HI, On Fri, Sep 1, 2017 at 12:55 AM, Johann Nallathamby <joh...@wso2.com> wrote:
> IAM Team, > > Currently we don't have a exclusive permission to login to the user > portal; we use "/permission/admin/login". I think we need to have a > dedicated permission for that. Why? > > 1. No way to allow users to login to user portal but restrict users from > logging in to management console. > > 2. We could give this new permission to "INTERNAL/everyone" role. So that > any new users added to the system, via admin console, SCIM, Self sign-up or > JIT provisioning, will be able to login to the user portal. If we don't > want that we can simply take off that permission from the > "INTERNAL/everyone" role. > > I could think of further improving 2 above, by having separate roles for > each of the following scenarios. > a) Admin created users (Resident SP) - one role for all > b) JIT provisioned users - one role per IdP > c) Self signup users - we already have "selfsignup" role from IS 5.3.0 > onwards. > d) External service provider created users via SCIM - one role per SP > All the above roles can have the new permission, and selectively taken off > if not needed. In addition we can use these roles to manage permissions for > these well known groups of users who came from the same source. > > I stumbled upon this issue when I was trying to do "Email verification and > password request" scenario. Once I click the link in the email that was > sent to my inbox, and confirm, and update my new password and confirm it, I > was sent to the user portal to login. But since I didn't have the required > authorization setup I failed to login. Bit of a bad user experience there. > > Shall we try to introduce a new permission for user portal and give it by > default to "INTERNAL/everyone" for IS 5.4.0? > -1 for giving permission to "INTERNAL/everyone" INTERNAL/everyone is a virtual Role that used to represent all users. for example all the federated users also considered as users in INTERNAL/everyone Role. But agree with johan for having different permission for dashboard login. And better if system admin do it manually. And there is another concern with the permission, from the dashboard we are invoking several admin services so those services also should work with this new permission. Thanks, Ishara > Thanks & Regards, > Johann. > > -- > > *Johann Dilantha Nallathamby* > Senior Lead Solutions Engineer > WSO2, Inc. > lean.enterprise.middleware > > Mobile - *+94777776950* > Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* > -- Ishara Karunarathna Associate Technical Lead WSO2 Inc. - lean . enterprise . middleware | wso2.com email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
