Hi all,

Thank you for your suggestions.

> I have a few concerns regarding validating the subscriber permissions of
> the input application owner using the default subscriber role (Internal
> subscriber). Since the REST API and portal access are based on the
> scope-role mapping which is maintained in tenant-conf.json, a subscriber
> user does not necessarily have the *Internal/subscriber* role. If a new
> role mapping to app management, subscriptions related scopes has been
> introduced with custom roles, then the validation should be done against
> those roles as well.

I agree with you. For previous versions, we have a default subscriber role in the configuration file and checked role-based permission for a particular feature. From 3.1.0 onwards, we have a scope-role mapping. In this case, we cannot validate the user role.

> Hence, we should be validating whether any of the roles assigned to that
> particular user has bare scope based minimum access to API subscriptions,
> app management resources. So the validation should be based on the
> role-scope mapping.
>
> ie: If the user's role 'roleA' has role-scope mappings for 'apim:subscribe'
> and 'apim:app_manage' scopes, then that particular user is eligible as a
> new owner of a given application.
> WDYT?

Yes, we need to validate against the scope.

Thanks & Regards,

*S.Meruja* | Software Engineer | WSO2 Inc.
(m) +94779650506 | Email: [email protected]
Linkedin: https://www.linkedin.com/in/meruja
Medium: https://medium.com/@meruja

_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
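The scope-based ownership check discussed in this thread, written out as an added illustration (not code from the WSO2 project or from any participant). It assumes a tenant-conf.json whose RESTAPIScopes section lists Scope entries with a Name and a comma-separated Roles string; the roles roleA and roleB and the scope values are constructed sample data.

```python
import json

# Constructed excerpt in the shape of tenant-conf.json's RESTAPIScopes section
# (assumption: "Scope" entries with a "Name" and comma-separated "Roles").
TENANT_CONF = json.loads("""
{
  "RESTAPIScopes": {
    "Scope": [
      {"Name": "apim:subscribe",  "Roles": "Internal/subscriber,roleA,roleB"},
      {"Name": "apim:app_manage", "Roles": "Internal/subscriber,roleA"},
      {"Name": "apim:api_view",   "Roles": "Internal/publisher"}
    ]
  }
}
""")

# Minimum scopes a prospective application owner must be able to obtain,
# as proposed in the thread: subscription plus application management.
REQUIRED_SCOPES = ("apim:subscribe", "apim:app_manage")


def scope_role_map(tenant_conf):
    """Build {scope_name: set_of_roles} from the RESTAPIScopes section."""
    mapping = {}
    for entry in tenant_conf["RESTAPIScopes"]["Scope"]:
        roles = {r.strip() for r in entry["Roles"].split(",") if r.strip()}
        mapping[entry["Name"]] = roles
    return mapping


def missing_scopes(user_roles, tenant_conf, required=REQUIRED_SCOPES):
    """Return the required scopes that none of the user's roles is mapped to.

    The check is against the role-scope mapping, not against a fixed
    role name, so custom roles count as long as they carry the scopes.
    An empty list means the user is eligible as the new application owner.
    """
    mapping = scope_role_map(tenant_conf)
    held = set(user_roles)
    return [s for s in required if not (mapping.get(s, set()) & held)]


def is_eligible_owner(user_roles, tenant_conf):
    return not missing_scopes(user_roles, tenant_conf)


if __name__ == "__main__":
    print(is_eligible_owner(["roleA"], TENANT_CONF))            # custom role, both scopes
    print(missing_scopes(["roleB"], TENANT_CONF))               # subscribe only
    print(missing_scopes(["Internal/publisher"], TENANT_CONF))  # neither scope
```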
