Development #751

Improve the manager based on RBAC

Added by Mikaël Ates almost 8 years ago. Updated over 1 year ago.

Status: Closed
Priority: High
Category: -
Target version:
Start date: 12 Oct 2011
Due date:
% Done: 100%
Patch proposed: No
Planning: No

Related issues

Related to Authentic 2 - Bug #6143: /manage : we should allow a superadmin activate is_admin Closed 12 Dec 2014
Related to Authentic 2 - Development #5541: Add a page to manage providers New 19 Sep 2014
Related to Authentic 2 - Bug #5658: Review permission checking in the manager Rejected 09 Oct 2014
Blocks Authentic 2 - Development #5262: Manage authorizations to connect to a service provider Rejected 12 Aug 2014

Associated revisions

Revision 152f1a6f (diff)
Added by Benjamin Dauvergne over 4 years ago

custom_user: add view permission to user and group model

refs #751

Revision d65195b1 (diff)
Added by Benjamin Dauvergne over 4 years ago

custom_user: add new permission on groups, change_permissions_group

refs #751

Revision 25ad9166 (diff)
Added by Benjamin Dauvergne over 4 years ago

manager: rewrite manager using RBAC for authorization and limiting view of models

Also add page to manage organizational units and roles.

fixes #6143
fixes #751

History

#1 Updated by Benjamin Dauvergne about 5 years ago

  • Patch proposed set to No

Discussion on authorization in Authentic has restarted thanks to the current tickets #5261 and #4775:

First, my idea for an authorization framework data model:

Action  = (Slug)
Permission = (Action, Object) # ex. ('login', SAML provider#01)
Role = (Name, Slug, [Permission])
UserRoleMapping = (User, Role)
GroupRoleMapping = (Group, Role)

Maybe we should refrain from defining any kind of data model and just try to create an API that allows service providers to know whether they can allow login or not.

Some grand goals for any authorization framework:
  • be as simple as possible for getting a working implementation fast, but allow extensions,
  • provide a hierarchical role model with inheritance,
  • long term: allow importing the authorization model from service providers locally, maybe not natively but by allowing multiple authorization backends to be loaded at the same time and answer authorization requests:
    • a backend could for example synchronize a list of remote roles so that all management can be done in Authentic without having to manually recreate the role model on its side (roles from w.c.s.),
    • conversely, roles defined in Authentic could be given some context and be replicated to the service provider when they are local to it.
I will start here a list of authorizations that we could ask of this system:
  • login on service provider #04 to user/group #05
  • add attribute 'xyz' with value 'abc' to user/group #07 on service provider #02
  • manage users in group 'Administrators of service provider #05'
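
The data model sketched in the comment above (Action, Permission = (Action, Object), Role with a permission list, UserRoleMapping, GroupRoleMapping) is small enough to run end to end. The following is an added example written for this page, not Authentic 2 code: it implements the model in plain Python with a default-deny `can(user, action, object)` check, role inheritance through an `extends` list (the assumption here is that a role inherits every permission of the roles it extends), and object wildcards (`ANY_IDENT`, or `obj=None`), which are this example's assumptions rather than anything the ticket specifies. The users, groups, role slugs and provider identifiers are constructed sample data mirroring the comment's "login on service provider #05" and "manage users in group 'Administrators of service provider #05'" examples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Obj:
    """Target of a permission, e.g. a SAML provider or a group."""
    kind: str
    ident: str


# Wildcard identifier: an assumption of this example, not part of the ticket's model.
ANY_IDENT = "*"


@dataclass(frozen=True)
class Permission:
    """Permission = (Action, Object); obj=None grants the action on everything."""
    action: str
    obj: Optional[Obj] = None


@dataclass
class Role:
    slug: str
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    # Assumption: a role inherits every permission of the roles it extends.
    extends: List[str] = field(default_factory=list)


class Rbac:
    """In-memory stand-in for the Role / UserRoleMapping / GroupRoleMapping tables."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.user_roles: Dict[str, Set[str]] = {}    # UserRoleMapping
        self.group_roles: Dict[str, Set[str]] = {}   # GroupRoleMapping
        self.user_groups: Dict[str, Set[str]] = {}   # group membership

    def add_role(self, role: Role) -> None:
        self.roles[role.slug] = role

    def map_user(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def map_group(self, group: str, role: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)

    def add_member(self, user: str, group: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def effective_roles(self, user: str) -> Set[str]:
        """Direct roles, roles of the user's groups, and everything reached via 'extends'."""
        todo = set(self.user_roles.get(user, set()))
        for group in self.user_groups.get(user, set()):
            todo |= self.group_roles.get(group, set())
        done: Set[str] = set()
        while todo:
            slug = todo.pop()
            if slug in done or slug not in self.roles:   # cycle guard; unknown slugs grant nothing
                continue
            done.add(slug)
            todo.update(self.roles[slug].extends)
        return done

    def permissions(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for slug in self.effective_roles(user):
            perms |= self.roles[slug].permissions
        return perms

    def can(self, user: str, action: str, obj: Obj) -> bool:
        """Default deny: True only if an effective role carries a matching permission."""
        perms = self.permissions(user)
        candidates = (
            Permission(action, obj),                        # exactly this object
            Permission(action, Obj(obj.kind, ANY_IDENT)),   # any object of this kind
            Permission(action),                             # any object at all
        )
        return any(p in perms for p in candidates)


def build_demo() -> Rbac:
    """Constructed sample data mirroring the ticket's examples (SP #05, its admin group)."""
    rbac = Rbac()
    rbac.add_role(Role("sp05-users", "Users of service provider #05",
                       {Permission("login", Obj("saml-provider", "05"))}))
    rbac.add_role(Role("sp05-admins", "Administrators of service provider #05",
                       {Permission("manage-users",
                                   Obj("group", "Administrators of service provider #05"))},
                       extends=["sp05-users"]))
    rbac.add_role(Role("global-login", "May log in on any provider",
                       {Permission("login", Obj("saml-provider", ANY_IDENT))}))
    rbac.map_user("alice", "sp05-admins")   # alice gets sp05-users through inheritance
    rbac.add_member("bob", "staff")
    rbac.map_group("staff", "sp05-users")   # bob gets the role through his group
    rbac.map_user("dave", "global-login")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    sp05 = Obj("saml-provider", "05")
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "login on SP#05:", r.can(user, "login", sp05))
```

The check walks the role graph once per query, which is fine for a manager page but would be replaced by a precomputed closure or a database query in a real backend; what matters for review is that every path ends in a deny unless a permission is found, that inherited roles cannot loop forever, and that a role slug which no longer exists is treated as granting nothing rather than raising.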

#2 Updated by Benjamin Dauvergne over 4 years ago

  • Priority changed from Normal to Low

#3 Updated by Benjamin Dauvergne over 4 years ago

  • Related to Bug #6143: /manage : we should allow a superadmin activate is_admin added

#4 Updated by Benjamin Dauvergne over 4 years ago

#5 Updated by Benjamin Dauvergne over 4 years ago

  • Priority changed from Low to High
  • Subject changed from Authentic2 administration based on RBAC to Improve the manager based on RBAC
  • Assignee changed from Mikaël Ates to Benjamin Dauvergne

#6 Updated by Benjamin Dauvergne over 4 years ago

  • Related to Bug #5658: Review permission checking in the manager added

#7 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from future to 2.1.12

#9 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from 2.1.12 to 2.1.13

#10 Updated by Benjamin Dauvergne over 4 years ago

  • Target version changed from 2.1.13 to 2.2.0

#11 Updated by Benjamin Dauvergne over 4 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Resolved (to deploy)

#12 Updated by Benjamin Dauvergne over 3 years ago

  • Status changed from Resolved (to deploy) to Solution deployed

#13 Updated by Benjamin Dauvergne over 1 year ago

  • Status changed from Solution deployed to Closed