Configure a mandatory application scope to define
application-specific authorization logic.
Before you begin
To use custom scope elements in your mandatory application scope, first
map the required scope elements to security checks. See
Mapping scope elements.
About this task
You can define a mandatory scope for your client application. When an
application attempts to access a protected resource, the security framework maps
the mandatory application scope to security checks. The framework runs these
checks (if any exist) in addition to the security checks of the requested resource
scope. Follow the outlined procedure to define a mandatory application scope.
Procedure
Define the mandatory application scope by using one of the following
alternative methods:
- Using the IBM MobileFirst™ Platform Operations Console (the console)
- Select your application version from the Applications
section of the console's navigation sidebar, and then select the application
Security tab.
- In the Mandatory Application Scope section, select
Create New.
- In the Configure Mandatory Application Scope dialog
window, select a scope element or security check from the items in the
Select elements and security checks list, and select
Add. The selection is from among custom scope elements
that were mapped for your application, custom security checks defined in
adapters that are deployed to the same MobileFirst Server instance as your application, and the predefined MobileFirst security
checks.
Repeat this step as needed to add more scope elements and security checks to the
scope.
To undo your configuration and eliminate the mandatory application
scope, in the Mandatory Application Scope section of the
console's application Security tab, delete all the scope
elements that you previously added.
- Editing the application-descriptor file
- Create a local copy of the application-descriptor JSON file. See Application configuration.
- Edit your local copy to define a mandatoryScope property
object, and set the property value to a scope string that contains a
space-separated list of your selected scope elements:
"mandatoryScope": "ScopeElement1 [ScopeElement2 ...]"
A scope element can be the name of a custom scope element that was mapped for your
application, a custom security check defined in an adapter that is deployed to
the same MobileFirst Server instance as your application, or a predefined MobileFirst security check.
For example, the following definition configures a mandatory application scope
that contains the predefined application-authenticity security check
(appAuthenticity) and a custom PincodeValidation scope element that was mapped
for the application:
"mandatoryScope": "appAuthenticity PincodeValidation"
- Deploy your copy of the application-descriptor JSON file to MobileFirst Server. See Application configuration.
To undo your configuration and eliminate the mandatory application
scope, create a new copy of the application-descriptor file, and delete the
mandatoryScope property definition or set the value to an empty
string. Then redeploy the descriptor file to the server.
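A pre-deployment check for the descriptor edit described above, added here as an example and not part of the product documentation: it reads a local copy of the application-descriptor JSON and reports when the mandatoryScope property is absent, empty, or missing a scope element that your policy requires, since either of the first two states eliminates the mandatory application scope. The function name, the sample descriptors, the required-element list, and the placement of mandatoryScope as a top-level property are assumptions of this example.

```python
import json

# Constructed sample descriptors; only "mandatoryScope" comes from the page.
# Its placement as a top-level property is an assumption of this example.
GOOD = '{"mandatoryScope": "appAuthenticity PincodeValidation"}'
BLANK = '{"mandatoryScope": ""}'
ABSENT = '{}'
WEAK = '{"mandatoryScope": "PincodeValidation  PincodeValidation"}'


def check_mandatory_scope(descriptor_text, required):
    """Return a list of problems; an empty list means the descriptor passes."""
    descriptor = json.loads(descriptor_text)
    if "mandatoryScope" not in descriptor:
        return ["mandatoryScope is absent: no mandatory application scope"]
    scope = descriptor["mandatoryScope"]
    if not isinstance(scope, str):
        return ["mandatoryScope must be a scope string, got %s"
                % type(scope).__name__]
    # A scope string is a space-separated list of scope elements.
    elements = scope.split()
    if not elements:
        return ["mandatoryScope is empty: no mandatory application scope"]
    problems = []
    # Lint only: repeated elements usually indicate an editing mistake.
    for name in sorted(set(elements)):
        if elements.count(name) > 1:
            problems.append("duplicate scope element: " + name)
    # Policy check: every element the team requires must be present.
    for name in required:
        if name not in elements:
            problems.append("required scope element missing: " + name)
    return problems


if __name__ == "__main__":
    for label, text in [("good", GOOD), ("blank", BLANK),
                        ("absent", ABSENT), ("weak", WEAK)]:
        print(label, check_mandatory_scope(text, ["appAuthenticity"]))
```

Run it against the local copy before you deploy the descriptor, and treat a non-empty result as a failed check.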
Results
After you successfully configure a mandatory application scope, you can see
your defined mandatory application scope in the Mandatory Application
Scope table on the application Security
console page. In addition, you can see the mandatory-scope property definition
in the application descriptor: in the console, go to the application
Configuration Files tab. In the
Application-Descriptor JSON File section you can see a
copy of the application-descriptor JSON file. Search for the
mandatoryScope property object in this file.