Design fine-grained access control within record manager #202
Comments
If I understand the task correctly, we can add two different groups for operators and suppliers, as shown in the picture below: Each group can have its own subgroups that inherit roles from the parent group. This allows us to create different subgroups with specific roles.
Open questions:
Yes, we can retrieve groups in the token, see https://stackoverflow.com/questions/56362197/keycloak-oidc-retrieve-user-groups-attributes
@blcham
@blcham We should discuss a list of roles for each group.
@blcham
If Keycloak saves personal information about users to the repository, why can't it save roles and groups as well? It doesn't make sense to handle this on the backend because, with every request, the system would need to check Keycloak for changes and then update the repository accordingly.
The Publish button is in the Operator extension (not Supplier). Can you explain what this button does?
Publish button imports all completed records from operator deployment to supplier deployment
rm_edit_organizations_records --> rm_edit_organization_records
rm_import_codelist --> rm_import_codelists
… exception if the provided role does not exist
http-nio-8080-exec-7] WARN o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolved [org.springframework.http.converter.HttpMessageNotWritableException: Could not write JSON: Cannot invoke "cz.cvut.kbss.study.model.RoleGroup.getRoles()" because "this.roleGroup" is null]
…out security context
…E_USER access to institution retrieval
…E_USER access to institution retrieval
One of the main goals is to remove the extensions SUPPLIER and OPERATOR.
Note:
EXTENSIONS: "${RECORD_MANAGER_EXTENSIONS:-supplier}"
Related to issue: #206
A/C: