IMO it is an Admin API. Only an admin will need to know who the users in a role are. A process user will not need to know who the users in a group in the user-store are. Hmm.. Violating privacy? :)
But a process user is only interested in getting the user list for task delegation (the assignable user list for a task). This is a user API. We can't use the above get userList for this purpose. User delegation requires a special API, which does additional validation such as excluding non-assignable users, union/intersect of groups or users, etc.

Thanks,
Hasitha.

On Wed, May 4, 2016 at 9:23 PM, Manuranga Perera <m...@wso2.com> wrote:

> So will getting a list of users for a role (in IS) be an admin or user task?
>
> On Wed, May 4, 2016 at 11:42 AM, Hasitha Aravinda <hasi...@wso2.com> wrote:
>
>> Hi Manu,
>>
>> In my point of view, we have to decide it based on what the API does and who
>> the actual users involved are.
>>
>> In BPS, we have two sets of users: workflow participants and admin
>> users/devOps of the BPS. Based on these users we can categorize BPS APIs
>> into two sets.
>>
>> - Admin APIs : There are a few APIs, like the artifact deployer API,
>>   accessed only by administrators of the server or devOps.
>>
>> - User APIs : BPMN Rest API and HumanTask API are user APIs, because
>>   these APIs are only accessed by participants of processes and user tasks.
>>   We can argue some of the operations are admin operations, but those are
>>   business admin operations. These resources/operations need to be
>>   authorized using an ACL, based on the current user and his role in the
>>   workflow or user-task.
>>
>> For example in HumanTask [1], we have several roles, i.e. Business
>> Administrator, Potential Owners, Excluded Owners, Stakeholders etc. Based
>> on the current user and his role in the defined task, users are authorized
>> to perform an operation.
>>
>> IMO having a clear separation between User API and Admin API may be
>> important when securing these APIs separately.
>>
>> [1] - http://docs.oasis-open.org/bpel4people/ws-humantask-1.1-spec-cs-01.html#_Toc261430341
>>
>> Thanks,
>> Hasitha.
>>
>> On Wed, May 4, 2016 at 7:55 PM, Manuranga Perera <m...@wso2.com> wrote:
>>
>>> How do we define an admin vs non-admin API?
>>> Is getting a list of users different from getting the list of processes?
>>>
>>> A customer-written UI may have to call both. We can argue that some
>>> things are 100% admin, e.g. shutdown server. But to me this seems like an
>>> arbitrary decision.
>>>
>>> On Wed, May 4, 2016 at 12:14 AM, Hasitha Aravinda <hasi...@wso2.com> wrote:
>>>
>>>> Another thing: we need to consider exposing different ports for user
>>>> APIs and Admin APIs to have a clear separation. In C4 all user and admin
>>>> APIs are exposed on 9443 and 9763. AFAIK this is not supported in the
>>>> current MSF4J OSGi version.
>>>>
>>>> Thanks,
>>>> Hasitha.
>>>>
>>>> On Wed, May 4, 2016 at 9:26 AM, Nandika Jayawardana <nand...@wso2.com> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> In all the carbon platform versions up to now, we used the 9443 and 9763
>>>>> ports for admin services for all server products. Are we going to use the
>>>>> same ports for C5?
>>>>>
>>>>> Regards
>>>>> Nandika
>>>>>
>>>>> --
>>>>> Nandika Jayawardana
>>>>> WSO2 Inc ; http://wso2.com
>>>>> lean.enterprise.middleware
>>>>>
>>>>> _______________________________________________
>>>>> Architecture mailing list
>>>>> Architecture@wso2.org
>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>
>>>> --
>>>> --
>>>> Hasitha Aravinda,
>>>> Senior Software Engineer,
>>>> WSO2 Inc.
>>>> Email: hasi...@wso2.com
>>>> Mobile : +94 718 210 200
>>>
>>> --
>>> With regards,
>>> *Manu*ranga Perera.
>>>
>>> phone : 071 7 70 20 50
>>> mail : m...@wso2.com
>>
>> --
>> --
>> Hasitha Aravinda,
>> Senior Software Engineer,
>> WSO2 Inc.
>> Email: hasi...@wso2.com
>> Mobile : +94 718 210 200
>
> --
> With regards,
> *Manu*ranga Perera.
>
> phone : 071 7 70 20 50
> mail : m...@wso2.com

--
--
Hasitha Aravinda,
Senior Software Engineer,
WSO2 Inc.
Email: hasi...@wso2.com
Mobile : +94 718 210 200
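The distinction drawn in the thread between an admin "users in a role" lookup and a user-facing delegation API, as an added example (not part of the original thread and not WSO2 BPS code): authorization is decided from the caller's role in one task, and the assignable list is the union of the potential-owner groups minus excluded owners. The group data, operation names, `POLICY` table and function names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store: group name -> members.
GROUPS = {"clerks": {"alice", "bob", "carol"}, "managers": {"carol", "dave"}}

# Illustrative policy (an assumption, not the WS-HumanTask table):
# task roles allowed to call each user-API operation. Unlisted means denied.
POLICY = {
    "view": {"actual_owner", "potential_owner", "business_administrator", "stakeholder"},
    "claim": {"potential_owner"},
    "list_assignable_users": {"actual_owner", "business_administrator"},
}

@dataclass
class Task:
    potential_owner_groups: set
    excluded_owners: set = field(default_factory=set)
    business_administrators: set = field(default_factory=set)
    stakeholders: set = field(default_factory=set)
    actual_owner: Optional[str] = None

def candidates(task):
    """Union of the potential-owner groups, minus excluded owners."""
    users = set()
    for group in task.potential_owner_groups:
        users |= GROUPS.get(group, set())
    return users - task.excluded_owners

def roles_in_task(user, task):
    """Roles the caller holds in this one task, not server-wide."""
    roles = set()
    if user == task.actual_owner:
        roles.add("actual_owner")
    if user in task.business_administrators:
        roles.add("business_administrator")
    if user in task.stakeholders:
        roles.add("stakeholder")
    if user in candidates(task):
        roles.add("potential_owner")
    return roles

def authorize(user, operation, task):
    return bool(roles_in_task(user, task) & POLICY.get(operation, set()))

def assignable_users(caller, task):
    """User API: only users this task can be delegated to, never a raw role dump."""
    if not authorize(caller, "list_assignable_users", task):
        raise PermissionError(f"{caller} may not list assignees for this task")
    return sorted(candidates(task) - {task.actual_owner})
```

A caller who is only a stakeholder or potential owner can view or claim the task but gets `PermissionError` from `assignable_users`, so the user API never doubles as a user-store enumeration endpoint.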