Hi Denis,

* ripedenis--- via db-wg
NWI-8 LIR's SSO Authentication Groups
We agreed on this problem definition:
Problem Definition
LIRs would like a mechanism to easily add/remove users to centralised SSO authentication groups for maintaining objects in the RIPE Database.
Do we agree on this (staged) solution definition?
(Draft) Solution Definition
Stage 1
-Non-billing users listed in an LIR's portal account, who have an SSO authentication account, will be contained in a default authentication group
There seems to be an underlying presumption here that it is possible to have users in the LIR Portal who do not have SSO accounts. To the best of my knowledge, this is not the case - users associated with an LIR in the LIR Portal *are* SSO (i.e., RIPE NCC Access) accounts. Therefore, the «who have an SSO authentication account» part is redundant.
-Non-billing users added or removed through the portal UI, who have an SSO authentication account, will be automatically adjusted in this group
See above - «who have an SSO authentication account» is redundant.
-This authentication group can be referenced in MNTNER objects by a new authentication method
Given https://www.ripe.net/ripe/mail/archives/db-wg/2019-February/006167.html, perhaps rewrite this one as: «This authentication group can be referenced directly in mnt-*: attributes in database objects, or if that is not feasible, as a new authentication method in MNTNER objects.»
-These authentication groups for LIRs will be stored in a way that updates to the RIPE Database are not dependent on the availability of the portal service
OK
-(Non-billing users who did not have an SSO authentication account who then create one, will be automatically adjusted in this group - NCC, is this feasible?)
See above - this bullet can be removed completely.
-(Non-billing users who are listed in the LIR's authentication group who then delete their SSO authentication account, will be automatically adjusted in this group - NCC, is this feasible?)
See above - this bullet can be removed completely.
Stage 2
-Non-billing users listed in an LIR's portal account, who have an SSO authentication account, can be added to and removed from user-defined SSO authentication groups
See above - «who have an SSO authentication account» is redundant.
-Each User can be a member of any number of named groups
OK
-The authentication groups can be configured using the portal UI
OK
-These groups can be referenced in MNTNER objects by the new authentication method
See above - rewrite to something like «these groups can be referenced directly in mnt-*: attributes in database objects, or by the new authentication method in MNTNER objects created during stage 1».

Tore