Working with Claims from an OAuth2 domain
Claims are key/value pairs that contain information about a user. Bearer tokens carry the Claims, and TDV policies can be applied to those Claims to control access to specific data in the published TDV resources.
All the TDV functionality supported by Domain Groups is also supported by Claims (for example, Setting Resource Rights and Privileges, Row-Based and Column-Based Security Policy Assignments, Workload Management, etc.). Refer to the Administration Guide for details about this functionality.
Claims can be registered to an OAuth2 domain in TDV by using the “Add Claim” option from the “Group Management” screen. To do this:
1. From the SECURITY tab, choose Group Management.
2. Click Add Group.
3. Enter the Domain Name.
4. Enter the Claim Name. This is the claim that is part of the Bearer token.
5. Assign Rights and Privileges as needed.
6. Click OK.
Alternatively, you can define the field “Claim Info JSON” while creating the domain and use the “Edit External Groups” option in the Domain Management page to add the claims to your domain.
The Edit or Add External Claims window lists the currently available OAuth2 Claims; those Claims already selected for use within TDV are shown with a marked check box.
After adding an OAuth2 Claim to TDV, rights can be assigned and data sources can define privileges for the Claim to use resource definitions and data. In other words, Claim membership dictates the rights and privileges to use the TDV resources.
Adding a Claim to an OAuth2 Domain
Adding claims to an OAuth2 domain gives the TDV system a way to support differentiated access to, and use of, TDV-defined resources for selected claims without including the entire domain. Claims are essentially principals recognized by the domain.
Set appropriate rights and privileges for OAuth2 Claims in the same way that TDV groups and users are assigned rights and privileges. Privileges are assigned to Claims at the individual resource level so that data can be accessed through JDBC, ODBC, or Web services clients.
See Managing Security for TDV Resources for more information on assigning Rights and Privileges and defining Row Based Security rules. Claims are synonymous with TDV Groups, except that there are no individual users who belong to a Claim. The Claim itself acts as an identity, and its signature is verified before access to protected data is granted.
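The claim-as-principal model described above, sketched as an added example (not TDV code and not part of the original guide). It assumes the Bearer token is an HS256-signed JWT and that a token is matched to registered Claims by claim name; the key, claim names and token contents are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token (stand-in for the identity provider)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def principals_for(token: str, key: bytes, registered: set) -> set:
    """Registered claim names the token may act as; empty set if unverified."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm, reject "none"
            return set()
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return set()  # claims from an unverified token grant nothing
        claims = json.loads(b64url_decode(body_b64))
    except (ValueError, TypeError, AttributeError):
        return set()
    if not isinstance(claims, dict):
        return set()
    # A Claim has no member users: holding the claim is the membership.
    return {name for name in claims if name in registered}

if __name__ == "__main__":
    KEY = b"constructed-demo-key"                 # constructed sample key
    REGISTERED = {"sales_read", "finance_read"}   # hypothetical claim names
    good = make_token({"sub": "svc-report", "sales_read": True}, KEY)
    head, _, sig = good.split(".")
    swapped = b64url_encode(json.dumps({"finance_read": True}).encode())
    tampered = f"{head}.{swapped}.{sig}"          # payload changed, old signature
    print(principals_for(good, KEY, REGISTERED))
    print(principals_for(tampered, KEY, REGISTERED))
```

Because a Claim carries privileges without any per-user membership, the set of registered claim names is effectively the access list, so it is worth confirming which claims your identity provider actually issues before registering them.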
To add a claim from an OAuth2 domain
1. In Manager, choose SECURITY > Domain Management and select the OAuth2 domain by using the row selector at the left of the Domain table.
2. Click Edit External Groups at the bottom of the table.
The Add External Groups window displays all Claims in the OAuth2 domain.
3. Select those claims that you want to grant access to TDV resources.
You can use the navigation arrows and page numbers at the bottom of the window to display additional claims. You can also change the sort order by clicking the sort icon.
4. Click OK.
Removing a Claim from an OAuth2 Domain
Removing a claim from an OAuth2 domain deletes the OAuth2 claim and all implicit rights and privileges on the TDV Server.
To remove a claim from an OAuth2 domain
1. In Manager, choose SECURITY > Domain Management and use the row selector at the left of the Domain table to select the OAuth2 domain.
2. Click Edit External Groups.
The window displays all claims in the OAuth2 domain.
3. Select the claims to remove.
Use the navigation arrows and page numbers at the bottom of the window to display additional claims.
4. Click OK.
Viewing Claim Membership
A TDV administrator with the Read All Users right can review and monitor Claim membership from the Manager.
To view a Claim membership in an OAuth2 domain
1. In Manager, choose SECURITY > Group Management.
2. Click the Claim that you want to view, then click Edit Group to view or edit the Rights and Privileges assigned to the Claim.