Add a READER role that gives read access to users and groups info

[garaimanoj]

No description provided.

[rmiccoli]

I notice that a user with monitoring privileges (ROLE_READER) is not able to access to /scim/Users and /iam/scope_policies - they get 403. Is it intentional?

Also, user can try to remove members from a group getting, of course, a 403 error after clicking. Should the Remove button be hidden?

[enricovianello]

It seems to me all ok

[enricovianello]

These changes are ok to me and I have nothing to correct 👍
Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

[garaimanoj]

I notice that a user with monitoring privileges (ROLE_READER) is not able to access to /scim/Users and /iam/scope_policies - they get 403. Is it intentional?

Also, user can try to remove members from a group getting, of course, a 403 error after clicking. Should the Remove button be hidden?

Now ROLE_READER can access to /scim/Users and /iam/scope_policies. Remove button has been disabled.

[rmiccoli]

Quality Gate passed

Issues 59 New issues 0 Accepted issues

Measures 0 Security Hotspots 100.0% Coverage on New Code 0.0% Duplication on New Code

See analysis details on SonarCloud

Try to solve these issues where possible

[garaimanoj]

Organization Management is available in sidebar menu when registration is enabled. I have added additional check for READER.

[garaimanoj]

These changes are ok to me and I have nothing to correct 👍 Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

As of now I have hidden the x509 certificate section from Admin and Reader from UI. Could you please raise an issue with more details regarding the new view of SCIM modal task.

[rmiccoli]

These changes are ok to me and I have nothing to correct 👍 Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

As of now I have hidden the x509 certificate section from Admin and Reader from UI. Could you please raise an issue with more details regarding the new view of SCIM modal task.

Hi Manoj, both admins and users with ROLE_READER should see users' x509 certificates from UI. The idea was to hide only the pem-encoded certificate from SCIM API.

[garaimanoj]

I am checking the Sonar analysis issues

[enricovianello]

These changes are ok to me and I have nothing to correct 👍 Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

As of now I have hidden the x509 certificate section from Admin and Reader from UI. Could you please raise an issue with more details regarding the new view of SCIM modal task.

Hi Manoj, both admins and users with ROLE_READER should see users' x509 certificates from UI. The idea was to hide only the pem-encoded certificate from SCIM API.

The idea is to use some mechanism to hide the PEM encoded certificate from the ScimUser object returned by SCIM endpoints. The Jackson Java Views can be used (they are already used into ClientDetails object for example) or we can add something like this JSONFilter, used to filter passwords from the returned SCIMUser object (used as an annotation).
Probably this second approach is the easier and which doesn't mean lots of changes.

We could probably add a similar annotation to ScimX509Certificate object which is used inside the ScimIndigoUser extension.

[sonarcloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud