Yes, having a dedicated permissions string would be best IMO. Can we
finalize on a permissions string for this?

@IS Team, what is the plan for applying the Dynamic Client Registration PR
to the release branch? We need to make a decision whether we're going to
use this one or the one we have locally at the moment to proceed. Also, we
need to decide where to provide feature enhancements such as the one being
discussed on this thread.

Thanks,
NuwanD.

On Tue, Mar 1, 2016 at 6:28 PM, Malintha Amarasinghe <malint...@wso2.com>
wrote:

> Hi Darshana,
>
> Thanks for the quick response.  I will go through the link.
>
> Thanks,
> Malintha
> On Mar 1, 2016 5:09 PM, "Darshana Gunawardana" <darsh...@wso2.com> wrote:
>
>> Hi Malintha,
>>
>> Yes, the better option is to create new permissions for DCR, rather
>> than reusing already defined permissions. You can refer to [1] to see how
>> the recently developed IS workflow component defined its permission model
>> and its hierarchy.
>>
>> [1]
>> http://cdwijayarathna.blogspot.com/2016/01/permission-model-of-wso2-is-workflow.html
>>
>> Thanks,
>>
>> On Tue, Mar 1, 2016 at 6:20 AM, Malintha Amarasinghe <malint...@wso2.com>
>> wrote:
>>
>>> Hi All,
>>>
>>> Currently the Dynamic Client Registration (DCR) module in API Manager [1]
>>> allows creating OAuth applications irrespective of user permissions. That
>>> might lead to problems as any user can directly create Apps which might be
>>> unusable and they can flood the system too.
>>>
>>> Currently in API Manager we have the following permissions defined.
>>>
>>> /permission/admin/manage/api/create
>>> /permission/admin/manage/api/publish
>>> /permission/admin/manage/api/subscribe
>>>
>>> We initially thought of letting a user create OAuth apps through DCR
>>> only if the user has any of the above permissions. But it then allows *ALL*
>>> creators/subscribers and publishers to create OAuth apps through DCR and we
>>> cannot restrict that.
>>>
>>> Hence, we are suggesting to use a new permission for creating an OAuth app
>>> using DCR. Then we can specifically choose which user can access DCR.
>>>
>>> Please share your thoughts.
>>>
>>> PS:
>>> As per [2] current DCR module of API Manager will be moved as an IS
>>> component.
>>>
>>> Thanks,
>>> Malintha
>>>
>>> [1]
>>> https://github.com/wso2/carbon-apimgt/tree/master/components/apimgt/org.wso2.carbon.apimgt.rest.api.dcr/src/main/java/org/wso2/carbon/apimgt/rest/api/dcr/web
>>> [2] https://github.com/wso2/carbon-identity/pull/1712/files
>>>
>>> --
>>> Malintha Amarasinghe
>>> Software Engineer
>>> *WSO2, Inc. - lean | enterprise | middleware*
>>> http://wso2.com/
>>>
>>> Mobile : +94 712383306
>>>
>>
>>
>>
>> --
>> Regards,
>>
>>
>> *Darshana Gunawardana*
>> Senior Software Engineer
>> WSO2 Inc.; http://wso2.com
>>
>> *E-mail: darsh...@wso2.com*
>> *Mobile: +94718566859*
>> Lean . Enterprise . Middleware
>>
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Nuwan Dias

Technical Lead - WSO2, Inc. http://wso2.com
email : nuw...@wso2.com
Phone : +94 777 775 729
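
The two options weighed in this thread, as an added example that is not part of the original messages and is not WSO2 code. It assumes a permission tree in which a grant on a node also covers its descendants; `DCR_PERMISSION_PLACEHOLDER` and the sample users are constructed, since the thread has not settled on a permission string.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DcrPermissionCheck {
    // Permissions quoted in the thread.
    static final List<String> EXISTING = List.of(
            "/permission/admin/manage/api/create",
            "/permission/admin/manage/api/publish",
            "/permission/admin/manage/api/subscribe");
    // Hypothetical placeholder: no DCR permission string has been agreed yet.
    static final String DCR = "/permission/admin/manage/DCR_PERMISSION_PLACEHOLDER";

    // Assumed hierarchy rule: a grant covers its own node and everything below it.
    // Matching on "<grant>/" keeps ".../api" from covering a sibling like ".../apiX".
    static boolean covers(String granted, String required) {
        String g = granted.endsWith("/") ? granted.substring(0, granted.length() - 1) : granted;
        return required.equals(g) || required.startsWith(g + "/");
    }

    static boolean has(Set<String> grants, String required) {
        return grants.stream().anyMatch(g -> covers(g, required));
    }

    // Option first considered: any existing API permission opens DCR.
    static boolean allowByReuse(Set<String> grants) {
        return EXISTING.stream().anyMatch(p -> has(grants, p));
    }

    // Option proposed: only the dedicated permission opens DCR.
    static boolean allowByDedicated(Set<String> grants) {
        return has(grants, DCR);
    }

    public static void main(String[] args) {
        // Constructed sample users and their granted permission nodes.
        Map<String, Set<String>> users = new LinkedHashMap<>();
        users.put("subscriber", Set.of("/permission/admin/manage/api/subscribe"));
        users.put("dcr-creator", Set.of("/permission/admin/manage/api/create", DCR));
        users.put("manage-admin", Set.of("/permission/admin/manage"));
        users.put("no-perms", Set.of());
        users.forEach((name, grants) -> System.out.printf(
                "%-12s reuse=%-5b dedicated=%b%n",
                name, allowByReuse(grants), allowByDedicated(grants)));
    }
}
```

Under the assumed hierarchy rule, where the new permission sits in the tree decides who inherits it: a role holding the parent node passes the dedicated check without an explicit DCR grant.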