Hi,

Related to interacting with gadgets in the dashboard app, I have evaluated the operation-level permissions required for logged-in users in order to work with gadgets properly. I have summarized the services used, operations and permissions required in [1].

Some of the service operations require more advanced permissions than */permission/admin/login*, which is the only permission assigned to self-signed up users. Therefore self-signed users are unable to properly interact with the following gadgets:

- Account Recovery
- My Profile
- Associated Accounts
- Authorized Apps

By looking at the given information in [1] (marked in red), will it be OK to change those permissions to */permission/admin/login*, and which permissions should we keep as they are and assign to the selfsignup role?

[1] https://docs.google.com/a/wso2.com/spreadsheets/d/1DH8OWQ_VdA2xgPSjV-uEpj4tWpLDBxqQY2EO-xLL8T4/edit?usp=sharing

Thanks!
-Ayesha

On Thu, Oct 27, 2016 at 10:36 PM, Isura Karunaratne <[email protected]> wrote:

> login permission is required for the following gadgets
>
> - Update user profile : It uses UserProfileMgtService
> - Setting security questions : It uses UserIdentityManagementAdminService
> - Change password : It uses UserIdentityManagementAdminService
> - Account association
> - Authorized Apps
> - Pending approvals (This requires some additional permission too)
>
> As you mentioned, we can remove the authorization check in most of these
> gadgets.
>
> so, +1 to remove the login permission requirement from user portal. It
> will be good for user experience.
>
> Thanks
> Isura.
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: [email protected]
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
> On Thu, Oct 27, 2016 at 10:30 AM, Johann Nallathamby <[email protected]>
> wrote:
>
>> Hi Isura,
>>
>> Why do we need "login" permission for user portal? Only for workflow
>> approvals and user session termination we need some specific
>> permissions. Shall we remove the requirement to have "login" permission to
>> login to the user portal? I guess removing it from the portal might not be
>> enough. Services such as user profile, account association, authorized apps
>> also may need to be modified to check only for authentication.
>>
>> Wdyt?
>>
>> On Thu, Oct 27, 2016 at 8:50 PM, Ayesha Dissanayaka <[email protected]>
>> wrote:
>>
>>> On Thu, Oct 27, 2016 at 6:56 PM, Johann Nallathamby <[email protected]>
>>> wrote:
>>>
>>>> Why do we need to have login permission for "selfsignup" role? We don't
>>>> need to. "login" permission is to login to management console. We don't
>>>> expect self signup users to login to management console. They can only
>>>> login to dashboard, and for that we should not need "login" permission. Can
>>>> you check if dashboard functions without "login" permission?
>>>
>>> I tested removing 'login' permission from the "selfsignup" role and user
>>> is unable to login to dashboard app without 'login' permission.
>>>
>>> With below logs in console,
>>> [2016-10-27 20:47:17,346] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication Request is rejected. Authorization Failure.
>>> [2016-10-27 20:47:17,347] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'Ayesha[-1234]' at [2016-10-27 20:47:17,347+0530]
>>>
>>> --
>>> *Ayesha Dissanayaka*
>>> Software Engineer,
>>> WSO2, Inc : http://wso2.com
>>> 20, Palmgrove Avenue, Colombo 3
>>> E-Mail: [email protected]
>>
>> --
>> Thanks & Regards,
>>
>> *Johann Dilantha Nallathamby*
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - *+94777776950*
>> Blog - http://nallaa.wordpress.com

--
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: [email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
