Tags: wso2, wso2-identity-server, scim2

Assign different role to a group member


I am looking for advice on a not-so-particular situation.

I currently have roughly 20000 stores. All stores have admin, manager and user roles.

  • An admin can create/manage any roles
  • A manager can create/manage only user role
  • A user can login and access custom functionality.

Any persona can be assigned to one or multiple stores and can have one or multiple roles for that particular store, i.e.:

  • StoreA has userA as Admin and userB as Manager
  • StoreB has userA as User and userB as Admin

At first, I converted my stores to be groups. But since roles are bound to the group, I would still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, and I am not sure about the performance.

Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that save the group uid. That worked in Carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.

Any thoughts on how to approach this situation?


Solution

  • We can map your story to IS groups and roles as follows.

    [image: mapping of the stores and personas to IS groups and roles]

    Please note that groups and roles are treated as two separate resources since IS-5.11.0.

    Refer to:

    That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.

    • A group is used to represent a collection of users in the user store. One user can belong to zero or more groups.
    • A role is a collection of permissions. A role can have zero or more permissions.
    • We can assign a role either to a group or to a user.

    Due to this statement:

    A user can log in and access custom functionality.

    We don't need to assign any role to normal business users specifically. No specific role is required to log in to the business application via identity server basic authentication. In case your business application has role-based access control, you need to assign a role to business users as well. Otherwise, every user will get login permission upon successful authentication, which should be enough to do business operations in the application.

    In your case, if every store's admin has the same set of permissions and every manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests. For example: if user B is the manager of store A and the admin of store B, he has inherited the permissions of both the admin and manager roles. But when user B performs a request on store B, you have to authorize the request based only on the roles related to store B.
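The last point of the answer is the one that decides whether the design is safe: permissions must be evaluated per store, not as the union of every role the account holds. The following is an added example (not code from WSO2 Identity Server or from the original post) showing the difference. It assumes the question's `StoreX_Admin` / `StoreX_Manager` / `StoreX_User` naming convention, that the user is available as a SCIM2 User whose standard multi-valued `roles` attribute carries those names in `display`, and the permission sets described in the question; `USER_B` is a constructed record, not a real SCIM response.

```python
"""Store-scoped role check for the <store>_<Admin|Manager|User> naming used in the question.

Added example, not code from WSO2 Identity Server or the original post. Assumptions:
  * roles are named <store>_<Admin|Manager|User> (the question's naming);
  * the user arrives as a SCIM2 User dict whose standard multi-valued
    ``roles`` attribute carries those names in ``display``;
  * the permission sets per role follow the question's description.
"""
import re

# Permissions per role, from the question: an admin manages every role,
# a manager manages only the user role, a user only logs in.
PERMISSIONS = {
    "Admin": frozenset({"login", "manage:Admin", "manage:Manager", "manage:User"}),
    "Manager": frozenset({"login", "manage:User"}),
    "User": frozenset({"login"}),
}

# <store>_<Role>; the store id must not contain '_' so the split is unambiguous.
ROLE_NAME = re.compile(r"^(?P<store>[^_]+)_(?P<role>Admin|Manager|User)$")


def parse_role(display):
    """Return (store, role) for a 'StoreA_Manager'-style name, or None when the
    name does not follow the convention (unknown roles grant nothing)."""
    m = ROLE_NAME.match(display)
    return (m.group("store"), m.group("role")) if m else None


def store_roles(scim_user):
    """Map store id -> set of role names the SCIM2 user holds in that store."""
    out = {}
    for entry in scim_user.get("roles", []):
        parsed = parse_role(entry.get("display", ""))
        if parsed:
            store, role = parsed
            out.setdefault(store, set()).add(role)
    return out


def permissions_naive(scim_user):
    """The pattern the answer warns against: the union of every role's
    permissions, ignoring which store each role belongs to."""
    perms = set()
    for roles in store_roles(scim_user).values():
        for role in roles:
            perms |= PERMISSIONS[role]
    return perms


def is_authorized_naive(scim_user, store, permission):
    """Flawed check: 'store' is never consulted, so a role held in one store
    leaks its permissions into every other store the user belongs to."""
    return permission in permissions_naive(scim_user)


def is_authorized(scim_user, store, permission):
    """Correct check: only the roles the user holds in the requested store count.
    A store the user has no role in yields an empty permission set."""
    perms = set()
    for role in store_roles(scim_user).get(store, set()):
        perms |= PERMISSIONS[role]
    return permission in perms


# Constructed SCIM2 User (not a real response): userB is Manager of StoreA
# and Admin of StoreB, as in the question.
USER_B = {
    "userName": "userB",
    "roles": [
        {"display": "StoreA_Manager", "value": "constructed-id-1"},
        {"display": "StoreB_Admin", "value": "constructed-id-2"},
    ],
}

if __name__ == "__main__":
    # As manager of StoreA, userB must not manage managers in StoreA,
    # even though the same account is admin of StoreB.
    print(is_authorized_naive(USER_B, "StoreA", "manage:Manager"))  # True (wrong)
    print(is_authorized(USER_B, "StoreA", "manage:Manager"))        # False
    print(is_authorized(USER_B, "StoreB", "manage:Manager"))        # True
    print(is_authorized(USER_B, "StoreC", "login"))                 # False
```

The same split applies whatever the backend: if the store-scoped roles are stored as SCIM2 roles, as group memberships, or as a custom attribute, the authorization code in the business application must key its lookup on the store named in the request before it looks at the role.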