu Flex Admin UI:extracts scopes from AT2
-Gluu Flex Admin UI->>Gluu Flex Admin UI: GUI access control based on scopes from AT2
+Gluu Flex Admin UI->>Gluu Flex Admin UI: AT2 determine which Config API–protected endpoints the Admin UI can access
 ```
-
 ## Accessing Config-API Endpoints
 
 To access config-api endpoints, the following steps are taken:

docs/admin/admin-ui/configuration.md

@@ -7,76 +7,35 @@ tags:
 
 # Gluu Flex Admin UI Configuration
 
-This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include role-permission mapping, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata.
+This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include Cedarling Configuration, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata.
 
 ## Configuration Components
 
-### Role-Permission Mapping
+### Cedarling Configuration
 
-[Role-permission](./admin-menu.md/) mapping defines which administrative roles are granted specific permissions within the Gluu Flex Admin UI. This mapping ensures that administrators can only access and modify functionalities relevant to their roles.
+Gluu Flex Admin UI uses [Cedarling](https://docs.jans.io/stable/cedarling/) for GUI access control. The role of the user is mapped with specific permissions (scopes) to ensure that the user can only access and modify functionalities relevant to their roles.
 
-The mapping is stored in json format with following attributes.
+The Cedarling Policy Store configuration screen helps to configure the Policy Store used for the Admin UI access control. The Gluu Flex Admin UI uses a default Policy Store after installation for GUI access control. You need to configure a remote Cedarling Policy Store using its URL and Admin UI backend will automatically synchronize roles and role-to-scope mapping as per the schema and policies defined in the Policy Store.
 
-**Roles**
+![image](../../assets/admin-ui/cedarling-config.png)
 
-|Attribute Name|Description|
-|--------------|-----------|
-|roles|Array of all roles|
-|role|Role name|
-|description| Role description|
-|deletable|If set to `true` then entire role-permission mapping with respect to the role can be deleted. Default value: `false`|
+#### Policy Retrieval Point
 
-**Permissions**
+This feature is useful for setting PRP. It helps to prevent MITM attacks in production. There are 2 mods.
 
-|Attribute Name|Description|
-|--------------|-----------|
-|permissions|Array of all available permissions|
-|permission|Permission name|
-|description| Permission description|
-|defaultPermissionInToken|If set to `true`, it indicates that permission will need authentication and valid role during `/token` request to include in token|
+1. `Remote`: In this mode, Admin UI will always use the remote policy store URL to initialize Cedarling, fetch policies, and schema.
 
-**Mapping**
+2. `Default`: It is recommended to set it to Default for production. If set to Default, it will use the Admin-UI storage for Cedarling authorization. Enable Default mode and use the refresh button to store or update GitHub policies on the Admin-UI Server.
 
-|Attribute Name|Description|
-|--------------|-----------|
-|rolePermissionMapping| List of all role-permission mapping|
-|role|Role name|
-|permission|Array of all permission mapped to the role|
-
-**Sample role-permission mapping stored in persistence**
+#### Steps to configure Remote Policy Store URL 
 
-```text
-{
-  "roles": [
-    {
-      "role": "sample-role",
-      "description": "role description",
-      "deletable": false
-    }
-  ],
-  "permissions": [
-    {
-      "permission": "sample-permission1",
-      "description": "permission1 description",
-      "defaultPermissionInToken": false
-    },
-    {
-      "permission": "sample-permission2",
-      "description": "permission2 description",
-      "defaultPermissionInToken": true
-    }
-  ],
-  "rolePermissionMapping": [
-    {
-      "role": "sample-role",
-      "permissions": [
-        "sample-permission1",
-        "sample-permission2"
-      ]
-    }
-  ]
-}
-```
+ 1. Fork the project [GluuFlexAdminUIPolicyStore](https://github.com/GluuFederation/GluuFlexAdminUIPolicyStore/tree/agama-lab-policy-designer).
+ 2. Open the forked repository using [Agama Lab](https://cloud.gluu.org/agama-lab).
+ 3. Make the required modifications in the policies for Admin UI access control and save the changes.
+ 4. Copy the Policy Store URL.
+ ![image](../../assets/admin-ui/admin-ui-policy-store.png)
+ 5. Open Cedarling Policy Store configuration screen on Admin UI and add the copied Policy Store URL in `Admin UI Remote Policy Store` field.
+ 6. Set `Policy Retrieval Point` field to `Remote` to use the remote Policy Store URL for the GUI access control.
 
 ### OIDC Client Details for Auth Server
 
@@ -118,6 +77,17 @@ The information is stored in json format with following attributes.
 |uiConfig|Object with UI configuration attributes|
 |sessionTimeoutInMins|The admin UI will auto-logout after a period of inactivity defined in this field.|  
 
+uiConfig 
+
+|Attribute Name|Description|
+|--------------|-----------|
+|sessionTimeoutInMins|Admin UI Frontend sesiion out time|
+|allowSmtpKeystoreEdit|Allow to edit SMTP keystore fileds. The default value is `true`.|
+|cedarlingLogType|Set embeded Cedarling log-type in Admin UI. The allowed values are `off` and `std_out`.|
+|auiPolicyStoreUrl|The remote Policy Store URL|
+|auiDefaultPolicyStorePath|The path of the default Policy Store json file on Config Api pod.|
+|cedarlingPolicyStoreRetrievalPoint|The retrieval point of the Policy Store. The allowed values are `default` and `remote`.|
+
 ### OIDC Client Details for License Server
 
 Access to the License APIs is managed through OIDC client details. These details allows the Gluu Flex Admin UI Backend to generated access token to allow the retrieval of license-related information using license APIs.
@@ -181,7 +151,12 @@ The information is stored in json format with following attributes.
     }
   },
   "uiConfig": {
-    "sessionTimeoutInMins": 30
+    "sessionTimeoutInMins": 30,
+    "allowSmtpKeystoreEdit": true,
+    "cedarlingLogType":"off",
+    "auiPolicyStoreUrl": "",
+    "auiDefaultPolicyStorePath": "./custom/config/adminUI/policy-store.json",
+    "cedarlingPolicyStoreRetrievalPoint": "default"
   },
   "licenseConfig": {
     "ssa": "...ssa in jwt format...",

mkdocs.yml

@@ -141,6 +141,7 @@ nav:
         - 'Introduction': 'admin/admin-ui/introduction.md'
         - 'Design & Implementation':
           - 'Auth Server Interaction': 'admin/admin-ui/auth-server-interaction.md'
+          - 'Access Control': 'admin/admin-ui/access-control.md'
         - 'Configuration': 'admin/admin-ui/configuration.md'
         - 'Logs': 'admin/admin-ui/logs.md'
         - 'Left Navigation Menu':