Provide capability to update shared user profile and resolve the shared profile based on organization hierarchy #22126

Closed
AnuradhaSK opened this issue Jan 1, 2025 · 1 comment

Comments

@AnuradhaSK
Contributor

Problem

WSO2 Identity Server (IS) currently has user sharing functionality to allow a single user identity to belong to multiple organizations, with the parent organization managing the user’s credentials. Once a user is shared with sub-organizations, different entitlements (roles and groups) can be assigned to the user within those sub-organizations. However, there is a restriction, as the user’s profile cannot be edited.
Therefore, there is no way to manage or customize specific attributes for that user on a per-organization basis.

Proposed Solution

To address this, we introduce a metadata property for each local user attribute (attributes managed at user stores external to IS) and identity attribute (attributes managed at the IS data layer) named “SharedProfileValueResolvingMethod”, which can have one of the following values:

  • FromOrigin
  • FromSharedProfile
  • FromFirstFoundInHierarchy

Also, allow editing the attributes in the shared profile if the above-mentioned metadata is set to FromSharedProfile or FromFirstFoundInHierarchy.

Then, resolve the shared user profile according to the claim's SharedProfileValueResolvingMethod value.

Alternatives

No response

Version

7.1.0
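
The resolution rule proposed above, modelled as an added example (not part of the original issue and not WSO2 code). The meaning given to each value is an assumption inferred from its name, and the organization ids, claim names and values are constructed.

```python
from enum import Enum

class Method(Enum):
    FROM_ORIGIN = "FromOrigin"
    FROM_SHARED_PROFILE = "FromSharedProfile"
    FROM_FIRST_FOUND_IN_HIERARCHY = "FromFirstFoundInHierarchy"

# Per the issue, only these two values allow editing the claim in a shared profile.
EDITABLE = {Method.FROM_SHARED_PROFILE, Method.FROM_FIRST_FOUND_IN_HIERARCHY}

def can_edit_in_shared_profile(method):
    return method in EDITABLE

def resolve_claim(method, org_path, profiles, claim):
    """org_path lists org ids from the organization being accessed up to the
    origin organization (last). profiles maps org id -> {claim: value}."""
    if not org_path:
        raise ValueError("org_path must end with the origin organization")
    if method is Method.FROM_ORIGIN:
        candidates = org_path[-1:]   # assumed: only the managing organization's value
    elif method is Method.FROM_SHARED_PROFILE:
        candidates = org_path[:1]    # assumed: only this organization's shared profile
    else:
        candidates = org_path        # assumed: nearest non-empty value, walking upward
    for org in candidates:
        value = profiles.get(org, {}).get(claim)
        if value not in (None, ""):
            return value
    return None

def resolve_profile(claim_methods, org_path, profiles):
    """Resolve every claim with its own method; unresolved claims are omitted."""
    resolved = {}
    for claim, method in claim_methods.items():
        value = resolve_claim(method, org_path, profiles, claim)
        if value is not None:
            resolved[claim] = value
    return resolved

# Constructed sample data: hypothetical organizations, claims and values.
ORG_PATH = ["team-a", "division-1", "root"]
CLAIM_METHODS = {"email": Method.FROM_ORIGIN, "department": Method.FROM_SHARED_PROFILE,
                 "country": Method.FROM_FIRST_FOUND_IN_HIERARCHY,
                 "nickname": Method.FROM_SHARED_PROFILE}
PROFILES = {"root": {"email": "alice@example.com", "department": "HQ", "country": "LK", "nickname": "al"},
            "division-1": {"email": "stray@example.net", "country": "US"},
            "team-a": {"department": "Support", "country": ""}}
```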

@AnuradhaSK
Contributor Author

AnuradhaSK commented Jan 1, 2025

PRs:

BE PRs:

  1. Add getLocalClaim service to claim meta data mgt service carbon-identity-framework#6245
  2. Add SharedProfileValueResolvingMethod meta data to local claims carbon-identity-framework#6246
  3. Validate SharedProfileValueResolvingMethod change on claim update  carbon-identity-framework#6247
  4. Set Default SharedProfileValueResolvingMethod for local claims in Unified Claim Manager carbon-identity-framework#6302
  5. Return SharedProfileValueResolvingMethod property value for each claim in /scim2/Schemas API  wso2-extensions/identity-inbound-provisioning-scim2#592
  6. Add sharedProfileValueResolvingMethod as first class attribute to claim mgt API identity-api-server#766
  7. Govern Shared profile claim update based on SharedProfileValueResolvingMethod  wso2-extensions/identity-organization-management#426
  8. Add configuration to configure enable state and orderID for shared profile update governance listener carbon-identity-framework#6315
  9. Add a util method to return isSharedUserProfileResolverEnabled wso2-extensions/identity-organization-management#430
  10. Resolve shared user profile for JWT tokens and userinfo wso2-extensions/identity-inbound-auth-oauth#2688
  11. Enable shared user profile update governance listener carbon-identity-framework#6353
  12. Update claim change when old claims don't have value and updated claim set has empty value wso2-extensions/identity-inbound-provisioning-scim2#598

FE PRs:

Integration Tests:

Documentation:

@github-project-automation github-project-automation bot moved this from In Progress to Done in Identity Server 7.1.0 Jan 26, 2025