Plugin system for PIM-Perms with subsystem-specific permissions (PIM, Offline, IGA, PAM)

mi3guyc/pim-perms-plugins
PIM-Perms Plugins

Subsystem-specific permission definitions for PIM, Offline, IGA, and PAM systems.

What's in This Repository

This repository contains permission plugins for each major subsystem:

  • pim-perms-plugins - Plugin trait and registration system
  • pim-perms-plugin-pim - Privileged Identity Management (26 permissions)
  • pim-perms-plugin-offline - Offline Systems Management (30 permissions)
  • pim-perms-plugin-iga - Identity Governance & Administration (43 permissions)
  • pim-perms-plugin-pam - Privileged Access Management (31 permissions)

Quick Start

Prerequisites

  • Rust 1.70+
  • pim-perms-backend crates (models, core)

Build

# Build all plugins
cargo build --all

# Run tests
cargo test --all

# Lint
cargo clippy --all -- -D warnings

Structure

pim-perms-plugins/
├── Cargo.toml          # Workspace
├── crates/
│   ├── pim-perms-plugins/       # Plugin trait
│   ├── pim-perms-plugin-pim/
│   ├── pim-perms-plugin-offline/
│   ├── pim-perms-plugin-iga/
│   └── pim-perms-plugin-pam/
├── tests/              # Integration tests
└── test-utils/         # Shared test utilities

Documentation

Central Documentation: pim-perms-docs

Plugin-Specific:

Plugin System

Each plugin defines:

  1. Permissions: Resource + Action combinations
  2. Workflows: Approval chains for sensitive operations
  3. Custom Logic: Plugin-specific authorization rules

Example Plugin Structure

use pim_perms_plugins::PermissionPlugin;
// Assumed: the model types come from the pim-perms-models crate listed under Dependencies.
use pim_perms_models::{Permission, WorkflowDefinition};

pub struct PimPlugin;

impl PermissionPlugin for PimPlugin {
    // Plugin name; also the first component of every permission this plugin defines
    fn name(&self) -> &str {
        "pim"
    }

    // Resource + action combinations owned by this plugin
    fn permissions(&self) -> Vec<Permission> {
        vec![
            Permission::new("pim", "credential", "view"),
            Permission::new("pim", "credential", "create"),
            // ... more permissions
        ]
    }

    // Approval chains for sensitive operations
    fn workflows(&self) -> Vec<WorkflowDefinition> {
        vec![
            // Define approval workflows
        ]
    }
}

Permissions Overview

PIM Plugin (26 permissions)

  • Credentials: view, create, update, delete, checkout
  • Passwords: view, rotate, checkout, checkin
  • Discovery: view, create, update, delete, run
  • Jobs: view, create, update, delete, run, stop
  • Systems: view, create, update, delete, connect

Offline Plugin (30 permissions)

See OFFLINE_PLUGIN_SECURITY_PLAN.md for complete details.

  • Clients: view, create, update, delete, enroll
  • Identities: view, create, update, delete, approve
  • Groups: view, create, update, delete
  • Policies: view, create, update, delete, deploy
  • Recovery: view, initiate, approve, audit

IGA Plugin (43 permissions)

  • Events: view, create, update, delete, process
  • Destinations: view, create, update, delete, test
  • Mappings: view, create, update, delete
  • Queue: view, retry, delete, clear
  • Certifications: view, create, update, approve, reject
  • Compliance: view, reports, export

PAM Plugin (31 permissions)

  • Vaults: view, create, update, delete
  • Secrets: view, create, update, delete, checkout
  • Sessions: view, monitor, record, terminate
  • Break-Glass: use, approve, audit
  • JIT Access: request, approve, revoke

Testing

Each plugin has comprehensive tests:

  • Permission Definition Tests: Validate all permissions are properly defined
  • Workflow Tests: Test approval chain logic
  • Integration Tests: Test plugin registration and interaction with core

# Test specific plugin
cargo test -p pim-perms-plugin-offline

# Test all plugins
cargo test --all

# Check coverage
cargo tarpaulin --all

Dependencies

Plugins depend on the core backend:

[dependencies]
pim-perms-models = { git = "https://github.com/analog-pim/pim-perms-backend" }
pim-perms-core = { git = "https://github.com/analog-pim/pim-perms-backend" }
pim-perms-plugins = { path = "../pim-perms-plugins" }

Development

Adding a New Plugin

  1. Create new crate: cargo new --lib pim-perms-plugin-{name}
  2. Implement PermissionPlugin trait
  3. Define permissions for your subsystem
  4. Add workflows if needed
  5. Write tests
  6. Update workspace Cargo.toml

Adding Permissions to Existing Plugin

  1. Add permission definition in src/permissions.rs
  2. Add to plugin's permissions() method
  3. Add tests
  4. Update documentation
  5. If high-risk, add approval workflow
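The plugin trait, the registration step, and the "if high-risk, add approval workflow" rule above all come together in the following added example. It is not code from this repository or from the pim-perms-backend crates: the trait, the Permission and WorkflowDefinition shapes, the high_risk hook, and the PamPlugin sample (modelled on the PAM permission list in this README) are all assumptions. It shows what the Permission Definition, Workflow and Integration tests from the Testing section need to catch: duplicate or foreign permission ids, workflows that gate an undefined id, high-risk permissions shipped without a workflow, and a fail-closed authorization check that denies unknown or ungranted ids and enforces the approval count on gated ones.

```rust
// Added example, not the project's code: a stand-in plugin trait, a registry that
// loads plugins atomically, and the checks that matter when a plugin or a high-risk
// permission is added. All type and trait names here are assumptions.
use std::collections::{HashMap, HashSet};

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Permission { pub plugin: String, pub resource: String, pub action: String }

impl Permission {
    pub fn new(plugin: &str, resource: &str, action: &str) -> Self {
        Self { plugin: plugin.into(), resource: resource.into(), action: action.into() }
    }
    /// Canonical id used for grants and collision detection: "plugin:resource:action".
    pub fn id(&self) -> String { format!("{}:{}:{}", self.plugin, self.resource, self.action) }
}

/// Assumed shape of an approval workflow: the permission id it gates and approvals needed.
#[derive(Debug, Clone)]
pub struct WorkflowDefinition { pub gated_permission: String, pub required_approvals: u8 }

pub trait PermissionPlugin {
    fn name(&self) -> &str;
    fn permissions(&self) -> Vec<Permission>;
    fn workflows(&self) -> Vec<WorkflowDefinition> { Vec::new() }
    /// Ids that must not ship without a workflow (assumed hook; the README only says "if high-risk").
    fn high_risk(&self) -> Vec<String> { Vec::new() }
}

/// Constructed sample modelled on the PAM list above; not the real pim-perms-plugin-pam crate.
pub struct PamPlugin;

impl PermissionPlugin for PamPlugin {
    fn name(&self) -> &str { "pam" }
    fn permissions(&self) -> Vec<Permission> {
        vec![
            Permission::new("pam", "secret", "view"),
            Permission::new("pam", "secret", "checkout"),
            Permission::new("pam", "break-glass", "use"),
            Permission::new("pam", "break-glass", "approve"),
        ]
    }
    fn workflows(&self) -> Vec<WorkflowDefinition> {
        vec![WorkflowDefinition { gated_permission: "pam:break-glass:use".into(), required_approvals: 2 }]
    }
    fn high_risk(&self) -> Vec<String> { vec!["pam:break-glass:use".into()] }
}

#[derive(Debug, PartialEq)]
pub enum RegistryError {
    DuplicatePermission(String),          // id already taken, here or by an earlier plugin
    ForeignPermission(String),            // plugin declared an id under another plugin's name
    WorkflowForUnknownPermission(String), // workflow gates an id the plugin does not define
    UngatedHighRisk(String),              // high-risk id with no approval workflow
}

#[derive(Default)]
pub struct Registry {
    permissions: HashMap<String, Permission>,
    workflows: HashMap<String, WorkflowDefinition>,
}

impl Registry {
    /// Validates the whole plugin before committing, so a rejected plugin leaves the
    /// registry exactly as it was rather than half-registered. Returns the count added.
    pub fn register(&mut self, plugin: &dyn PermissionPlugin) -> Result<usize, RegistryError> {
        let mut staged = HashMap::new();
        for p in plugin.permissions() {
            let id = p.id();
            if p.plugin != plugin.name() { return Err(RegistryError::ForeignPermission(id)); }
            if self.permissions.contains_key(&id) || staged.insert(id.clone(), p).is_some() {
                return Err(RegistryError::DuplicatePermission(id));
            }
        }
        let mut staged_wf = HashMap::new();
        for w in plugin.workflows() {
            if !staged.contains_key(&w.gated_permission) {
                return Err(RegistryError::WorkflowForUnknownPermission(w.gated_permission));
            }
            staged_wf.insert(w.gated_permission.clone(), w);
        }
        for id in plugin.high_risk() {
            if !staged_wf.contains_key(&id) { return Err(RegistryError::UngatedHighRisk(id)); }
        }
        let added = staged.len();
        self.permissions.extend(staged);
        self.workflows.extend(staged_wf);
        Ok(added)
    }

    pub fn len(&self) -> usize { self.permissions.len() }

    /// Fail-closed: unknown or ungranted ids are denied; a gated id also needs enough approvals.
    pub fn is_allowed(&self, granted: &HashSet<String>, id: &str, approvals: u8) -> bool {
        if !self.permissions.contains_key(id) || !granted.contains(id) { return false; }
        self.workflows.get(id).map_or(true, |w| approvals >= w.required_approvals)
    }
}

fn main() {
    let mut reg = Registry::default();
    let added = reg.register(&PamPlugin).expect("constructed PAM plugin should register");
    let granted: HashSet<String> = ["pam:secret:view", "pam:break-glass:use"].iter().map(|s| s.to_string()).collect();
    println!("registered {added}; view: {}, break-glass with 0/2 approvals: {}/{}", reg.is_allowed(&granted, "pam:secret:view", 0),
        reg.is_allowed(&granted, "pam:break-glass:use", 0), reg.is_allowed(&granted, "pam:break-glass:use", 2));
}
```

Registration validates everything into staging maps and only then merges them, so a plugin that fails any check (including a duplicate id against a plugin registered earlier) leaves the registry untouched; the same checks are what a Permission Definition or Workflow test would assert on before a new plugin is added to the workspace.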

CI/CD

Same as the backend:

  • Auto-testing on PR
  • Auto-linting
  • Coverage checks (75%+ required for plugins)

Contributing

See Backend README for contribution guidelines.

Contact

See main PIM-Perms Documentation for project overview.
