Hi Supun,

On Fri, May 8, 2015 at 10:48 AM, Supun Nakandala <[email protected]> wrote:

> Hi Suresh,
>
> I understand the requirement. But according to my knowledge on IS there are certain issues (Hasini can correct me). Consider the following use cases
>
> 1. New user comes to PGA and tries to create a new user account - In this case we have to invoke RemoteUserStoreManager service and that has to be done by including tenant admin's credentials. Basically this API method can only be invoked by admin.
>

There is a self-registration feature provided by IS which doesn't need admin credentials to create user accounts when the users self register.

> 2. Current user tries to update his profile - Same argument as above
>

Same as above, there is a feature in IS which allows user to update some of the information in his/her own profile. I cannot tell the service names and method names off the top of my head, but you can find them out by trying out those features through IS.

> 3. Current user logs in to the system and we need to get the user's roles to find out what capabilities the user has - For this user authentication can be done via AuthenticationAdmin without the admin credentials but to fetch the user roles we need to invoke RemoteUserStoreManager service which again needs admin credentials.
>

Yes, fetching user's roles is an admin-only function, as far as I know.

Thanks,
Hasini.

> According to what I found the API methods exposed by the IS are all Admin Services and they are designed to be invoked only by the Admin.
>
> So given the above three use cases I think it is not possible to completely remove admin rights from the PGA.
>
> I don't know whether it is possible to grant fine grained API level access to user roles. If that is possible we can create a new role 'portal_admin' and grant access only to the service methods required by the web portal.
>
> On Fri, May 8, 2015 at 7:49 PM, Suresh Marru <[email protected]> wrote:
>
>> On May 8, 2015, at 8:39 AM, Supun Nakandala <[email protected]> wrote:
>>
>> Hi Hasini,
>>
>> The requirement was to remove admin credentials from the config files for security reasons and call the admin services only when the admin user login.
>>
>> Hi Supun,
>>
>> To clarify the use case:
>>
>> If a user (with non-admin role) logs in, then they should only be allowed to perform actions which are allowable by regular users.
>> If an admin logs in, they should be able to do all admin actions, including fetching user roles and so forth.
>>
>> Currently, since we have admin credentials in config files, it allows the portal to do all admin actions as well. Of course we can restrict that well at the application layer, but it's a security hole. I think we should defer the authorization to the identity server.
>>
>> Does this make sense? Are you seeing it differently, or do you have a different scenario in mind?
>>
>> Suresh
>>
>> Perhaps Suresh can provide more insight on the requirement.
>> On May 8, 2015 9:29 AM, "Hasini Gunasinghe" <[email protected]> wrote:
>>
>>> Hi Supun,
>>>
>>> Please find the answers inline.
>>>
>>> On Wed, May 6, 2015 at 1:34 PM, Supun Nakandala <[email protected]> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I was looking into the $subject and found some blockers.
>>>>
>>>> Authenticating a user can be done using AuthenticationAdmin service in IS without requiring the tenant admin's credentials.
>>>>
>>>> But in order to fetch the roles of the user (we need them in PGA) or create a new user account or update current user's information we have to invoke RemoteUserStoreManager service and according to what I found this can only be invoked providing tenant admin's credentials.
>>>>
>>> This is the expected behavior. You need to authenticate with the tenant admin's credentials, in order to invoke such functions. What is your issue?
>>>
>>> Thanks,
>>> Hasini.
>>>
>
> --
> Thank you
> Supun Nakandala
> Dept. Computer Science and Engineering
> University of Moratuwa
>
