Hi,

After evaluating the permissions and internal discussions with the identity
team, it was decided that self sign-up users should be able to perform
actions related to the user's own account using the mentioned gadgets.

Hence, permissions are set to */permission/admin/login* for the relevant
operations, and at the code level users with the minimum permission can only
access those operations against their own account. For admin users, a higher
permission is required in order to perform operations on behalf of another
user.

Thanks!
-Ayesha
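The access rule Ayesha describes, as an added example that is not WSO2 code: a caller holding only the login permission may run an account operation against its own account, while acting on another user's account requires a higher permission. The higher permission path, the `Principal` type and the method names are assumptions for illustration; the caller's username must come from the authenticated session, never from the request.

```java
import java.util.Collections;
import java.util.Set;

public final class AccountOperationAuthorizer {

    /** The only permission a self-signed-up user holds (from the thread). */
    static final String LOGIN_PERMISSION = "/permission/admin/login";

    /** Hypothetical placeholder for the higher permission needed to act on another user. */
    static final String MANAGE_USERS_PERMISSION = "/permission/admin/PLACEHOLDER/usermgt";

    /** Minimal view of the authenticated caller: username and granted permission paths. */
    static final class Principal {
        final String username;
        final Set<String> permissions;
        Principal(String username, Set<String> permissions) {
            this.username = username;
            this.permissions = Collections.unmodifiableSet(permissions);
        }
        boolean has(String permission) { return permissions.contains(permission); }
    }

    /**
     * Decide whether caller may run an account operation (profile update, password
     * change, security questions, ...) against targetUser. Usernames are compared
     * case-insensitively here; use the server's own user-store comparison rule in practice.
     */
    static boolean isAuthorized(Principal caller, String targetUser) {
        if (caller == null || targetUser == null || targetUser.isEmpty()) {
            return false;                               // fail closed on a missing identity
        }
        boolean self = caller.username.equalsIgnoreCase(targetUser);
        if (self) {
            return caller.has(LOGIN_PERMISSION);        // own account: login permission suffices
        }
        return caller.has(MANAGE_USERS_PERMISSION);     // someone else's account: admin permission
    }

    public static void main(String[] args) {
        // Constructed sample principals: a self-signed-up user and an administrator.
        Principal selfSignup = new Principal("alice", Set.of(LOGIN_PERMISSION));
        Principal admin = new Principal("admin", Set.of(LOGIN_PERMISSION, MANAGE_USERS_PERMISSION));
        System.out.println("alice on own account:  " + isAuthorized(selfSignup, "alice"));
        System.out.println("alice on bob's account: " + isAuthorized(selfSignup, "bob"));
        System.out.println("admin on bob's account: " + isAuthorized(admin, "bob"));
    }
}
```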


On Tue, Nov 29, 2016 at 7:58 PM, Ayesha Dissanayaka <aye...@wso2.com> wrote:

> Hi
>
> Related to interacting with gadgets in the dashboard app, I have evaluated
> the operation-level permissions required for logged-in users in order to
> work with gadgets properly. I have summarized the services used, operations and
> permissions required in [1].
>
> Some of the service operations require more advanced permissions than
> */permission/admin/login*, which is the only permission assigned to
> self-signed-up users.
> Therefore self-signed-up users are unable to properly interact with the following
> gadgets:
>
>    - Account Recovery
>    - My Profile
>    - Associated Accounts
>    - Authorized Apps
>
> By looking at the given information in [1] (marked in red), will it be OK
> to change those permissions to */permission/admin/login*, and which
> permissions should we keep as they are and assign to the selfsignup role?
>
> [1] https://docs.google.com/a/wso2.com/spreadsheets/d/1DH8OWQ_VdA2xgPSjV-uEpj4tWpLDBxqQY2EO-xLL8T4/edit?usp=sharing
>
> Thanks!
> -Ayesha
>
> On Thu, Oct 27, 2016 at 10:36 PM, Isura Karunaratne <is...@wso2.com>
> wrote:
>
>>  login permission is required for the following gadgets:
>>
>>    - Update user profile : It uses UserProfileMgtService
>>    - Setting security questions : It uses UserIdentityManagementAdminService
>>    - Change password : It uses UserIdentityManagementAdminService
>>    - Account association
>>    - Authorized Apps
>>    - Pending approvals (this requires some additional permission too)
>>
>> As you mentioned, we can remove the authorization check in most of these
>> gadgets.
>>
>> So, +1 to remove the login permission requirement from the user portal. It
>> will be good for user experience.
>>
>>
>> Thanks
>> Isura.
>>
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>>
>>
>>
>> On Thu, Oct 27, 2016 at 10:30 AM, Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> Hi Isura,
>>>
>>> Why do we need "login" permission for the user portal? Only for workflow
>>> approvals and user session termination do we need some specific
>>> permissions. Shall we remove the requirement to have "login" permission to
>>> log in to the user portal? I guess removing it from the portal might not be
>>> enough. Services such as user profile, account association, authorized apps
>>> also may need to be modified to check only for authentication.
>>>
>>> Wdyt?
>>>
>>> On Thu, Oct 27, 2016 at 8:50 PM, Ayesha Dissanayaka <aye...@wso2.com>
>>> wrote:
>>>
>>>>
>>>> On Thu, Oct 27, 2016 at 6:56 PM, Johann Nallathamby <joh...@wso2.com>
>>>> wrote:
>>>>
>>>>> Why do we need to have login permission for the "selfsignup" role? We
>>>>> don't need to. "login" permission is to log in to the management console. We
>>>>> don't expect self sign-up users to log in to the management console. They can
>>>>> only log in to the dashboard, and for that we should not need "login"
>>>>> permission. Can you check if the dashboard functions without "login"
>>>>> permission?
>>>>
>>>>
>>>> I tested removing 'login' permission from the "selfsignup" role and the
>>>> user is unable to log in to the dashboard app without 'login' permission.
>>>>
>>>> With the following logs in the console:
>>>> [2016-10-27 20:47:17,346] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} -  Authentication Request is rejected. Authorization Failure.
>>>> [2016-10-27 20:47:17,347]  WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} -  Failed Administrator login attempt 'Ayesha[-1234]' at [2016-10-27 20:47:17,347+0530]
>>>>
>>>>
>>>>
>>>> --
>>>> *Ayesha Dissanayaka*
>>>> Software Engineer,
>>>> WSO2, Inc : http://wso2.com
>>>> 20, Palmgrove Avenue, Colombo 3
>>>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>>
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - *+94777776950*
>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>>>
>>
>>
>
>
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>



-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev