Admin Console
Web-based administration console providing security monitoring, unified policy management (Policy Center), unified identity management (Access Center), Zero Trust operations, and AI-powered policy generation.
Menu Structure
This page documents the OSS contexa-iam admin surface. The current default menu tree is created by AdminMenuService and exposes five top-level groups: Dashboard, Policy, Access, IAM, and Security. Zero Trust operations are currently presented under the Security group rather than as a separate top-level menu.
| Menu Group | Pages | Purpose | Condition |
|---|---|---|---|
| Dashboard | /admin, /admin/, /admin/dashboard | Security metrics, Zero Trust decision breakdown, threat events | Always |
| Policy | /admin/policy-center (Create with integrated resources, List, Simulator, Matrix) | Unified policy operations including resource review, policy authoring, simulation, and matrix inspection | Always |
| Access | /admin/access-center (Users, Groups, Roles, Overview) | Unified access management for user, group, role, and effective permission review | Always |
| IAM | Users, Groups, Roles, Permissions, Role Hierarchies, Password Policy, System Settings, Menu Management | Identity entities, hierarchy, password rules, and admin menu/system configuration | Always |
| Security | Security Monitor, Blocked Users, Session Management, IP Management | Zero Trust operations, incident follow-up, session control, and IP rule management | Always |
Controllers
Most admin controllers are served under the /admin base path and return Thymeleaf template views. Some controllers (for example PasswordChangeController) use different base paths.
| Controller | Base Path | Purpose |
|---|---|---|
| DashboardController | /admin, /admin/, /admin/dashboard | Security overview with Zero Trust decision breakdown, authentication stats, and threat events |
| PolicyCenterController | /admin/policy-center | Unified policy management for resources, quick/manual/AI creation, list, simulator, and matrix |
| PolicyController | /admin/policies | Server-side policy CRUD route. Detail/edit flows render policydetails.html, while the current list experience is centered in Policy Center. |
| PolicyBuilderController | /admin/policy-builder | Legacy builder controller. The standalone admin/policy-builder.html template is not present in the current OSS tree, and authoring is centered in Policy Center. |
| ResourceAdminController | /admin/workbench/resources | Legacy resource-workbench route. The controller remains, but current OSS resource review is centered in Policy Center and the standalone admin/resource-workbench.html template is absent. |
| AccessCenterController | /admin/access-center | Unified access management for users, groups, roles, CRUD subsets, and overview analytics |
| SecurityMonitorController | /admin/security-monitor | Real-time security event viewer with dashboard drill-down filters |
| UserManagementController | /admin/users | User CRUD with group assignment |
| GroupController | /admin/groups | Group CRUD with role assignment |
| RoleController | /admin/roles | Role CRUD with permission assignment |
| PermissionController | /admin/permissions | Permission CRUD with managed resource linking |
| RoleHierarchyController | /admin/role-hierarchies | Role hierarchy management for permission inheritance |
| PasswordPolicyController | /admin/password-policy | Password policy configuration (length, complexity, special characters) |
| SystemSettingsController | /admin/system-settings | Administrative system settings for the OSS admin surface |
| AdminMenuController | /admin/menu-management | Admin menu management for the current menu tree |
| BlacklistController | /admin/blacklist | Blocked user management with resolution workflows |
| IpManagementController | /admin/ip-management | IP access rules (ALLOW/DENY) with CIDR support and expiration |
| SessionManagementController | /admin/session-management | Active session tracking with forced invalidation and CSV export |
| PasswordChangeController | /password-change | Password change form with policy validation |
Policy Center
Access: /admin/policy-center
The Policy Center is the unified hub for current OSS policy operations. The current OSS template exposes four operator surfaces: Create, List, Simulator, and Matrix. Resource review and permission definition are integrated into the Create surface; older routes such as /admin/workbench/resources and /admin/policy-builder still exist in code, but the primary OSS UI is policy-center.html.
Create Surface (Resources + Policy Creation)
The Create surface combines resource review/definition with the current policy creation modes.
- Resources area: Review discovered resources, define permissions, exclude or restore resources, and launch policy creation from the selected resource context.
- Quick Mode: Role-permission mapping with search and chip-based selection. Creates a basic ALLOW policy.
- Manual Mode: Full policy form with dynamic Target (URL/METHOD), Rule, and Condition (SpEL) editing. Directly creates Policy/PolicyTarget/PolicyRule/PolicyCondition entities.
- AI Mode: Assisted policy draft generation inside Policy Center using current roles, permissions, conditions, and policy context. The generated draft remains subject to the normal save, approval, and activation rules.
List Surface
Server-side paginated policy list with keyword search. Edit and delete actions are wired through POST-based form flows and detail pages.
Simulator Surface
Runs policy what-if checks against selected users, permissions, and conditions using the simulator APIs exposed from PolicyCenterController.
Matrix Surface
Builds the policy matrix view through the matrix APIs exposed by PolicyCenterController and PolicyMatrixService.
Security Monitor
Access: /admin/security-monitor
Real-time security event viewer based on the audit_log table. All queries use DB-level pagination to handle millions of records.
Dashboard Drill-Down
Dashboard links navigate to Security Monitor with pre-applied filters. The current dashboard exposes both Zero Trust decision cards and security indicator cards.
| Dashboard Indicator | Filter | Query |
|---|---|---|
| ZT Allow | ZT_ALLOW | eventCategory = 'SECURITY_DECISION' and decision = 'ALLOW' |
| ZT Challenge | ZT_CHALLENGE | eventCategory = 'SECURITY_DECISION' and decision = 'CHALLENGE' |
| ZT Block | ZT_BLOCK | eventCategory = 'SECURITY_DECISION' and decision = 'BLOCK' |
| ZT Escalate | ZT_ESCALATE | eventCategory = 'SECURITY_DECISION' and decision = 'ESCALATE' |
| After-hours Access | AFTER_HOURS | Events outside 09:00-18:00 or on weekends |
| AI Security Analysis | SECURITY_DECISION | eventCategory = 'SECURITY_DECISION' |
| Admin Override | ADMIN_OVERRIDE | eventCategory = 'ADMIN_OVERRIDE' |
| Distinct IPs | DISTINCT_IP | Distinct client IP grouping over the selected time window |
| Average Risk Score | HIGH_RISK | Current implementation drills into records where riskScore >= 0.4 |
| Security Errors | SECURITY_ERROR | eventCategory = 'SECURITY_ERROR' |
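The drill-down mapping above, as an added example that is not contexa-iam code: each filter name becomes a predicate over constructed audit_log rows, including the after-hours window and the riskScore >= 0.4 threshold. The row field names (eventCategory, decision, riskScore, clientIp, timestamp) and the use of UTC for the 09:00-18:00 window are assumptions.

```javascript
// Added example, not contexa-iam code: the Security Monitor drill-down
// filters expressed as predicates over constructed audit_log rows.
// Field names and the UTC business-hours window are assumptions.
const BUSINESS_START_HOUR = 9;  // 09:00 inclusive
const BUSINESS_END_HOUR = 18;   // 18:00 exclusive

function isAfterHours(timestamp) {
  const d = new Date(timestamp);
  const day = d.getUTCDay();    // 0 = Sunday, 6 = Saturday
  if (day === 0 || day === 6) return true;
  const hour = d.getUTCHours();
  return hour < BUSINESS_START_HOUR || hour >= BUSINESS_END_HOUR;
}

const decision = (d) => (e) =>
  e.eventCategory === 'SECURITY_DECISION' && e.decision === d;

// One predicate per drill-down filter name used by the dashboard links.
const FILTERS = {
  ZT_ALLOW: decision('ALLOW'),
  ZT_CHALLENGE: decision('CHALLENGE'),
  ZT_BLOCK: decision('BLOCK'),
  ZT_ESCALATE: decision('ESCALATE'),
  AFTER_HOURS: (e) => isAfterHours(e.timestamp),
  SECURITY_DECISION: (e) => e.eventCategory === 'SECURITY_DECISION',
  ADMIN_OVERRIDE: (e) => e.eventCategory === 'ADMIN_OVERRIDE',
  HIGH_RISK: (e) => typeof e.riskScore === 'number' && e.riskScore >= 0.4,
  SECURITY_ERROR: (e) => e.eventCategory === 'SECURITY_ERROR',
};

function applyFilter(filterName, events) {
  const pred = FILTERS[filterName];
  if (!pred) throw new Error(`unknown drill-down filter: ${filterName}`);
  return events.filter(pred);
}

// DISTINCT_IP is a grouping over the window rather than a row predicate.
function distinctIps(events) {
  return new Set(events.map((e) => e.clientIp));
}

// Constructed sample rows (2024-03-12 is a Tuesday, 2024-03-16 a Saturday).
const SAMPLE_EVENTS = [
  { id: 1, eventCategory: 'SECURITY_DECISION', decision: 'ALLOW', riskScore: 0.1, clientIp: '10.0.0.1', timestamp: '2024-03-12T10:30:00Z' },
  { id: 2, eventCategory: 'SECURITY_DECISION', decision: 'BLOCK', riskScore: 0.8, clientIp: '10.0.0.2', timestamp: '2024-03-12T22:15:00Z' },
  { id: 3, eventCategory: 'ADMIN_OVERRIDE', decision: null, riskScore: 0.5, clientIp: '10.0.0.1', timestamp: '2024-03-16T11:00:00Z' },
  { id: 4, eventCategory: 'SECURITY_ERROR', decision: null, riskScore: 0.4, clientIp: '10.0.0.3', timestamp: '2024-03-13T09:00:00Z' },
];
```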
Dashboard
The Dashboard (/admin, /admin/, /admin/dashboard) provides a comprehensive security overview with data aggregated from audit_log over the last 24 hours.
Sections
- Policy Status: Total policies, active resources, and protection coverage
- Zero Trust Decisions: Donut chart with ALLOW/CHALLENGE/BLOCK/ESCALATE/DENY breakdown and drill-down cards for ALLOW/CHALLENGE/BLOCK/ESCALATE
- Authentication Stats: Semi-circle gauge showing success/failure ratio
- Security Indicators: Drill-down links for after-hours access, security decision events, admin overrides, distinct IPs, high-risk records, and security errors
- Threat Events: Recent high-risk events with direct links to Security Monitor detail
- Blocked Users: Recently blocked users by the Zero Trust engine
Access Center
Access: /admin/access-center
Unified interface for managing the entire identity chain (User -> Group -> Role -> Permission) in a single tabbed view. The current template exposes four tabs: Users, Groups, Roles, and Overview.
Users Tab
Search users and manage their group and direct-role assignments. User detail shows groups, direct roles, group-inherited roles, and effective permissions. When assigning direct roles, the current client can also persist CRUD subsets per role through UserRolePermission.
| Endpoint | Method | Description |
|---|---|---|
| /admin/access-center/api/users | GET | Search users by keyword |
| /admin/access-center/api/users/{userId}/detail | GET | User detail with groups, direct roles, group roles, and effective permissions |
| /admin/access-center/api/users/{userId}/groups | POST | Update user group assignments |
| /admin/access-center/api/users/{userId}/roles | POST | Update direct role assignments and their CRUD subsets |
Groups Tab
View all groups with assigned roles and current members. Group-role mappings are updated here, and the current client can also persist CRUD subsets per group-role pair through GroupRolePermission.
| Endpoint | Method | Description |
|---|---|---|
| /admin/access-center/api/groups | GET | List all groups |
| /admin/access-center/api/groups/{groupId}/detail | GET | Group detail with roles and members |
| /admin/access-center/api/groups/{groupId}/roles | POST | Update group role assignments and their CRUD subsets |
Roles Tab
View all roles with their permissions and directly assigned users. This tab updates the permission set of a role.
| Endpoint | Method | Description |
|---|---|---|
| /admin/access-center/api/roles | GET | List all roles |
| /admin/access-center/api/roles/{roleId}/detail | GET | Role detail with permissions and directly assigned users |
| /admin/access-center/api/roles/{roleId}/permissions | POST | Update role permission assignments |
Overview Tab
The Overview tab shows current counts for users, groups, roles, and permissions, plus a summary diagram explaining the User -> Group -> Role -> Permission structure.
Identity Management
Standard CRUD operations for Users (/admin/users), Groups (/admin/groups), Roles (/admin/roles), and Permissions (/admin/permissions).
The access chain is User -> Group -> Role -> Permission. Users inherit permissions through group membership and direct role assignment.
Role Hierarchies
Access: /admin/role-hierarchies
Parent roles automatically inherit all permissions from child roles. The hierarchy is resolved by Spring Security's RoleHierarchy and considered during CustomDynamicAuthorizationManager runtime evaluation.
Password Policy
Access: /admin/password-policy
Configures password rules used during registration and password change flows.
System Settings
Access: /admin/system-settings
System-wide IAM settings exposed in the OSS admin surface.
Menu Management
Access: /admin/menu-management
Administrative menu tree management for the current admin navigation structure.
Zero Trust Operations
Security Monitor
Access: /admin/security-monitor
Real-time audit log viewer with time-range filters (1h/6h/24h/3d), category filters (AI Analysis, Auth Failure, Admin Override), and DB-level pagination for millions of records.
Blocked Users
Access: /admin/blacklist
Manages users blocked by the Zero Trust engine. Supports filtering by status (BLOCKED, UNBLOCK_REQUESTED, RESOLVED, TIMEOUT_RESPONDED) and resolution workflows by administrators.
Security Management
IP Management
Access: /admin/ip-management
Manage IP-based access rules with ALLOW/DENY types. Supports IPv4/IPv6 addresses and CIDR notation. Rules can have optional expiration dates and can be toggled on/off. Export rules to CSV.
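The rule semantics described above (ALLOW/DENY, IPv4 and IPv6 with CIDR, optional expiration, on/off toggle), as an added example that is not contexa-iam code. The rule field names, the precedence (an active matching DENY wins over ALLOW) and the 'NO_MATCH' result when no rule applies are assumptions.

```javascript
// Added example, not contexa-iam code: evaluates IP Management style rules
// against a client address. Field names, DENY-over-ALLOW precedence and the
// 'NO_MATCH' fall-through are assumptions.
function ipToBigInt(ip) {
  if (ip.includes(':')) {
    // IPv6: expand the single '::' into the missing zero hextets.
    const [head, tail = ''] = ip.split('::');
    const h = head ? head.split(':') : [];
    const t = tail ? tail.split(':') : [];
    const missing = 8 - h.length - t.length;
    if (missing < 0 || (missing > 0 && !ip.includes('::'))) throw new Error(`bad IPv6 ${ip}`);
    const parts = [...h, ...Array(missing).fill('0'), ...t];
    return parts.reduce((acc, p) => (acc << 16n) | BigInt(parseInt(p, 16)), 0n);
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error(`bad IPv4 ${ip}`);
  return octets.reduce((acc, o) => (acc << 8n) | BigInt(Number(o)), 0n);
}

function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split('/');
  const v6 = net.includes(':');
  if (v6 !== ip.includes(':')) return false;   // address family mismatch never matches
  const bits = v6 ? 128 : 32;
  const len = lenStr === undefined ? bits : Number(lenStr);
  if (!(len >= 0 && len <= bits)) throw new Error(`bad prefix ${cidr}`);
  const all = (1n << BigInt(bits)) - 1n;
  const mask = all ^ ((1n << BigInt(bits - len)) - 1n);   // top `len` bits set
  return (ipToBigInt(ip) & mask) === (ipToBigInt(net) & mask);
}

function evaluateIpRules(rules, clientIp, now = new Date()) {
  // Disabled and expired rules never participate in the decision.
  const active = rules.filter((r) =>
    r.enabled && (!r.expiresAt || new Date(r.expiresAt) > now) && inCidr(clientIp, r.cidr));
  if (active.some((r) => r.type === 'DENY')) return 'DENY';
  if (active.some((r) => r.type === 'ALLOW')) return 'ALLOW';
  return 'NO_MATCH';
}

// Constructed rules: the expired DENY and the disabled DENY must be ignored.
const SAMPLE_RULES = [
  { cidr: '10.0.0.0/8', type: 'ALLOW', enabled: true, expiresAt: null },
  { cidr: '10.13.0.0/16', type: 'DENY', enabled: true, expiresAt: '2024-01-01T00:00:00Z' },
  { cidr: '10.13.37.0/24', type: 'DENY', enabled: false, expiresAt: null },
  { cidr: '2001:db8::/32', type: 'DENY', enabled: true, expiresAt: null },
];
```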
Session Management
Access: /admin/session-management
Monitor active user sessions with pagination and search. Displays session ID, username, client IP, user agent, login time, and last activity. Supports forced session invalidation (single session or all sessions for a user). Export sessions to CSV.
Password Policy
Access: /admin/password-policy
Configure password policy rules: minimum/maximum length, uppercase requirement, lowercase requirement, digit requirement, and special character requirement. Policy rules are enforced during user registration and password changes.
AI Policy Generation
The AI policy generation system uses SSE streaming to create policies from natural language requirements.
API Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /admin/api/ai/policies/generate/stream | POST | SSE streaming policy generation from natural language |
| /admin/api/ai/policies/generate | POST | Synchronous policy generation |
| /admin/api/policies/build-from-business-rule | POST | Save generated policy to database |
How It Works
- User enters a natural language requirement (e.g., "Allow developers to access /api/** during business hours")
- AdvancedPolicyGenerationLab enriches the request with all available roles, permissions, and conditions from the database
- PolicyGenerationContextRetriever searches the vector DB for similar policy patterns (RAG)
- AI generates a PolicyResponse with roleIds, permissionIds, conditions, and ID-to-name mappings
- Frontend validates the response against available items and renders a preview
- User confirms and saves: BusinessPolicyService creates Policy + PolicyTarget + PolicyRule + PolicyCondition entities
- CustomDynamicAuthorizationManager reloads and the policy takes effect immediately
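The frontend validation step above, as an added example that is not contexa-iam code: a generated PolicyResponse is accepted for preview only if every roleId, permissionId and condition it names exists in the catalogue loaded from the database, and its ID-to-name mapping agrees with that catalogue. The shape of `available` and the mapping field names (roleNames, permissionNames) are assumptions.

```javascript
// Added example, not contexa-iam code: reject an AI-generated PolicyResponse
// that references IDs the database does not have, or that labels an ID with
// the wrong name. `available` shape and roleNames/permissionNames are assumptions.
function validatePolicyResponse(resp, available) {
  const errors = [];
  const roleIds = new Set(available.roles.map((r) => r.id));
  const permIds = new Set(available.permissions.map((p) => p.id));
  const condIds = new Set(available.conditions.map((c) => c.id));

  // Every ID the model returned must exist; hallucinated IDs are rejected.
  for (const id of resp.roleIds || []) {
    if (!roleIds.has(id)) errors.push(`unknown roleId ${id}`);
  }
  for (const id of resp.permissionIds || []) {
    if (!permIds.has(id)) errors.push(`unknown permissionId ${id}`);
  }
  for (const id of resp.conditions || []) {
    if (!condIds.has(id)) errors.push(`unknown conditionId ${id}`);
  }

  // The model's ID-to-name mapping must agree with the database, so the
  // preview cannot show one role name while the draft binds a different role.
  const checkNames = (mapping, items, kind) => {
    for (const [id, name] of Object.entries(mapping || {})) {
      const real = items.find((it) => String(it.id) === id);
      if (real && real.name !== name) {
        errors.push(`${kind} ${id} is '${real.name}', not '${name}'`);
      }
    }
  };
  checkNames(resp.roleNames, available.roles, 'roleId');
  checkNames(resp.permissionNames, available.permissions, 'permissionId');

  // A draft that binds no role or grants no permission is not a usable policy.
  if (!(resp.roleIds || []).length) errors.push('policy binds no roles');
  if (!(resp.permissionIds || []).length) errors.push('policy grants no permissions');

  return { valid: errors.length === 0, errors };
}

// Constructed catalogue, standing in for what Policy Center loads from the database.
const AVAILABLE = {
  roles: [{ id: 1, name: 'ROLE_DEVELOPER' }, { id: 2, name: 'ROLE_ADMIN' }],
  permissions: [{ id: 10, name: 'API_READ' }],
  conditions: [{ id: 100, name: 'BUSINESS_HOURS' }],
};
```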
Admin Console Architecture
The current OSS admin surface combines navigation groups and operational areas. The boxes below reflect the current menu tree and the major integrated workspaces.
Getting Started
A complete walkthrough from deployment to fully dynamic authorization:
| Step | Action | Details |
|---|---|---|
| 1 | Deploy your application | Resource Scanner automatically discovers all endpoints |
| 2 | Open Policy Center (Create tab / integrated resources area) | Review discovered resources with inline editing |
| 3 | Define permissions | Click "Create Permission & Policy" for resources that need authorization |
| 4 | Create policies | Use Quick Mode (role-permission mapping), Manual Mode (Target/Rule/Condition), or AI Mode (natural language) |
| 5 | Verify | Policy takes effect immediately via hot-reload. Test with different user roles. |
| 6 | Monitor | Use Dashboard and Security Monitor for real-time security visibility |
Configuration Properties
```yaml
contexa:
  iam:
    admin:
      rest-docs-path: /docs/index.html # Path to REST API documentation
```