Upgrade Realm admin to session admin

Hello, we have the following problem with AM 7.1.1. We are testing removing the tokens and session handle of a user through a REST call, but in order to have access to the user's active sessions we need to log in as root administrator. This is useful for internal testing, but for Prod it would be a security breach, as the amadmin and password would be exposed to the public. We thought of giving the session permissions to the Realm adminUser, but when we try to obtain the user's session information with this Realm AdminUser's credentials we do not have the permissions. How could we do this procedure?

The commands we use for the session are the following:
https://am.example.com:8443 (change for {{amUrl}})

Authentication as admin (we use the same for the realm admin user)
curl -k -X POST -H 'X-OpenAM-Username: amadmin' -H 'X-OpenAM-Password: password' -H 'Content-Type: application/json' -H 'Accept-API-Version: resource=2.1' {{amUrl}}/openam/json/realms/root/authenticate

Get session
curl -k \
  --request GET \
  --header "iPlanetDirectoryPro: XBVyw.AAJTSAAIwMQ…" \
  --header "Accept-API-Version: resource=3.1, protocol=1.0" \
  "{{amUrl}}/openam/json/realms/root/realms//sessions?_queryFilter=username%20eq%20%22%22%20and%20realm%20eq%20%22%2F%22"

Delete Session
curl -k \
  --request POST \
  --header "Content-Type: application/json" \
  --header "iPlanetDirectoryPro: AAIwMQ…" \
  --header "Accept-API-Version: resource=3.1, protocol=1.0" \
  --data '{
    "sessionHandles": [
      "shandle:f-D66Gk-t-An8H*"]
  }' \
  "{{amUrl}}/openam/json/realms/root/realms/realm/sessions/?_action=logoutByHandle"

In addition to the above, I also need to remove the refresh token via a REST call, but I can't find any documentation about it.

Hi Danft
For user admins to be able to remove sessions, they must have the following attribute in DS:

objectClass: iplanet-am-session-service
iplanet-am-session-destroy-sessions: [realm DN - see documentation below]

https://backstage.forgerock.com/docs/am/7.2/security-guide/securing-administration.html#delegate-realm-administration-revoke-sessions

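The same three calls from the question, scripted so that a delegated realm admin (not amadmin) runs them, as an added example that is not code from the thread. It queries the sessions endpoint under realms/root with a realm filter rather than the sub-realm path used in the question, and turns the 403 that a realm admin receives without the iplanet-am-session-destroy-sessions delegation from the reply into an explicit error. The AM URL, the account names realmadmin and bjensen, and the shape of the sessions query response (a result array whose entries carry a sessionHandle) are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

AM_URL = "https://am.example.com:8443/openam"  # {{amUrl}} from the question (placeholder)
API_VERSION = "resource=3.1, protocol=1.0"     # sessions endpoint version used in the question

def authenticate(username, password):
    """Zero-page login as in the question; returns the SSO token for iPlanetDirectoryPro."""
    req = urllib.request.Request(
        f"{AM_URL}/json/realms/root/authenticate", method="POST", data=b"",
        headers={"X-OpenAM-Username": username, "X-OpenAM-Password": password,
                 "Content-Type": "application/json", "Accept-API-Version": "resource=2.1"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["tokenId"]

def sessions_query_url(username, realm="/"):
    """List-sessions URL, with _queryFilter percent-encoded the way the question's URL is."""
    flt = f'username eq "{username}" and realm eq "{realm}"'
    return f"{AM_URL}/json/realms/root/sessions?_queryFilter={urllib.parse.quote(flt, safe='')}"

def session_handles(query_response):
    """sessionHandle values from a sessions query response (response shape assumed)."""
    return [s["sessionHandle"] for s in query_response.get("result", []) if "sessionHandle" in s]

def am_call(url, token, method="GET", body=None):
    """One authenticated call. A 403 is what a realm admin gets without the
    iplanet-am-session-destroy-sessions delegation described in the reply."""
    req = urllib.request.Request(url, method=method, data=body, headers={
        "iPlanetDirectoryPro": token, "Accept-API-Version": API_VERSION,
        "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise PermissionError("realm admin lacks session-destroy delegation") from e
        raise

def revoke_user_sessions(token, username, realm="/"):
    """Query the user's sessions, then log them all out by handle; returns the handles."""
    handles = session_handles(am_call(sessions_query_url(username, realm), token))
    if handles:  # body shape is the question's {"sessionHandles": [...]}
        am_call(f"{AM_URL}/json/realms/root/sessions/?_action=logoutByHandle", token,
                "POST", json.dumps({"sessionHandles": handles}).encode())
    return handles

if __name__ == "__main__":  # realmadmin / bjensen are placeholder account names
    print(revoke_user_sessions(authenticate("realmadmin", "password"), "bjensen"))
```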