# Add group-based access control

To control access to your application based on the user's group, apply the Group-Based conditional authentication template (found in the Access Control section). Users who do not belong to any of the groups configured in the template are redirected to an error page.
## Scenario

Consider a scenario with two user groups, `manager` and `employee`. Login should be allowed to users assigned to these groups.
## Prerequisites

- You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.
- Create two user groups named `manager` and `employee` and assign user accounts to them. For instructions, see the following:
## Configure the login flow

To enable conditional authentication:

- On the Asgardeo Console, click Applications.
- Select the relevant application and go to its Login Flow tab.
- Add group-based access control using your preferred editor:

  To add group-based access control using the classic editor:

  - Click Start with default configuration to define the login flow starting with the username and password login.
  - Turn on Conditional Authentication by switching the toggle on.
  - Select the Access Control > Group-Based template.

  To add group-based access control using the visual editor:

  - Switch to the Visual Editor tab, and expand Predefined Flows > Conditional Login Flows > Access Control.
  - Click + ADD next to Group-Based to add the group-based access control script.
  - Click Confirm to replace any existing script with the selected predefined script.

  Important: As a security measure, Asgardeo does not allow the usage of two consecutive periods (`..`) in authentication scripts.

- Update the following parameter in the script.

  | Parameter | Description |
  |---|---|
  | `groupsToAllowAccess` | An array of user groups that can access the application. For this scenario, enter `manager` and `employee`. |

- Click Update to confirm.
## How it works

Shown below is the script of the group-based conditional authentication template for access control.
```javascript
// This script will allow access for any user who belongs
// to one of the given groups.
// If the user is a member of the following groups, the user will be given access.
var groupsToAllowAccess = ['manager', 'employee'];

// Error page to redirect unauthorized users,
// can be either an absolute url or relative url to server root, or empty/null.
// A null/empty value will redirect to the default error page.
var errorPage = '';

// Additional query params to be added to the above url.
// Hint: Use i18n keys for error messages
var errorPageParameters = {
    'status': 'Unauthorized',
    'statusMsg': 'You are not authorized to login to this application.'
};

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting authenticated subject from the first step.
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given groups.
            var isMember = isMemberOfAnyOfGroups(user, groupsToAllowAccess);
            if (!isMember) {
                sendError(errorPage, errorPageParameters);
            }
        }
    });
};
```
Let's look at how this script works.

- When the first step of the authentication flow is complete, the `onLoginRequest` function retrieves the user from the context.
- The user and the configured list of groups are passed to the `isMemberOfAnyOfGroups` function.
- The `isMemberOfAnyOfGroups` function, which is available in Asgardeo by default, verifies whether the given user belongs to any of the listed groups.
- If the user belongs to any of the configured groups, the user will be able to log in successfully. Otherwise, `sendError` redirects the user to the configured error page with the given parameters.
Note: Find out more about the scripting language in the Conditional Authentication API Reference.
## Try it out

Follow the steps given below.

- Access the application URL.
- Try to log in as a user who belongs to the specified groups. This user will successfully log in to the application.
- Log out of the application.
- Log in again as a user who does not belong to the specified groups. The user will see the following error.