On 15/04/2019 13:31, ripedenis--- via db-wg wrote:
I have recently encountered issues in this area as well. I would like
to see the standard "non-billing" users to not only be allowed for the
main resources but also for all sub-groups that appear under the LIR.
Currently, a user added as a regular LIR user does *not* have access to
all RIPE NCC services:
Currently in the LIR there are 3 levels of users:
- Admin - The Administrator will have full access to RIPE NCC services
plus the right to manage other LIR contacts
- Regular - The Operator will have full access to RIPE NCC services
- Billing - The Billing user will have access to RIPE NCC billing
information only
Only by adding that user as SSO under the mntner will the user have
access to all LIR sub-groups.
Also, now that RPKI is picking up steam, I would like to see an
additional level of user known as RPKI - which means the user can have
access to all RIPE NCC RPKI services, including creating ROAs and
anything else related to RPKI.
Regards,
Hank
Colleagues
I think we have now agreed on these problem and solution definitions:
Problem Definition
LIRs would like a mechanism to easily add/remove users to centralised
SSO authentication groups for maintaining objects in the RIPE Database.
Solution Definition
Stage 1
- Non billing Users listed in an LIR's portal account will be contained
in a default authentication group
- Non billing users added or removed through the portal UI will be
automatically adjusted in this group
- This authentication group can be referenced in MNTNER objects by a
new authentication method
- These authentication groups for LIRs will be stored in a way that
updates to the RIPE Database are not dependent on the availability of
the portal service
Stage 2
- Non billing Users listed in an LIR's portal account can be added to
and removed from user defined SSO authentication groups
- Each User can be a member of any number of named groups
- The authentication groups can be configured using the portal UI
- These groups can be referenced in MNTNER objects by the new
authentication method
The chairs will now ask the RIPE NCC to work from these definitions in
preparing their implementation plan.
cheers
denis
co-chair DB-WG