Hi Amalka, Apparently when the AppOwner logs in without a groupId, he/she sees all the Apps (even the one's created with different groupIds) in the same screen. So the problem would only be there for AppDevelopers.
Answering to your query; it depends on how you get the group Id. If we assume that SSO is enabled at Store, when trying to login directly to Store, users (only talking about App Owners here) will be re-directed to an IDP, and whatever the groupId set from IDP will be used for fetching Apps. If the IDP doesn't set a groupId, all the apps will be shown. On Thu, Jan 14, 2016 at 8:35 AM, Amalka Subasinghe <ama...@wso2.com> wrote: > > With this Amila's explanation; when a appowner login to the APIM via two > different apps of AF, will see two different views in APIM. > If the same appowner login to the APIM directly, what will he see in APIM? > > I believe when a user login to the APIM; (either via AF or directly), he > should see the same view every time. (if that user belongs to two different > groups he should see all subscriptions belongs to all groups). > > > On Wed, Jan 13, 2016 at 11:05 PM, Amila De Silva <ami...@wso2.com> wrote: > >> Hi Danushka/Amalka, >> >> It's not that the scenario of user belonging to two or more groups is not >> supported in the current version. It's only that the way it currently >> happens slightly differs from how you need it. >> >> What we are basically trying to achieve is, displaying Apps, >> subscriptions when user belongs to two or more groups. A single user can >> have many group Ids, but in a single session user can only have one group >> Id. >> AFAIU, with the existing implementation following can be achieved; >> 1. AppOwner creates 2 Apps in AppF , App1 (with groupId as >> appowner1_app1) and App2 (groupId being appowner1_app2). >> 2. I assume Apps in APIM gets automatically created while doing 1. >> 3. AppOwner selects App1 in AppF and tries to see the relevant App in >> APIM. >> 4. AppOwner is re-directed to API Store with groupId set as >> appowner1_app1 (need to discuss how/where this is set) >> 5. AppOwner is logged into the Store as a user with groupId >> appowner1_app1, therefore only sees App1. >> 6. AppOwner logs out from Store. >> 7. AppOwner goes to AppF and selects App2, follows a link that re-directs >> to APIMStore. >> 8. AppOwner now goes to Store as a user in appowner1_app2 group, so only >> sees App2. >> >> To view each App, user would need to make a trip back to the AppF. It >> might be possible eliminate step 6, and if it's so, we might have to change >> subscription.jag (and several other jags) to clear out the groupId set in >> the session, and set the one coming with the request. There are few points >> that needs to be discussed more with the above steps, but this would be the >> way it would look like. >> >> It's true that the default group Id extractor gets the group Id from >> http://wso2.org/claims/organization claim, but it doesn't have to be >> like that in every case. In the very first time it was written thinking >> that Group ID is coming with the SAML Response sent back from IDp. >> >> On Wed, Jan 13, 2016 at 6:37 PM, Danushka Fernando <danush...@wso2.com> >> wrote: >> >>> Hi Nuwan >>> The issue of adding extension to cloud is we have to add it to API cloud >>> and it will affect all API cloud users who don't use APP cloud also. >>> And since multiple groups per user seems to be a valid use case how >>> complex will this be to implement? >>> >>> Thanks & Regards >>> Danushka Fernando >>> Senior Software Engineer >>> WSO2 inc. http://wso2.com/ >>> Mobile : +94716332729 >>> >>> >>> On Jan 13, 2016 3:53 PM, "Lakshman Udayakantha" <lakshm...@wso2.com> >>> wrote: >>> >>>> Hi Nuwan, >>>> >>>> Even though we have extracted multiple group ids using group id >>>> extractor, DAO classes use one group id to extract the applications and >>>> subscriptions. I think we have to implement to get all the applications and >>>> subscriptions if user are in several groups. >>>> >>>> Thanks >>>> >>>> On Wed, Jan 13, 2016 at 2:18 PM, Nuwan Dias <nuw...@wso2.com> wrote: >>>> >>>>> >>>>> >>>>> On Wed, Jan 13, 2016 at 12:32 PM, Amalka Subasinghe <ama...@wso2.com> >>>>> wrote: >>>>> >>>>>> Hi Nuwan, >>>>>> >>>>>> We need APIM support to show subscribed API, when there's 1 user >>>>>> assigned to 2 user groups. >>>>>> >>>>>> *Our current AF APIM integration flow works as follows.* >>>>>> >>>>>> let's say we have a tenant foo.com and users - appowner1 and >>>>>> developer1 >>>>>> App owner1 creates an AF application 'AFapp1' and assign devloper1 as >>>>>> a developer of that application. >>>>>> according to the current implementation only the appowner1 can >>>>>> subscribe to the APIM API. >>>>>> [When appowner1 login to the APIM, we create an application 'AFapp1' >>>>>> in APIM side and selecting that application appowner1 can subscribe to an >>>>>> API] >>>>>> Then appowner1 can see subscribed APIs in AF side, where developers >>>>>> can't see that API. >>>>>> >>>>>> So we need to implement APIM group subscriptions in AF. >>>>>> to implement it we have to set the organization claim (as eg: >>>>>> 'foo.com_AFapp1') for appowner1 and developer1. >>>>>> Then both users can see the subscribed API. >>>>>> >>>>>> *We have another use case;* >>>>>> basically our user grouping happens per AF application and 1 user can >>>>>> be in 2 groups >>>>>> >>>>>> Let's say appowner1 creates an another application AFapp2 >>>>>> then appowner1 is belongs to 2 user groups. So we need to assign two >>>>>> values for the organization claim. (foo.com_AFapp1, foo.com_AFapp2) >>>>>> appowner1 want to see subscribed API in APIM side based on that 2 >>>>>> organizations. >>>>>> >>>>>> As I know, APIM does not support this when there's a more than 1 >>>>>> group assigned for the organization claim. >>>>>> But this is a required use case for the AF/cloud, and we can't >>>>>> customize the GroupingExtractor due to maintainability issues in cloud. >>>>>> >>>>>> Can this improvement provide by APIM? >>>>>> >>>>> >>>>> It can be done. But we've already done product plans for releases >>>>> covering the year. It might take time to get this into the product as a GA >>>>> release. I guess the timely solution is to customize the >>>>> GroupingExtractor. >>>>> >>>>> What maintainability concerns do you have? If a standard extension >>>>> point in the product is a maintainability concern it makes no sense to >>>>> have >>>>> those extension points at all. So I would like to understand those >>>>> concerns >>>>> and improve if possible. >>>>> >>>>>> >>>>>> Thanks >>>>>> Amalka >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Tue, Jan 12, 2016 at 1:42 PM, Amalka Subasinghe <ama...@wso2.com> >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> Currently only the app owner allows to subscribed to an API, >>>>>>> generate keys and see subscribed APIs, where other users are not >>>>>>> allowed as >>>>>>> showed in the below table. >>>>>>> >>>>>>> >>>>>>> Subscribe to API Generate Keys View subscribed APIs in AF side View >>>>>>> Prod keys in AF side View Sandbox keys in AF side App owner Y Y Y Y >>>>>>> Y Developer >>>>>>> >>>>>>> >>>>>>> >>>>>>> Y QA >>>>>>> >>>>>>> >>>>>>> >>>>>>> Y DevOps >>>>>>> >>>>>>> >>>>>>> Y Y >>>>>>> We want to improve the AF - APIM integration as follows. So we need >>>>>>> implement $subject. >>>>>>> 1. making both app owner and developer can subscribe to an API and >>>>>>> generate keys >>>>>>> 2. making all users to see subscribed API per application >>>>>>> >>>>>>> >>>>>>> Subscribe to API Generate Keys View subscribed APIs in AF side View >>>>>>> Prod keys in AF side View Sandbox keys in AF side App owner Y Y Y Y >>>>>>> Y Developer Y Y Y >>>>>>> Y QA >>>>>>> >>>>>>> Y >>>>>>> Y DevOps >>>>>>> >>>>>>> Y Y Y >>>>>>> *Things to do:* >>>>>>> >>>>>>> 1. All the users of a particular app we need to maintain as a group. >>>>>>> >>>>>>> In APIM side they uses http://wso2.org/claims/organization claim to >>>>>>> group the users. We have to set this claim (eg: app key as the value of >>>>>>> the >>>>>>> claim) when appowner or developer try to click on 'Go to API Manager' >>>>>>> button. >>>>>>> Currently we use a role app_appName to group the users of a >>>>>>> particular application in AF. If we use this we have to implement a >>>>>>> custom >>>>>>> grouping extractor to get the users of a particular group. >>>>>>> >>>>>>> >>>>>>> *Issues: *a. Since we don't set the claim for QA and DevOps users, >>>>>>> they can't view subscribed APIs in AF side, and If we add the claim they >>>>>>> also will be able to subscribe to APIs and generate keys. So we need to >>>>>>> find a way to view subscribed api for a particular application by QA and >>>>>>> Devops users. >>>>>>> b. With this implementation Developer can see prod keys also. >>>>>>> >>>>>>> >>>>>>> 2. Make Go to API Manager and Sync Keys buttons enabled only to >>>>>>> appowner and developer. >>>>>>> For this we can use resource permissions we already have. >>>>>>> >>>>>>> >>>>>>> 3. Need to improve/test all the rest calls we do with APIM to work >>>>>>> with groups and fix if there's any issue. >>>>>>> >>>>>>> - Login - When user clicks on 'Go to API Manager' button of a >>>>>>> particular app, it should login to APIM and show the subscribed APIs, >>>>>>> listed under selected application. >>>>>>> - Create application >>>>>>> - Remove application >>>>>>> - Get published APIs by application >>>>>>> - List subscription >>>>>>> - Get applications >>>>>>> >>>>>>> [1] https://wso2.org/jira/browse/APPFAC-3217 >>>>>>> >>>>>>> Thanks >>>>>>> Amalka >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Amalka Subasinghe >>>>>> Senior Software Engineer >>>>>> WSO2 Inc. >>>>>> Mobile: +94 77 9401267 >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Nuwan Dias >>>>> >>>>> Technical Lead - WSO2, Inc. http://wso2.com >>>>> email : nuw...@wso2.com >>>>> Phone : +94 777 775 729 >>>>> >>>>> _______________________________________________ >>>>> Dev mailing list >>>>> Dev@wso2.org >>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>>> >>>>> >>>> >>>> >>>> -- >>>> Lakshman Udayakantha >>>> WSO2 Inc. www.wso2.com >>>> lean.enterprise.middleware >>>> Mobile: *0714388124* >>>> >>>> >>>> _______________________________________________ >>>> Dev mailing list >>>> Dev@wso2.org >>>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>>> >>>> >>> _______________________________________________ >>> Dev mailing list >>> Dev@wso2.org >>> http://wso2.org/cgi-bin/mailman/listinfo/dev >>> >>> >> >> >> -- >> *Amila De Silva* >> >> WSO2 Inc. >> mobile :(+94) 775119302 >> >> > > > -- > Amalka Subasinghe > Senior Software Engineer > WSO2 Inc. > Mobile: +94 77 9401267 > -- *Amila De Silva* WSO2 Inc. mobile :(+94) 775119302
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
