Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-13 Thread Uvindra Dias Jayasinha
On 13 February 2018 at 18:02, Chamin Dias  wrote:

> Hi,
>
> Can we promote a "shared user" to "admin shared user" (and vice versa)? Is
> it supported in this feature?
>
> Thanks.
>
>
@Chamin, there is no such thing as an admin shared user. We do have a
facility of changing the owner of an application though [1].

[1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost


>
> On Tue, Feb 13, 2018 at 3:51 PM, Harsha Kumara  wrote:
>
>> @Sanjeewa, Uvindra can we actually prevent it? Basically we can hide it
>> from the UI. But since he knows the consumer key and secret, he can simply
>> revoke and regenerate the token.
>>
>> On Thu, Feb 8, 2018 at 2:57 PM, Uvindra Dias Jayasinha 
>> wrote:
>>
>>> Yes we can safely prevent shared users from regenerating access tokens
>>> of Apps that they are not owners of. This ideally shouldn't be an issue
>>> since Apps should have provision to regenerate a token if required.
>>>
>>> On 8 February 2018 at 14:23, Sanjeewa Malalgoda 
>>> wrote:
>>>
 Can shared users generate keys for the application? After the first time, if
 one user regenerates the application access key then it will affect others, as we
 revoke and generate the application token.
 I think the regenerate option and application access token visibility also
 should be removed for the above shared users. I think generating a token with the
 resource owner grant by a non-app owner may cause issues.

 Thanks,
 sanjeewa.

 On Wed, Feb 7, 2018 at 11:57 AM, Uvindra Dias Jayasinha <
 uvin...@wso2.com> wrote:

> +1 Agreed with Nuwan about how subscriptions should be handled
>
>
> Regarding the behavior of the Admin shared user, seems this is not
> required because we already have an Admin REST API to change Application
> ownership available in 2.2.0[1] as discussed in the mail thread[2]. This
> addresses the requirement of what would happen if an App owner leaves the
> organization. So we will only address the App Owner and Shared User
> experience.
>
> [1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
> [2][C4[]APIM] REST API for changing Owner of a Application
>
> On 7 February 2018 at 11:18, Nuwan Dias  wrote:
>
>>
>>
>> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha <
>> uvin...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> It seems that currently we do not have a clear definition regarding
>>> what users can do with shared applications. This has been
>>> highlighted in [1] and the plan is to address this as part of the APIM
>>> 2.2.0 release.
>>>
>>> There are two types of users, the *App owner* who creates the App
>>> and the *shared user* who is able to view the App that is shared
>>> with them by the App owner.
>>>
>>> *Current issues*
>>> 1. Product allows shared users to attempt updating Apps that are not
>>> owned by them, which leads to errors because they do not have the
>>> required permissions.
>>>
>>> 2. Product allows shared users to delete Apps that are not owned by
>>> them, which violates the Application ownership concept.
>>>
>>> The plan to address this is as follows:
>>>
>>> *Solution*
>>> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>>>
>>> 2. *Shared user*: Has only read-only access to Apps shared with
>>> them (cannot delete/update).
>>> Deletion and updating of Apps will be restricted at the API Store UI
>>> level. App ownership will be checked before performing an App
>>> update/delete on the server side in order to enforce this for REST API calls.
>>>
>>
>> Shared user needs to view, remove and add subscriptions too IMO.
>>
>>>
>>> 3. *Admin shared user*: Has the ability to delete/update Apps shared
>>> with them. The reason for this is to address practical issues that take
>>> place when the App owner leaves an organization and there needs to be
>>> some way to delete/update such an Application.
>>>
>>
>> +1
>>
>>>
>>>
>>> Please give your feedback on the above.
>>>
>>>
>>> [1] https://github.com/wso2/product-apim/issues/2690
>>> --
>>> Regards,
>>> Uvindra
>>>
>>> Mobile: 33962
>>>
>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>>
>
>
>
> --
> Regards,
> Uvindra
>
> Mobile: 33962
>



 --

 *Sanjeewa Malalgoda*
 WSO2 Inc.
 Mobile : +94713068779

Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-13 Thread Uvindra Dias Jayasinha
@Harsha, yes there is no way to truly prevent shared users from invoking
the token endpoint and thereby revoking the access token. But as discussed,
since tokens are not hard coded in applications this is not a concern.
Apps should be continuously refreshing their token from time to time.

On 13 February 2018 at 15:51, Harsha Kumara  wrote:

> @Sanjeewa, Uvindra can we actually prevent it? Basically we can hide it
> from the UI. But since he knows the consumer key and secret, he can simply
> revoke and regenerate the token.
>
> On Thu, Feb 8, 2018 at 2:57 PM, Uvindra Dias Jayasinha 
> wrote:
>
>> Yes we can safely prevent shared users from regenerating access tokens of
>> Apps that they are not owners of. This ideally shouldn't be an issue since
>> Apps should have provision to regenerate a token if required.
>>
>> On 8 February 2018 at 14:23, Sanjeewa Malalgoda 
>> wrote:
>>
>>> Can shared users generate keys for the application? After the first time, if
>>> one user regenerates the application access key then it will affect others, as we
>>> revoke and generate the application token.
>>> I think the regenerate option and application access token visibility also
>>> should be removed for the above shared users. I think generating a token with the
>>> resource owner grant by a non-app owner may cause issues.
>>>
>>> Thanks,
>>> sanjeewa.
>>>
>>> On Wed, Feb 7, 2018 at 11:57 AM, Uvindra Dias Jayasinha <
>>> uvin...@wso2.com> wrote:
>>>
 +1 Agreed with Nuwan about how subscriptions should be handled


 Regarding the behavior of the Admin shared user, seems this is not
 required because we already have an Admin REST API to change Application
 ownership available in 2.2.0[1] as discussed in the mail thread[2]. This
 addresses the requirement of what would happen if an App owner leaves the
 organization. So we will only address the App Owner and Shared User
 experience.

 [1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
 [2][C4[]APIM] REST API for changing Owner of a Application

 On 7 February 2018 at 11:18, Nuwan Dias  wrote:

>
>
> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha <
> uvin...@wso2.com> wrote:
>
>> Hi All,
>>
>> It seems that currently we do not have a clear definition regarding
>> what users can do with shared applications. This has been
>> highlighted in [1] and the plan is to address this as part of the APIM
>> 2.2.0 release.
>>
>> There are two types of users, the *App owner* who creates the App
>> and the *shared user* who is able to view the App that is shared
>> with them by the App owner.
>>
>> *Current issues*
>> 1. Product allows shared users to attempt updating Apps that are not
>> owned by them, which leads to errors because they do not have the
>> required permissions.
>>
>> 2. Product allows shared users to delete Apps that are not owned by
>> them, which violates the Application ownership concept.
>>
>> The plan to address this is as follows:
>>
>> *Solution*
>> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>>
>> 2. *Shared user*: Has only read-only access to Apps shared with
>> them (cannot delete/update).
>> Deletion and updating of Apps will be restricted at the API Store UI
>> level. App ownership will be checked before performing an App
>> update/delete on the server side in order to enforce this for REST API calls.
>>
>
> Shared user needs to view, remove and add subscriptions too IMO.
>
>>
>> 3. *Admin shared user*: Has the ability to delete/update Apps shared
>> with them. The reason for this is to address practical issues that take
>> place when the App owner leaves an organization and there needs to be
>> some way to delete/update such an Application.
>>
>
> +1
>
>>
>>
>> Please give your feedback on the above.
>>
>>
>> [1] https://github.com/wso2/product-apim/issues/2690
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



 --
 Regards,
 Uvindra

 Mobile: 33962

>>>
>>>
>>>
>>> --
>>>
>>> *Sanjeewa Malalgoda*
>>> WSO2 Inc.
>>> Mobile : +94713068779
>>>
>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
> Harsha Kumara
> Software Engineer, WSO2 Inc.
> Mobile: +94775505618
> 
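The exchange above between Harsha and Uvindra comes down to two points: hiding the regenerate action in the Store UI does not stop anyone who holds the Application's consumer key and secret from revoking and re-issuing the token at the token endpoint, and that is acceptable as long as client applications re-acquire tokens instead of hard coding them. The following is an added example, not code from this thread or from WSO2 APIM, that models both sides: a toy token endpoint with a client_credentials grant and revocation, a resource server that rejects revoked tokens, and a client that re-acquires its token once on a 401 and retries. `AuthServer`, `ResourceServer`, `ApiClient` and the credential values are constructed for the example.

```python
"""Token regeneration by another credential holder, and a client that copes.

Added example, not WSO2 APIM code. AuthServer, ResourceServer, ApiClient and
the consumer key/secret values are constructed for illustration.
"""
import secrets
from typing import Dict, Optional, Tuple


class AuthServer:
    """Toy OAuth2 token endpoint: client_credentials grant plus revocation."""

    def __init__(self, clients: Dict[str, str]):
        self.clients = dict(clients)       # consumer key -> consumer secret
        self.active: Dict[str, str] = {}   # live token -> consumer key

    def _check_client(self, key: str, secret: str) -> None:
        # Reject unknown keys and wrong secrets; compare in constant time.
        expected = self.clients.get(key)
        if expected is None or not secrets.compare_digest(expected, secret):
            raise PermissionError("invalid_client")

    def token(self, key: str, secret: str) -> str:
        self._check_client(key, secret)
        tok = secrets.token_urlsafe(24)
        self.active[tok] = key
        return tok

    def revoke(self, key: str, secret: str, tok: str) -> None:
        self._check_client(key, secret)
        if self.active.get(tok) == key:    # a client may only revoke its own tokens
            del self.active[tok]

    def regenerate(self, key: str, secret: str) -> str:
        """What the Store's regenerate action does: revoke every live token
        of the Application and issue a fresh one."""
        self._check_client(key, secret)
        for tok in [t for t, k in self.active.items() if k == key]:
            del self.active[tok]
        return self.token(key, secret)

    def introspect(self, tok: str) -> bool:
        return tok in self.active


class ResourceServer:
    """Toy gateway: serves a request only when the token is still live."""

    def __init__(self, auth: AuthServer):
        self.auth = auth

    def get(self, path: str, tok: Optional[str]) -> Tuple[int, Optional[dict]]:
        if tok is None or not self.auth.introspect(tok):
            return 401, None
        return 200, {"path": path}


class ApiClient:
    """Client that never hard codes its token: it fetches one on demand and,
    on a 401, discards it, re-acquires once and retries the request."""

    def __init__(self, auth: AuthServer, rs: ResourceServer, key: str, secret: str):
        self.auth, self.rs, self.key, self.secret = auth, rs, key, secret
        self._tok: Optional[str] = None
        self.token_fetches = 0

    def _ensure_token(self) -> str:
        if self._tok is None:
            self._tok = self.auth.token(self.key, self.secret)
            self.token_fetches += 1
        return self._tok

    def get(self, path: str) -> Tuple[int, Optional[dict]]:
        status, body = self.rs.get(path, self._ensure_token())
        if status == 401:
            self._tok = None              # revoked elsewhere: re-acquire once
            status, body = self.rs.get(path, self._ensure_token())
        return status, body


def demo() -> Tuple[int, int, int]:
    """First call succeeds; another holder of the same key pair regenerates
    the Application token; the client's next call still succeeds after one
    transparent re-acquisition. Returns (status1, status2, token_fetches)."""
    auth = AuthServer({"consumer-key-1": "consumer-secret-1"})   # constructed
    rs = ResourceServer(auth)
    client = ApiClient(auth, rs, "consumer-key-1", "consumer-secret-1")
    first, _ = client.get("/orders")
    auth.regenerate("consumer-key-1", "consumer-secret-1")      # other shared user
    second, _ = client.get("/orders")
    return first, second, client.token_fetches
```

The retry is bounded to one re-acquisition per request so that a genuinely broken credential surfaces as an error rather than a loop, and the client keeps no long-lived copy of the token, which is exactly the property the thread relies on when it concludes that revocation by another shared user is not a correctness concern.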

Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-13 Thread Chamin Dias
Hi,

Can we promote a "shared user" to "admin shared user" (and vice versa)? Is
it supported in this feature?

Thanks.


On Tue, Feb 13, 2018 at 3:51 PM, Harsha Kumara  wrote:

> @Sanjeewa, Uvindra can we actually prevent it? Basically we can hide it
> from the UI. But since he knows the consumer key and secret, he can simply
> revoke and regenerate the token.
>
> On Thu, Feb 8, 2018 at 2:57 PM, Uvindra Dias Jayasinha 
> wrote:
>
>> Yes we can safely prevent shared users from regenerating access tokens of
>> Apps that they are not owners of. This ideally shouldn't be an issue since
>> Apps should have provision to regenerate a token if required.
>>
>> On 8 February 2018 at 14:23, Sanjeewa Malalgoda 
>> wrote:
>>
>>> Can shared users generate keys for the application? After the first time, if
>>> one user regenerates the application access key then it will affect others, as we
>>> revoke and generate the application token.
>>> I think the regenerate option and application access token visibility also
>>> should be removed for the above shared users. I think generating a token with the
>>> resource owner grant by a non-app owner may cause issues.
>>>
>>> Thanks,
>>> sanjeewa.
>>>
>>> On Wed, Feb 7, 2018 at 11:57 AM, Uvindra Dias Jayasinha <
>>> uvin...@wso2.com> wrote:
>>>
 +1 Agreed with Nuwan about how subscriptions should be handled


 Regarding the behavior of the Admin shared user, seems this is not
 required because we already have an Admin REST API to change Application
 ownership available in 2.2.0[1] as discussed in the mail thread[2]. This
 addresses the requirement of what would happen if an App owner leaves the
 organization. So we will only address the App Owner and Shared User
 experience.

 [1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
 [2][C4[]APIM] REST API for changing Owner of a Application

 On 7 February 2018 at 11:18, Nuwan Dias  wrote:

>
>
> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha <
> uvin...@wso2.com> wrote:
>
>> Hi All,
>>
>> It seems that currently we do not have a clear definition regarding
>> what users can do with shared applications. This has been
>> highlighted in [1] and the plan is to address this as part of the APIM
>> 2.2.0 release.
>>
>> There are two types of users, the *App owner* who creates the App
>> and the *shared user* who is able to view the App that is shared
>> with them by the App owner.
>>
>> *Current issues*
>> 1. Product allows shared users to attempt updating Apps that are not
>> owned by them, which leads to errors because they do not have the
>> required permissions.
>>
>> 2. Product allows shared users to delete Apps that are not owned by
>> them, which violates the Application ownership concept.
>>
>> The plan to address this is as follows:
>>
>> *Solution*
>> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>>
>> 2. *Shared user*: Has only read-only access to Apps shared with
>> them (cannot delete/update).
>> Deletion and updating of Apps will be restricted at the API Store UI
>> level. App ownership will be checked before performing an App
>> update/delete on the server side in order to enforce this for REST API calls.
>>
>
> Shared user needs to view, remove and add subscriptions too IMO.
>
>>
>> 3. *Admin shared user*: Has the ability to delete/update Apps shared
>> with them. The reason for this is to address practical issues that take
>> place when the App owner leaves an organization and there needs to be
>> some way to delete/update such an Application.
>>
>
> +1
>
>>
>>
>> Please give your feedback on the above.
>>
>>
>> [1] https://github.com/wso2/product-apim/issues/2690
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



 --
 Regards,
 Uvindra

 Mobile: 33962

>>>
>>>
>>>
>>> --
>>>
>>> *Sanjeewa Malalgoda*
>>> WSO2 Inc.
>>> Mobile : +94713068779
>>>
>>> blog: http://sanjeewamalalgoda.blogspot.com/
>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
> Harsha Kumara
> Software Engineer, WSO2 Inc.
> Mobile: +94775505618
> Blog: harshcreationz.blogspot.com
>
> ___
> Architecture mailing list
> Architecture@wso2.org
> 

Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-13 Thread Harsha Kumara
@Sanjeewa, Uvindra can we actually prevent it? Basically we can hide it
from the UI. But since he knows the consumer key and secret, he can simply
revoke and regenerate the token.

On Thu, Feb 8, 2018 at 2:57 PM, Uvindra Dias Jayasinha 
wrote:

> Yes we can safely prevent shared users from regenerating access tokens of
> Apps that they are not owners of. This ideally shouldn't be an issue since
> Apps should have provision to regenerate a token if required.
>
> On 8 February 2018 at 14:23, Sanjeewa Malalgoda  wrote:
>
>> Can shared users generate keys for the application? After the first time, if
>> one user regenerates the application access key then it will affect others, as we
>> revoke and generate the application token.
>> I think the regenerate option and application access token visibility also
>> should be removed for the above shared users. I think generating a token with the
>> resource owner grant by a non-app owner may cause issues.
>>
>> Thanks,
>> sanjeewa.
>>
>> On Wed, Feb 7, 2018 at 11:57 AM, Uvindra Dias Jayasinha wrote:
>>
>>> +1 Agreed with Nuwan about how subscriptions should be handled
>>>
>>>
>>> Regarding the behavior of the Admin shared user, seems this is not
>>> required because we already have an Admin REST API to change Application
>>> ownership available in 2.2.0[1] as discussed in the mail thread[2]. This
>>> addresses the requirement of what would happen if an App owner leaves the
>>> organization. So we will only address the App Owner and Shared User
>>> experience.
>>>
>>> [1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
>>> [2][C4[]APIM] REST API for changing Owner of a Application
>>>
>>> On 7 February 2018 at 11:18, Nuwan Dias  wrote:
>>>


 On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha <
 uvin...@wso2.com> wrote:

> Hi All,
>
> It seems that currently we do not have a clear definition regarding
> what users can do with shared applications. This has been highlighted in [1]
> and the plan is to address this as part of the APIM 2.2.0 release.
>
> There are two types of users, the *App owner* who creates the App and
> the *shared user* who is able to view the App that is shared with them by
> the App owner.
>
> *Current issues*
> 1. Product allows shared users to attempt updating Apps that are not
> owned by them, which leads to errors because they do not have the required
> permissions.
>
> 2. Product allows shared users to delete Apps that are not owned by
> them, which violates the Application ownership concept.
>
> The plan to address this is as follows:
>
> *Solution*
> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>
> 2. *Shared user*: Has only read-only access to Apps shared with
> them (cannot delete/update).
> Deletion and updating of Apps will be restricted at the API Store UI level.
> App ownership will be checked before performing an App update/delete on the
> server side in order to enforce this for REST API calls.
>

 Shared user needs to view, remove and add subscriptions too IMO.

>
> 3. *Admin shared user*: Has the ability to delete/update Apps shared with
> them. The reason for this is to address practical issues that take place
> when the App owner leaves an organization and there needs to be some way
> to delete/update such an Application.
>

 +1

>
>
> Please give your feedback on the above.
>
>
> [1] https://github.com/wso2/product-apim/issues/2690
> --
> Regards,
> Uvindra
>
> Mobile: 33962
>



 --
 Nuwan Dias

 Software Architect - WSO2, Inc. http://wso2.com
 email : nuw...@wso2.com
 Phone : +94 777 775 729

>>>
>>>
>>>
>>> --
>>> Regards,
>>> Uvindra
>>>
>>> Mobile: 33962
>>>
>>
>>
>>
>> --
>>
>> *Sanjeewa Malalgoda*
>> WSO2 Inc.
>> Mobile : +94713068779
>>
>> blog: http://sanjeewamalalgoda.blogspot.com/
>>
>>
>>
>
>
> --
> Regards,
> Uvindra
>
> Mobile: 33962
>



-- 
Harsha Kumara
Software Engineer, WSO2 Inc.
Mobile: +94775505618
Blog: harshcreationz.blogspot.com
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-08 Thread Uvindra Dias Jayasinha
Yes we can safely prevent shared users from regenerating access tokens of
Apps that they are not owners of. This ideally shouldn't be an issue since
Apps should have provision to regenerate a token if required.

On 8 February 2018 at 14:23, Sanjeewa Malalgoda  wrote:

> Can shared users generate keys for the application? After the first time, if
> one user regenerates the application access key then it will affect others, as we
> revoke and generate the application token.
> I think the regenerate option and application access token visibility also
> should be removed for the above shared users. I think generating a token with the
> resource owner grant by a non-app owner may cause issues.
>
> Thanks,
> sanjeewa.
>
> On Wed, Feb 7, 2018 at 11:57 AM, Uvindra Dias Jayasinha 
> wrote:
>
>> +1 Agreed with Nuwan about how subscriptions should be handled
>>
>>
>> Regarding the behavior of the Admin shared user, seems this is not
>> required because we already have an Admin REST API to change Application
>> ownership available in 2.2.0[1] as discussed in the mail thread[2]. This
>> addresses the requirement of what would happen if an App owner leaves the
>> organization. So we will only address the App Owner and Shared User
>> experience.
>>
>> [1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
>> [2][C4[]APIM] REST API for changing Owner of a Application
>>
>> On 7 February 2018 at 11:18, Nuwan Dias  wrote:
>>
>>>
>>>
>>> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha <
>>> uvin...@wso2.com> wrote:
>>>
 Hi All,

 It seems that currently we do not have a clear definition regarding
 what users can do with shared applications. This has been highlighted in [1]
 and the plan is to address this as part of the APIM 2.2.0 release.

 There are two types of users, the *App owner* who creates the App and
 the *shared user* who is able to view the App that is shared with them
 by the App owner.

 *Current issues*
 1. Product allows shared users to attempt updating Apps that are not
 owned by them, which leads to errors because they do not have the required
 permissions.

 2. Product allows shared users to delete Apps that are not owned by
 them, which violates the Application ownership concept.

 The plan to address this is as follows:

 *Solution*
 1. *App Owner*: Has the ability to delete/update Apps owned by them.

 2. *Shared user*: Has only read-only access to Apps shared with
 them (cannot delete/update).
 Deletion and updating of Apps will be restricted at the API Store UI level.
 App ownership will be checked before performing an App update/delete on the
 server side in order to enforce this for REST API calls.

>>>
>>> Shared user needs to view, remove and add subscriptions too IMO.
>>>

 3. *Admin shared user*: Has the ability to delete/update Apps shared with
 them. The reason for this is to address practical issues that take place
 when the App owner leaves an organization and there needs to be some way to
 delete/update such an Application.

>>>
>>> +1
>>>


 Please give your feedback on the above.


 [1] https://github.com/wso2/product-apim/issues/2690
 --
 Regards,
 Uvindra

 Mobile: 33962

>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc. http://wso2.com
>>> email : nuw...@wso2.com
>>> Phone : +94 777 775 729
>>>
>>
>>
>>
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
>
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +94713068779
>
> blog: http://sanjeewamalalgoda.blogspot.com/
>
>
>


-- 
Regards,
Uvindra

Mobile: 33962


Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-08 Thread Sanjeewa Malalgoda
Can shared users generate keys for the application? After the first time, if one
user regenerates the application access key then it will affect others, as we
revoke and generate the application token.
I think the regenerate option and application access token visibility also
should be removed for the above shared users. I think generating a token with the
resource owner grant by a non-app owner may cause issues.

Thanks,
sanjeewa.

On Wed, Feb 7, 2018 at 11:57 AM, Uvindra Dias Jayasinha 
wrote:

> +1 Agreed with Nuwan about how subscriptions should be handled
>
>
> Regarding the behavior of the Admin shared user, seems this is not
> required because we already have an Admin REST API to change Application
> ownership available in 2.2.0[1] as discussed in the mail thread[2]. This
> addresses the requirement of what would happen if an App owner leaves the
> organization. So we will only address the App Owner and Shared User
> experience.
>
> [1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
> [2][C4[]APIM] REST API for changing Owner of a Application
>
> On 7 February 2018 at 11:18, Nuwan Dias  wrote:
>
>>
>>
>> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha wrote:
>>
>>> Hi All,
>>>
>>> It seems that currently we do not have a clear definition regarding
>>> what users can do with shared applications. This has been highlighted in [1]
>>> and the plan is to address this as part of the APIM 2.2.0 release.
>>>
>>> There are two types of users, the *App owner* who creates the App and
>>> the *shared user* who is able to view the App that is shared with them
>>> by the App owner.
>>>
>>> *Current issues*
>>> 1. Product allows shared users to attempt updating Apps that are not
>>> owned by them, which leads to errors because they do not have the required
>>> permissions.
>>>
>>> 2. Product allows shared users to delete Apps that are not owned by them,
>>> which violates the Application ownership concept.
>>>
>>> The plan to address this is as follows:
>>>
>>> *Solution*
>>> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>>>
>>> 2. *Shared user*: Has only read-only access to Apps shared with
>>> them (cannot delete/update).
>>> Deletion and updating of Apps will be restricted at the API Store UI level.
>>> App ownership will be checked before performing an App update/delete on the
>>> server side in order to enforce this for REST API calls.
>>>
>>
>> Shared user needs to view, remove and add subscriptions too IMO.
>>
>>>
>>> 3. *Admin shared user*: Has the ability to delete/update Apps shared with
>>> them. The reason for this is to address practical issues that take place
>>> when the App owner leaves an organization and there needs to be some way to
>>> delete/update such an Application.
>>>
>>
>> +1
>>
>>>
>>>
>>> Please give your feedback on the above.
>>>
>>>
>>> [1] https://github.com/wso2/product-apim/issues/2690
>>> --
>>> Regards,
>>> Uvindra
>>>
>>> Mobile: 33962
>>>
>>
>>
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : nuw...@wso2.com
>> Phone : +94 777 775 729
>>
>
>
>
> --
> Regards,
> Uvindra
>
> Mobile: 33962
>



-- 

*Sanjeewa Malalgoda*
WSO2 Inc.
Mobile : +94713068779

blog: http://sanjeewamalalgoda.blogspot.com/



Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-06 Thread Uvindra Dias Jayasinha
+1 Agreed with Nuwan about how subscriptions should be handled


Regarding the behavior of the Admin shared user, seems this is not required
because we already have an Admin REST API to change Application ownership
available in 2.2.0[1] as discussed in the mail thread[2]. This addresses
the requirement of what would happen if an App owner leaves the
organization. So we will only address the App Owner and Shared User
experience.

[1] https://docs.wso2.com/display/AM2xx/apidocs/admin/#!/operations#Application#applicationsApplicationIdChangeOwnerPost
[2][C4[]APIM] REST API for changing Owner of a Application

On 7 February 2018 at 11:18, Nuwan Dias  wrote:

>
>
> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha 
> wrote:
>
>> Hi All,
>>
>> It seems that currently we do not have a clear definition regarding
>> what users can do with shared applications. This has been highlighted in [1]
>> and the plan is to address this as part of the APIM 2.2.0 release.
>>
>> There are two types of users, the *App owner* who creates the App and
>> the *shared user* who is able to view the App that is shared with them
>> by the App owner.
>>
>> *Current issues*
>> 1. Product allows shared users to attempt updating Apps that are not
>> owned by them, which leads to errors because they do not have the required
>> permissions.
>>
>> 2. Product allows shared users to delete Apps that are not owned by them,
>> which violates the Application ownership concept.
>>
>> The plan to address this is as follows:
>>
>> *Solution*
>> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>>
>> 2. *Shared user*: Has only read-only access to Apps shared with
>> them (cannot delete/update).
>> Deletion and updating of Apps will be restricted at the API Store UI level.
>> App ownership will be checked before performing an App update/delete on the
>> server side in order to enforce this for REST API calls.
>>
>
> Shared user needs to view, remove and add subscriptions too IMO.
>
>>
>> 3. *Admin shared user*: Has the ability to delete/update Apps shared with
>> them. The reason for this is to address practical issues that take place
>> when the App owner leaves an organization and there needs to be some way to
>> delete/update such an Application.
>>
>
> +1
>
>>
>>
>> Please give your feedback on the above.
>>
>>
>> [1] https://github.com/wso2/product-apim/issues/2690
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>



-- 
Regards,
Uvindra

Mobile: 33962


Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-06 Thread Shani Ranasinghe
On Wed, Feb 7, 2018 at 11:18 AM, Nuwan Dias  wrote:

>
>
> On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha 
> wrote:
>
>> Hi All,
>>
>> It seems that currently we do not have a clear definition regarding
>> what users can do with shared applications. This has been highlighted in [1]
>> and the plan is to address this as part of the APIM 2.2.0 release.
>>
>> There are two types of users, the *App owner* who creates the App and
>> the *shared user* who is able to view the App that is shared with them
>> by the App owner.
>>
>> *Current issues*
>> 1. Product allows shared users to attempt updating Apps that are not
>> owned by them, which leads to errors because they do not have the required
>> permissions.
>>
>> 2. Product allows shared users to delete Apps that are not owned by them,
>> which violates the Application ownership concept.
>>
>> The plan to address this is as follows:
>>
>> *Solution*
>> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>>
>> 2. *Shared user*: Has only read-only access to Apps shared with
>> them (cannot delete/update).
>> Deletion and updating of Apps will be restricted at the API Store UI level.
>> App ownership will be checked before performing an App update/delete on the
>> server side in order to enforce this for REST API calls.
>>
>
> Shared user needs to view, remove and add subscriptions too IMO.
>

That's my opinion as well.

>
>> 3. *Admin shared user*: Has the ability to delete/update Apps shared with
>> them. The reason for this is to address practical issues that take place
>> when the App owner leaves an organization and there needs to be some way to
>> delete/update such an Application.
>>
>
> +1
>
Who is this user? A shared user having an admin role assigned? If so, are
we going to enforce a constraint that if apps are shared, and need to be
modified, they must be shared with an admin-role-assigned user?

Are we looking at implementing a permission model like in 3.x for 2.2.x as
well? If not, enforcing the deletion/updating of an app to an admin user
would make the feature a bit restrictive, wouldn't it? Do we have a
requirement for such a scenario from a customer? Just asking.

I think having the apps be edited by all shared users is fine. And maybe we
can only enforce app deletion to an admin shared user then?



>
>>
>> Please give your feedback on the above.
>>
>>
>> [1] https://github.com/wso2/product-apim/issues/2690
>> --
>> Regards,
>> Uvindra
>>
>> Mobile: 33962
>>
>
>
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : nuw...@wso2.com
> Phone : +94 777 775 729
>
>
>


-- 
Thanks and Regards
*,Shani Ranasinghe*
Senior Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware

mobile: +94 77 2273555
Blog: http://waysandmeans.blogspot.com/
linked in: lk.linkedin.com/pub/shani-ranasinghe/34/111/ab


Re: [Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-06 Thread Nuwan Dias
On Wed, Feb 7, 2018 at 11:14 AM, Uvindra Dias Jayasinha 
wrote:

> Hi All,
>
> It seems that currently we do not have a clear definition regarding
> what users can do with shared applications. This has been highlighted in [1]
> and the plan is to address this as part of the APIM 2.2.0 release.
>
> There are two types of users, the *App owner* who creates the App and
> the *shared user* who is able to view the App that is shared with them by
> the App owner.
>
> *Current issues*
> 1. Product allows shared users to attempt updating Apps that are not owned
> by them, which leads to errors because they do not have the required
> permissions.
>
> 2. Product allows shared users to delete Apps that are not owned by them,
> which violates the Application ownership concept.
>
> The plan to address this is as follows:
>
> *Solution*
> 1. *App Owner*: Has the ability to delete/update Apps owned by them.
>
> 2. *Shared user*: Has only read-only access to Apps shared with
> them (cannot delete/update).
> Deletion and updating of Apps will be restricted at the API Store UI level.
> App ownership will be checked before performing an App update/delete on the
> server side in order to enforce this for REST API calls.
>

Shared user needs to view, remove and add subscriptions too IMO.

>
> 3. *Admin shared user*: Has the ability to delete/update Apps shared with
> them. The reason for this is to address practical issues that take place
> when the App owner leaves an organization and there needs to be some way to
> delete/update such an Application.
>

+1

>
>
> Please give your feedback on the above.
>
>
> [1] https://github.com/wso2/product-apim/issues/2690
> --
> Regards,
> Uvindra
>
> Mobile: 33962
>



-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729


[Architecture] Clearly defining what operations users can perform on a shared application in APIM

2018-02-06 Thread Uvindra Dias Jayasinha
Hi All,

It seems that currently we do not have a clear definition regarding what
users can do with shared applications. This has been highlighted in [1] and
the plan is to address this as part of the APIM 2.2.0 release.

There are two types of users, the *App owner* who creates the App and
the *shared user* who is able to view the App that is shared with them by the App
owner.

*Current issues*
1. Product allows shared users to attempt updating Apps that are not owned
by them, which leads to errors because they do not have the required
permissions.

2. Product allows shared users to delete Apps that are not owned by them,
which violates the Application ownership concept.

The plan to address this is as follows:

*Solution*
1. *App Owner*: Has the ability to delete/update Apps owned by them.

2. *Shared user*: Has only read-only access to Apps shared with them (cannot
delete/update).
Deletion and updating of Apps will be restricted at the API Store UI level. App
ownership will be checked before performing an App update/delete on the server
side in order to enforce this for REST API calls.

3. *Admin shared user*: Has the ability to delete/update Apps shared with them.
The reason for this is to address practical issues that take place when the
App owner leaves an organization and there needs to be some way to
delete/update such an Application.


Please give your feedback on the above.


[1] https://github.com/wso2/product-apim/issues/2690
-- 
Regards,
Uvindra

Mobile: 33962
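The server-side ownership check that the proposal above calls for, with the adjustments the thread later settled on (shared users may view and manage subscriptions, key regeneration stays with the owner, and the "admin shared user" is dropped in favour of the admin API for changing an Application's owner), as an added example that is not code from this thread or from WSO2 APIM. The `Op`, `User` and `Application` types, the `"admin"` role name and the group-based sharing model are assumptions made for the example; the point it shows is that the decision is taken in the request handler, so a direct REST call is refused the same way a Store UI action is.

```python
"""Server-side authorization for shared Applications.

Added example, not code from the thread or from WSO2 APIM. Op, User,
Application, the "admin" role name and group-based sharing are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Op(Enum):
    VIEW = "view"
    UPDATE = "update"
    DELETE = "delete"
    VIEW_SUBSCRIPTIONS = "view_subscriptions"
    ADD_SUBSCRIPTION = "add_subscription"
    REMOVE_SUBSCRIPTION = "remove_subscription"
    REGENERATE_KEYS = "regenerate_keys"
    CHANGE_OWNER = "change_owner"


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()  # groups an App can be shared with
    roles: FrozenSet[str] = frozenset()   # e.g. {"admin"}


@dataclass
class Application:
    app_id: str
    owner: str
    shared_groups: FrozenSet[str] = frozenset()  # chosen by the owner when sharing


ADMIN_ROLE = "admin"  # assumed role name

# Everything a shared (non-owner) user may do: read the App, manage subscriptions.
SHARED_USER_OPS = frozenset({
    Op.VIEW, Op.VIEW_SUBSCRIPTIONS, Op.ADD_SUBSCRIPTION, Op.REMOVE_SUBSCRIPTION,
})


def is_owner(user: User, app: Application) -> bool:
    return user.name == app.owner


def is_shared_with(user: User, app: Application) -> bool:
    return bool(user.groups & app.shared_groups)


def authorize(user: User, app: Application, op: Op) -> bool:
    """Default-deny decision from ownership, sharing and role."""
    if op is Op.CHANGE_OWNER:
        return ADMIN_ROLE in user.roles   # admin API, not a Store operation
    if is_owner(user, app):
        return True
    if is_shared_with(user, app):
        return op in SHARED_USER_OPS
    return False


def handle(user: User, app: Application, op: Op,
           new_owner: Optional[str] = None) -> int:
    """Simulated REST handler returning an HTTP status code. The ownership
    check runs here, server side, so hiding a button in the Store UI is a
    usability measure and not what enforces the rule."""
    if not authorize(user, app, op):
        return 403
    if op is Op.CHANGE_OWNER:
        if not new_owner:
            return 400
        app.owner = new_owner
    return 200


def demo() -> Dict[str, int]:
    """Run the cases raised in the thread; returns case name -> status."""
    alice = User("alice")                                   # App owner
    bob = User("bob", groups=frozenset({"team-a"}))         # shared user
    carol = User("carol")                                   # unrelated user
    admin = User("root", roles=frozenset({ADMIN_ROLE}))
    app = Application("app-1", owner="alice", shared_groups=frozenset({"team-a"}))
    results = {
        "owner_update": handle(alice, app, Op.UPDATE),
        "shared_view": handle(bob, app, Op.VIEW),
        "shared_add_subscription": handle(bob, app, Op.ADD_SUBSCRIPTION),
        "shared_update": handle(bob, app, Op.UPDATE),            # issue 1
        "shared_delete": handle(bob, app, Op.DELETE),            # issue 2
        "shared_regenerate_keys": handle(bob, app, Op.REGENERATE_KEYS),
        "unrelated_view": handle(carol, app, Op.VIEW),
        "shared_change_owner": handle(bob, app, Op.CHANGE_OWNER, "bob"),
        # The owner has left the organization: an admin transfers the App.
        "admin_change_owner": handle(admin, app, Op.CHANGE_OWNER, "bob"),
    }
    results["new_owner_delete"] = handle(bob, app, Op.DELETE)
    results["old_owner_delete"] = handle(alice, app, Op.DELETE)
    return results
```

Membership in `shared_groups` is checked on every request rather than cached with the session, so removing a user from the group or transferring ownership takes effect immediately; the last two cases in `demo()` show the transfer flipping who may delete.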