  1. JOC - JobScheduler Operations Center
  2. JOC-1228

Merge Permissions from all required Identity Services


Details

    Description

      Current Situation

      When there is more than one required Identity Service, the permissions of the Identity Service with the highest ordering are assigned to the user account's access token for the current session.

      Desired Behavior

      When there is more than one enabled and required Identity Service then permissions of all required Identity Services should be merged.

      Permissions provided by an Identity Service of type VAULT cannot be merged as a login would be required to retrieve policies from the Vault-Server.

      Test Cases

      There is no enabled Identity Service that is required.

      Then no merge takes place. The roles, permissions and folders of the first Identity Service with a successful login will be used.

      There is at least one enabled Identity Service that is required

      JOC Cockpit permissions and Controller permissions, roles and folders will be merged.

      • All permissions and folders for JOC Cockpit
      • All permissions and folders for Controller Default
      • And per specific Controller each corresponding permission set and folders
      When a user account logs in, the account
      • is assigned merged permissions of all roles of all required Identity Services
      • is assigned merged permissions of all folders of all required Identity Services
        • Recursive folders beat non-recursive folders
      • is assigned the merged permissions of all required Identity Services
        • Excluded permissions beat included permissions
      Example

      There are two required Identity Services I1 and I2

      • There is a user account u1 in I1 and I2
        • u1 has in I1 the role A
        • A in I1 has the permission x
        • u1 has in I2 the roles A,B
        • A in I2 has the permission y
        • B in I2 has the permission -x (the permission x is revoked).
          ==> Result: u1 has the permission y
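
The merge rules above (excluded beats included, recursive beats non-recursive, VAULT left out of the merge), worked through on the u1 example. This is an added sketch, not JOC Cockpit code: the class and function names, the service type labels other than VAULT, the folder paths and the reading of "cannot be merged" as "skipped" are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class IdentityService:                 # hypothetical model, not a JOC class
    name: str
    type: str                          # "VAULT" is from the page; other labels are constructed
    required: bool
    role_permissions: dict             # role -> permissions; "-x" revokes x
    account_roles: dict                # account -> roles held in this service
    role_folders: dict = field(default_factory=dict)  # role -> [(path, recursive)]

def merge_for_account(account, services):
    """Merge roles, permissions and folders of all required, non-VAULT services."""
    included, excluded, roles, folders = set(), set(), set(), {}
    for svc in services:
        if not svc.required or svc.type == "VAULT":
            continue  # assumption: VAULT policies need a Vault login, so they are skipped
        for role in svc.account_roles.get(account, []):
            roles.add(role)
            for perm in svc.role_permissions.get(role, []):
                if perm.startswith("-"):
                    excluded.add(perm[1:])
                else:
                    included.add(perm)
            for path, recursive in svc.role_folders.get(role, []):
                # Recursive beats non-recursive for the same folder path
                folders[path] = folders.get(path, False) or recursive
    # Excluded beats included, no matter which service granted the permission
    return {"roles": roles, "permissions": included - excluded, "folders": folders}

# Constructed data mirroring the page's example (folders and V are extra, constructed)
I1 = IdentityService("I1", "JOC", True, {"A": ["x"]}, {"u1": ["A"]},
                     {"A": [("/sales", False)]})
I2 = IdentityService("I2", "LDAP", True, {"A": ["y"], "B": ["-x"]},
                     {"u1": ["A", "B"]}, {"A": [("/sales", True)]})
V = IdentityService("V", "VAULT", True, {"A": ["z"]}, {"u1": ["A"]})

RESULT = merge_for_account("u1", [I1, I2, V])

if __name__ == "__main__":
    print(RESULT)
```

The revocation in I2 removes a permission that only I1 granted, so a deny in any required service overrides a grant in every other one.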

          People

            Uwe Risse
            Kanika Agrawal