IAM Team,

Currently we don't have an exclusive permission to log in to the user portal;
we use "/permission/admin/login". I think we need to have a dedicated
permission for that. Why?

1. There is no way to allow users to log in to the user portal but restrict
them from logging in to the management console.

2. We could give this new permission to the "INTERNAL/everyone" role, so that
any new users added to the system, via admin console, SCIM, self sign-up or
JIT provisioning, will be able to log in to the user portal. If we don't
want that, we can simply take that permission off the "INTERNAL/everyone"
role.

I could think of further improving 2 above by having separate roles for
each of the following scenarios:
    a) Admin created users (Resident SP) - one role for all
    b) JIT provisioned users - one role per IdP
    c) Self sign-up users - we already have the "selfsignup" role from IS 5.3.0 onwards
    d) External service provider created users via SCIM - one role per SP
All the above roles can have the new permission, which can be selectively
taken off if not needed. In addition, we can use these roles to manage
permissions for these well-known groups of users who came from the same
source.

I stumbled upon this issue when I was trying to do the "Email verification and
password request" scenario. Once I clicked the link in the email that was
sent to my inbox, confirmed, updated my new password and confirmed it, I
was sent to the user portal to log in. But since I didn't have the required
authorization set up, I failed to log in. A bit of a bad user experience there.

Shall we try to introduce a new permission for user portal and give it by
default to "INTERNAL/everyone" for IS 5.4.0?

Thanks & Regards,
Johann.

-- 

Johann Dilantha Nallathamby
Senior Lead Solutions Engineer
WSO2, Inc.
lean.enterprise.middleware

Mobile - +94777776950
Blog - http://nallaa.wordpress.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
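Added example, not code from the mail or from WSO2 Identity Server: a small model of hierarchical permission checks showing why a dedicated user-portal permission separates portal login from management-console login, and what happens when it is taken off "INTERNAL/everyone". The user-portal permission path, the role table and the users are assumptions made for the example.

```python
from typing import Dict, Set

# The management-console path is the one quoted in the mail; the user-portal
# path is an assumed placeholder, not an actual Identity Server permission.
MGT_CONSOLE_LOGIN = "/permission/admin/login"
USER_PORTAL_LOGIN = "/permission/admin/login/userportal"  # assumption

RolePerms = Dict[str, Set[str]]


def grants(assigned: str, requested: str) -> bool:
    """Tree semantics: an assigned node covers itself and every descendant path."""
    return requested == assigned or requested.startswith(assigned.rstrip("/") + "/")


def is_authorized(user_roles: Set[str], role_perms: RolePerms, requested: str) -> bool:
    """True if any of the user's roles carries a permission covering `requested`."""
    return any(grants(p, requested)
               for role in user_roles
               for p in role_perms.get(role, set()))


def revoke(role_perms: RolePerms, role: str, permission: str) -> RolePerms:
    """Return a copy of the role table with `permission` removed from `role`."""
    updated = {r: set(ps) for r, ps in role_perms.items()}
    updated.get(role, set()).discard(permission)
    return updated


# Constructed role table following the proposal: admins hold the whole
# /permission/admin subtree, everyone and selfsignup users only the portal login.
PROPOSED: RolePerms = {
    "admin": {"/permission/admin"},
    "INTERNAL/everyone": {USER_PORTAL_LOGIN},
    "selfsignup": {USER_PORTAL_LOGIN},
}

# Constructed users; every user is implicitly a member of INTERNAL/everyone.
USERS = {
    "alice": {"admin", "INTERNAL/everyone"},
    "bob": {"INTERNAL/everyone"},                  # admin-console, SCIM or JIT user
    "carol": {"INTERNAL/everyone", "selfsignup"},  # self sign-up user
}


def portal_and_console_access(role_perms: RolePerms, portal_perm: str = USER_PORTAL_LOGIN):
    """Map each user to (can_use_user_portal, can_use_management_console).

    Passing portal_perm=MGT_CONSOLE_LOGIN reproduces today's setup, where the
    portal is gated by the management-console login permission."""
    return {u: (is_authorized(r, role_perms, portal_perm),
                is_authorized(r, role_perms, MGT_CONSOLE_LOGIN))
            for u, r in USERS.items()}
```

With the proposed table, alice gets both, bob and carol get the portal only; gating the portal on `MGT_CONSOLE_LOGIN` instead (today's setup) locks bob out, which is the failed login described in the mail.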
