eIAM role requirements

The eIAM service provides a two-tier role concept for access management. Roles are administered in the eIAM-AM. A distinction is made between coarse-grained and fine-grained roles. An important reason for this two-tier concept is that no adjustments are necessary on the PEP when fine-grained roles are added or deleted in the eIAM-AM. A user's roles from the eIAM-AM are delivered to the application as attributes in a SAML assertion after the application has successfully submitted a SAML AuthnRequest to the PEP.

Example of coarse-grained and fine-grained roles in a SAML assertion to the application:

<saml2:Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role" a:OriginalIssuer="uri:eiam.admin.ch:feds" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AMT-SAMPLEAPPL1.ALLOW</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role" a:OriginalIssuer="uri:eiam.admin.ch:feds" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AMT-SAMPLEAPPL1.SACHBEARBEITER</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role" a:OriginalIssuer="uri:eiam.admin.ch:feds" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">AMT-SAMPLEAPPL1.TEAMLEITER</saml2:AttributeValue>
</saml2:Attribute>

Coarse-grained Role

A coarse-grained role controls whether a user is authorised to access the application at all. It is checked and enforced by the eIAM Web PEP. eIAM distinguishes between the coarse-grained Allow role (.ALLOW) and the coarse-grained Deny role (.DENY). If the user does not hold the coarse-grained Allow role required for the resource, the request is already blocked on the eIAM Web PEP. The request is likewise blocked if the BVA has set the coarse-grained Deny role for the user, regardless of whether the Allow role is present.

If the required coarse-grained role is missing, the eIAM Web PEP triggers the eIAM-AccessRequest feature, with which the user can request the missing authorisation.

A web application hosted outside the federal administration's networks must itself call the eIAM-AccessRequest feature when the required coarse-grained role is missing, so that the user can request the missing authorisation.

Comment
The application may also use the coarse-grained role for its own authorisation decisions if required, since it is delivered in the role information of the SAML assertion alongside the fine-grained roles.

Naming convention for coarse-grained roles in eIAM

The naming convention for coarse-grained roles in eIAM is standardised: the role consists of the application name as it appears in the eIAM-AM and the qualifier for the role, separated by a dot (".").

Coarse-grained Allow role:
<application name from eIAM-AM>.ALLOW

Coarse-grained Deny role:
<application name from eIAM-AM>.DENY

Fine-grained Roles

Fine-grained roles control access to the web screens and data of an application. They are passed to the application in the SAML assertion and evaluated there, not on the PEP. A user can hold one or more fine-grained roles for an application.

Naming Conventions for fine-grained Roles in eIAM

The naming convention for fine-grained roles in eIAM is standardised: the role consists of the application name as it appears in the eIAM-AM and the qualifier for the role, separated by a dot (".").

<application name from eIAM-AM>.<role qualifier>

Example from the assertion above: AMT-SAMPLEAPPL1.SACHBEARBEITER
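The following Python example, added here and not part of the eIAM documentation or any eIAM library, shows how an application can pick the role attributes out of the assertion and apply the two-tier rule described above: the coarse-grained ALLOW/DENY qualifiers gate access to the application, and the remaining qualifiers are the fine-grained roles the application uses for its own authorisation. The sample assertion is constructed from the three attributes shown on this page; the Assertion/AttributeStatement wrapper elements, the Decision class and the assumption that a role qualifier contains no dot are mine.

```python
"""Extract eIAM role attributes from a SAML 2.0 assertion and apply the
two-tier rule: coarse-grained ALLOW/DENY gate, then fine-grained roles.
Added example; assumes the assertion's signature has already been
verified by the application's SAML library."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Attribute name used by eIAM for role claims (from the assertion on this page).
ROLE_CLAIM = "http://schemas.eiam.admin.ch/ws/2013/12/identity/claims/role"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}
COARSE_QUALIFIERS = {"ALLOW", "DENY"}

# Constructed sample: the three role attributes from this page, wrapped in the
# AttributeStatement/Assertion elements they arrive in (wrapper is assumed).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}"
    xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{ROLE_CLAIM}" a:OriginalIssuer="uri:eiam.admin.ch:feds">
      <saml2:AttributeValue>AMT-SAMPLEAPPL1.ALLOW</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{ROLE_CLAIM}" a:OriginalIssuer="uri:eiam.admin.ch:feds">
      <saml2:AttributeValue>AMT-SAMPLEAPPL1.SACHBEARBEITER</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{ROLE_CLAIM}" a:OriginalIssuer="uri:eiam.admin.ch:feds">
      <saml2:AttributeValue>AMT-SAMPLEAPPL1.TEAMLEITER</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


@dataclass(frozen=True)
class Decision:
    allowed: bool          # may the user reach the application at all?
    reason: str            # why, for the application's audit log
    fine_roles: frozenset  # qualifiers left for the application's own checks


def extract_roles(assertion_xml: str) -> list[str]:
    """Return every AttributeValue of the eIAM role claim, in document order."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml2:Attribute[@Name='{ROLE_CLAIM}']/saml2:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, NS) if v.text]


def split_role(role: str) -> tuple[str, str]:
    """Split '<application name>.<qualifier>' at the last dot.
    Assumption: the qualifier itself never contains a dot."""
    app, sep, qualifier = role.rpartition(".")
    if not sep or not app or not qualifier:
        raise ValueError(f"role not in <application>.<qualifier> form: {role!r}")
    return app, qualifier


def authorize(roles: list[str], app_name: str) -> Decision:
    """Apply the coarse-grained gate for app_name, then collect fine-grained roles."""
    qualifiers: set[str] = set()
    for role in roles:
        app, qualifier = split_role(role)
        if app == app_name:  # ignore roles issued for other applications
            qualifiers.add(qualifier)
    # DENY wins over everything: the BVA has explicitly blocked the user.
    if "DENY" in qualifiers:
        return Decision(False, "coarse-grained DENY role set", frozenset())
    # No ALLOW: this is the state in which eIAM-AccessRequest is triggered.
    if "ALLOW" not in qualifiers:
        return Decision(False, "coarse-grained ALLOW role missing", frozenset())
    return Decision(True, "coarse-grained ALLOW role present",
                    frozenset(qualifiers - COARSE_QUALIFIERS))


if __name__ == "__main__":
    found = extract_roles(SAMPLE_ASSERTION)
    print(found)
    print(authorize(found, "AMT-SAMPLEAPPL1"))
    print(authorize(found + ["AMT-SAMPLEAPPL1.DENY"], "AMT-SAMPLEAPPL1"))
```

Two practical notes: the coarse-grained check is duplicated here only as defence in depth, because the eIAM Web PEP has already enforced it before the assertion reaches the application (a hosted-outside application, which must call eIAM-AccessRequest itself, would use the "ALLOW role missing" branch to do so); and `xml.etree` is used for brevity on an assertion that the SAML library has already validated, whereas XML from an untrusted party should go through a hardened parser.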