On Fri, Sep 1, 2017 at 12:55 AM, Johann Nallathamby <joh...@wso2.com> wrote:
> IAM Team,
>
> Currently we don't have an exclusive permission to login to the user
> portal; we use "/permission/admin/login". I think we need to have a
> dedicated permission for that. Why?
>
> 1. No way to allow users to login to user portal but restrict users from
> logging in to management console.
>
> 2. We could give this new permission to "INTERNAL/everyone" role. So that
> any new users added to the system, via admin console, SCIM, Self sign-up or
> JIT provisioning, will be able to login to the user portal. If we don't
> want that we can simply take off that permission from the
> "INTERNAL/everyone" role.
>
> I could think of further improving 2 above, by having separate roles for
> each of the following scenarios.
> a) Admin created users (Resident SP) - one role for all
> b) JIT provisioned users - one role per IdP
> c) Self signup users - we already have "selfsignup" role from IS 5.3.0
> onwards.
> d) External service provider created users via SCIM - one role per SP
> All the above roles can have the new permission, and selectively taken off
> if not needed. In addition we can use these roles to manage permissions for
> these well known groups of users who came from the same source.
>
> I stumbled upon this issue when I was trying to do "Email verification and
> password request" scenario. Once I clicked the link in the email that was
> sent to my inbox, and confirmed, and updated my new password and confirmed it, I
> was sent to the user portal to login. But since I didn't have the required
> authorization setup I failed to login. Bit of a bad user experience there.
>
> Shall we try to introduce a new permission for user portal and give it by
> default to "INTERNAL/everyone" for IS 5.4.0?

+1 for this. We must address this for IS 5.4.0. https://wso2.org/jira/browse/IDENTITY-6390

> Thanks & Regards,
> Johann.
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture