  1. JOC - JobScheduler Operations Center
  2. JOC-1268

JOC Cockpit should show permissions for user accounts

Details

    • Feature
    • Status: Released
    • Minor
    • Resolution: Fixed
    • 2.2.3
    • 2.3.0
    • None
    • None

    Description

      Current Situation

      For a user account that is logged in, the permissions are displayed in the profile.

      Desired Behavior

      The permissions view

      • should have a section for JOC Cockpit permissions.
      • should have a section for Controller default permissions.
      • should have a section for permissions specific for a Controller.
      • the currently displayed permissions that are specific to a Controller should be modifiable by a Combobox.

      In the Manage Identity Service view in section Accounts

      • The permissions for each account should be displayed with the same view as used in the profile.
      • The view displays permissions as applied when the user account is logged in.
      • If we find a number of required Identity Services, then the merged permissions for the user account, including permissions from any required Identity Service, are displayed.
      • If we find no required Identity Service, the permissions for the selected account in the actual Identity Service are shown.
        • If the same account is also configured in another Identity Service, possibly with a different password, it is indeterminate which Identity Service is used when the account logs in: this depends on the ordering of the Identity Services and on the password used. It could be determined if it were possible to identify whether the passwords are the same, but this is not possible because a random salt is used to create the hash, so the hash for the same password differs. Therefore the permissions are shown for the actual Identity Service, independent of whether the account is also configured in another Identity Service or whether the Identity Service is enabled or disabled.
      • The permissions for an Identity Service of type VAULT cannot be merged, as the roles are known only at the point in time of login. A login by the API is not possible as the password is unknown.

      To achieve this, a new web service is created:

      /iam/account/permissions

      {"identityServiceName":"JOC-myIdentityService","accountName":"myAccount"}

      Example

      • Identity Service I1 (not required)
        • has role R1
          • has permission P1
      • Identity Service I2 (required)
        • has role R2
          • with permission P2a,P2b
      • Identity Service I3 (required)
        • has role R2
          • with permission -P2b
        • has role R4
          • with permission P4

      Account A1 in Identity Service I1 will show

      • roles: R2,R3,R4
      • permissions: P2a,P4

      Explanation

      When the user account A1 logs in then the required Identity Services I2 and I3 will be considered. From I2 with R2 we find the permissions P2a and P2b. Identity Service I3 revokes P2b with R2 and adds P4 with R4.
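
The merge described in the example, as an added sketch that is not JOC Cockpit's own code: the `IdentityService` model, the `effective_permissions` function and the sample data are constructed for illustration. It assumes that a revocation (`-P`) wins regardless of the order of the Identity Services and that a VAULT service is skipped during the merge.

```python
from dataclasses import dataclass, field

@dataclass
class IdentityService:
    name: str
    required: bool
    kind: str = "JOC"   # "VAULT": roles are known only at login time
    # Constructed model: account -> role -> permissions; "-P" revokes P
    accounts: dict = field(default_factory=dict)

def effective_permissions(services, selected_name, account):
    """Permissions displayed for `account` when viewed in `selected_name`."""
    required = [s for s in services if s.required]
    # Required services decide the result; otherwise only the selected one.
    sources = required or [s for s in services if s.name == selected_name]
    granted, revoked = set(), set()
    for svc in sources:
        if svc.kind == "VAULT":
            continue  # cannot be merged: roles are unknown before login
        for perms in svc.accounts.get(account, {}).values():
            for p in perms:
                if p.startswith("-"):
                    revoked.add(p[1:])
                else:
                    granted.add(p)
    # Assumption: a revocation wins regardless of service order.
    return granted - revoked

# Constructed data mirroring the I1/I2/I3 listing above.
SERVICES = [
    IdentityService("I1", False, accounts={"A1": {"R1": ["P1"]}}),
    IdentityService("I2", True, accounts={"A1": {"R2": ["P2a", "P2b"]}}),
    IdentityService("I3", True,
                    accounts={"A1": {"R2": ["-P2b"], "R4": ["P4"]}}),
]

if __name__ == "__main__":
    print(sorted(effective_permissions(SERVICES, "I1", "A1")))
```

With no required Identity Service in the list, the same call returns only the permissions configured in the selected service.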
       

          People

            ztsa0019 Sourabh Agrawal
            ur Uwe Risse
            Divyani Rathore Divyani Rathore