I think this is a good idea as it accomplishes the original goal and does not
make the DB depend on the LIR portal.

- Cynthia

On Fri, May 17, 2019, 10:33 Edward Shryane via db-wg <[email protected]> wrote:

> Dear working group,
>
> here is the RIPE NCC's proposed implementation plan for NWI-8: LIR's SSO
> Authentication Groups.
>
> Scope
>
> - To simplify the implementation, synchronisation will be done using the
> existing SSO authentication method.
> - Authentication groups (and any new authentication method) will be
> deferred until later.
>
> Introduction
>
> - The synchronisation of non-billing users with the RIPE database will be
> done with a default maintainer.
> - Setting a default maintainer for the organisation is a pre-requisite for
> synchronisation.
> - A default maintainer is already able to maintain the organisation object
> and top-level resources.
> - Extending this existing mechanism simplifies the synchronisation of
> users.
>
> Implementation
>
> - A new checkbox will be added to the Account Details page in the LIR
> Portal, in the Maintainer section.
>         - "Synchronise non-billing users with the default maintainer".
> - If no default maintainer is set, the checkbox is disabled.
> - The synchronise checkbox is not checked by default (the user must
> confirm this action first).
> - When the user enables the synchronise checkbox, they must first
> authenticate with the default maintainer.
>         - The user must prove they control the maintainer before user
> accounts are added to it.
>         - If the user's account is already present on the maintainer, this
> authentication is automatic.
>         - Otherwise if the maintainer contains any password credentials,
> the user will be asked for a password.
>         - Otherwise the user is asked to first add their credentials to
> the maintainer separately.
> - Once the checkbox is enabled, synchronisation is performed.
>         - Any existing user accounts are removed from the maintainer.
>         - Any non-billing user accounts are added to the maintainer.
>         - Any other credentials (passwords or PGP keys) are not affected.
> - After synchronisation is enabled
>         - Whenever a non-billing user is added or removed from the
> organisation, the default maintainer is updated accordingly.
> - A default maintainer can only be synchronised with a single organisation.
>         - If a user is removed from one organisation, but remains in a
> different organisation, this would create a conflict when synchronising.
> - If synchronisation is disabled
>         - Users are no longer synchronised with the default maintainer,
> but existing user accounts are not removed.
> - Notifications
>         - To receive email notifications when the default maintainer is
> updated, use the notify: and/or mnt-nfy: attribute(s) on the maintainer
> itself.
>
>
> Regards
> Ed Shryane
> RIPE NCC
>
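
The synchronisation rules in the quoted plan, modelled over a maintainer's `auth:` values. This is an added example, not RIPE NCC's implementation and not part of the original thread. The function names, the in-memory binding table, the lower-casing of account names and the sample values are assumptions made for illustration.

```python
from enum import Enum

class Gate(Enum):
    AUTOMATIC = "automatic"                  # user's account is already on the maintainer
    ASK_PASSWORD = "ask_password"            # maintainer holds a password credential
    ADD_CREDENTIALS_FIRST = "add_credentials_first"

def parse_auth(value):
    """Split an auth: value into (SCHEME, rest); 'PGPKEY-<id>' has an empty rest."""
    scheme, _, rest = value.strip().partition(" ")
    return scheme.upper(), rest.strip()

def enable_gate(auth_values, user):
    """Proof of control required before the synchronise checkbox can be enabled."""
    parsed = [parse_auth(v) for v in auth_values]
    if any(s == "SSO" and r.lower() == user.lower() for s, r in parsed):
        return Gate.AUTOMATIC
    if any(s == "MD5-PW" for s, _ in parsed):  # assumed password scheme
        return Gate.ASK_PASSWORD
    return Gate.ADD_CREDENTIALS_FIRST

def synchronise(auth_values, non_billing_users):
    """Drop every existing SSO account, add the non-billing users,
    and leave passwords and PGP keys exactly as they were."""
    kept = [v for v in auth_values if parse_auth(v)[0] != "SSO"]
    added = [f"SSO {u}" for u in sorted({u.lower() for u in non_billing_users})]
    return kept + added

def bind(bindings, mntner, org):
    """A default maintainer may be synchronised with a single organisation only."""
    owner = bindings.setdefault(mntner, org)
    if owner != org:
        raise ValueError(f"{mntner} is already synchronised with {owner}")
    return owner

# Constructed sample maintainer; none of these values come from a real object.
SAMPLE_AUTH = [
    "MD5-PW $1$constructed$hash",
    "PGPKEY-0000AAAA",
    "SSO old.admin@example.net",
    "SSO alice@example.net",
]

if __name__ == "__main__":
    print(enable_gate(SAMPLE_AUTH, "bob@example.net"))
    for line in synchronise(SAMPLE_AUTH, {"alice@example.net", "bob@example.net"}):
        print("auth:", line)
```

Note that the first synchronisation removes `old.admin@example.net` even though nobody asked for that account to be deleted, which is why the plan leaves the checkbox unchecked by default.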
