[FOLIO-2551] SPIKE: System and Tenant Level Users - Requirements Created: 01/Apr/20  Updated: 29/Jul/21  Resolved: 29/Jul/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Craig McNally Assignee: Mikhail Fokanov
Resolution: Done Votes: 0
Labels: R3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to RMB-747 Spike: Allow users to authenticate w... Open
relates to FOLIO-1935 Service creating ROLE and SCHEMA on t... Draft
relates to RMB-743 Add preserveMetadata query parameter ... Draft
relates to FOLIO-1786 SPIKE: evaluate "init" tokens as a w... Draft
relates to EDGINREACH-2 Provide "Third Party" OAuth2 Token En... Closed
relates to MODOAIPMH-243 update edge module institutional user... Closed
relates to MODINREACH-72 Prepare institutional user for the ED... Draft
Sprint: CP: sprint 119, CP: sprint 117, CP: sprint 118
Story Points: 5
Development Team: Core: Platform

 Description   

Overview

The topic of system and tenant level users has come up a few times in various contexts. This investigation is to gather requirements and use cases in a single place.

  • Edge APIs use "institutional users". These are essentially tenant-level users
    • For now, provisioning of these users must be done manually, including granting permissions, etc.
    • The login credentials for these institutional users must be stored in a secret store where the edge API can access them.
  • FOLIO-1781 (Closed) discusses the need/desire for system or tenant-level users in the context of record metadata.
    • If the system creates/modifies a record and there is no user context, what should be used in the record metadata?
      • Loading sample/reference data when enabling a module for a tenant
      • mod-pub-sub
      • TBD
  • Most recently, there were discussions about the system users used by certain modules, for example mod-search and mod-pubsub. See discussion of this PR

Link to the description of the possible approaches: https://folio-org.atlassian.net/wiki/display/~mikhail.fokanov/Module+users+in+Folio



 Comments   
Comment by Kruthi Vuppala [ 27/Oct/20 ]

Might also be worthwhile to discuss admin users with requirements to

  • Have their own permission sets that are not editable by other users
  • Have their own patron groups, that cannot be edited by other users
Comment by Jakub Skoczen [ 12/Apr/21 ]

Craig McNally, is Vasily Gancharov actively working on this? If not, I'd like to re-assign to the Platform team.

Comment by Hanna Hulevich [ 19/Apr/21 ]

Jakub Skoczen, we discussed and think this priority needs to be increased. This looks like a very high priority security issue.

Comment by Marc Johnson [ 19/Apr/21 ]

Hanna Hulevich

This looks like a very high priority security issue

Why is it a very high priority security issue, the description does not refer to security at all?

Comment by Craig McNally [ 19/Apr/21 ]

Jakub Skoczen I don't think Vasily is on the project anymore.

Marc Johnson, I don't think this is a security issue in and of itself, but not having this functionality leads developers down paths which often end in security issues. MODPUBSUB-78 (Closed), for example.

Comment by Hanna Hulevich [ 17/May/21 ]

Hi Raman Auramau, I was told you are working on this. Could you please clarify if this is done or not, and probably we need to reassign this from Core Platform?
CC Jakub Skoczen

Comment by Raman Auramau [ 20/May/21 ]

Hi Hanna Hulevich - Frankly I'm not quite catching up on what this is about.
Is this about work with secrets? If so, then one of my current activities is really connected to a secrets management proposal, though it does not seem to be related to the System and Tenant Level Users topic.

Comment by Hanna Hulevich [ 20/May/21 ]

Hi Raman Auramau,
I was told by Mikhail Fokanov that you are working on it and this ticket should be assigned to you. Mikhail Fokanov could you please clarify? Thank you in advance!

Comment by Raman Auramau [ 14/Jun/21 ]

I'm making the ticket unassigned for now since I'm not working on it and actually am not aware of the context. Potentially I can take a look some time, but I currently have no capacity for that.
