We need to create a new component responsible for handling the Altinn Access Groups.
Altinn Access Groups will replace Altinn roles and will support a hierarchy of unlimited depth, though in practice 2-3 levels.
AccessGroups can be mapped to external parents, such as ER roles.
Additional Information
The component would need to define an API for the following:
Define AccessGroup
List AccessGroups
Delegate AccessGroup(s) to a party or user
List AccessGroups membership, both direct and indirect through external connections
List external Membership from external sources like ER.
Considerations
The AccessGroup component should support getting external roles and groups. We need to define a standardized service interface for external group providers that makes it easy to extend the sources of external groups. Every source will have its own custom implementation.
Model
{
"accessGroupId":
}
API
List access group membership
This API lists all groups that a given user/system/organization is a member of for a given party.
This API needs to consider inheritance from external roles/groups/membership registers, such as Enhetsregisteret.
The membership needs to include information about the source of the membership.
For performance reasons, the consumer of the API needs to specify which external registry to include.
The component will also need to have default
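A sketch of the membership listing described above, as an added example that is not Altinn code: external sources sit behind one provider interface, are consulted only when the caller names them, and every result records its source. The names `ExternalGroupProvider`, `StaticProvider` and `list_memberships`, the sample data, and the rule that membership in a group extends to its child groups are all assumptions.

```python
from dataclasses import dataclass
from typing import Protocol

@dataclass(frozen=True)
class Membership:
    group_id: str
    source: str  # "direct" or the name of the external registry
    via: str     # delegation, external role, or the group it was inherited from

class ExternalGroupProvider(Protocol):
    """Hypothetical service interface; one implementation per external source."""
    def groups_for(self, subject: str, party: str) -> dict[str, str]:
        """Return {access group id: external role that grants it}."""

class StaticProvider:
    """Constructed in-memory stand-in for a real register client."""
    def __init__(self, grants):
        self._grants = grants
    def groups_for(self, subject, party):
        return self._grants.get((subject, party), {})

def list_memberships(subject, party, direct, children, providers, include=()):
    unknown = set(include) - set(providers)
    if unknown:  # fail closed rather than silently returning a partial answer
        raise ValueError(f"unknown external registry: {sorted(unknown)}")
    found = [Membership(g, "direct", "delegation")
             for g in sorted(direct.get((subject, party), ()))]
    for name in include:  # external sources are opt-in per request
        grants = providers[name].groups_for(subject, party)
        found += [Membership(g, name, role) for g, role in sorted(grants.items())]
    # Assumption: a member of a group is also a member of its child groups.
    seen = {(m.group_id, m.source) for m in found}
    queue = list(found)
    while queue:
        m = queue.pop(0)
        for child in children.get(m.group_id, ()):
            if (child, m.source) not in seen:  # also stops on cyclic hierarchies
                seen.add((child, m.source))
                inherited = Membership(child, m.source, f"inherited from {m.group_id}")
                found.append(inherited)
                queue.append(inherited)
    return found

# Constructed sample data, not taken from Altinn or Enhetsregisteret.
CHILDREN = {"accounting": ["invoicing"], "invoicing": ["invoice-read"]}
DIRECT = {("user-1", "org-9"): {"invoicing"}}
PROVIDERS = {"er": StaticProvider({("user-1", "org-9"): {"accounting": "example-er-role"}})}

if __name__ == "__main__":
    for m in list_memberships("user-1", "org-9", DIRECT, CHILDREN, PROVIDERS, include=("er",)):
        print(m)
```

Keeping the source on each inherited entry lets a consumer tell a delegated membership from one that disappears when the external role is withdrawn.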
Add Membership
It will be possible to add a user/system/org as a member of an access group.
Revoke Membership
Create/Update Group
Export Access Groups
Used to
Import Access Groups
Tasks
[ ] Define datamodel
[ ] Define API
[ ] Define interface for external registers
[ ] Decide on authorization for API
Development Task
[ ] Create AccessGroups component
[ ] Setup PostgreSQL for authorization component
[ ] Create build and deploy pipeline
[ ] Create API for defining and updating Access Groups and Categories
[ ] Create API for listing AccessGroups a user has for a reportee
[ ] Setup Authentication and Authorization for API
[ ] Unit tests / Integration tests
[ ] K6 tests
Acceptance Criteria
It should be possible to define Category hierarchy trees through the API
It should be possible to define AccessGroups through the API and link them to Categories
It should be possible to define ExternalRelationships for AccessGroups (external roles giving access to AccessGroups)
It should be possible to list all AccessGroups a user has for a reportee (through ER roles, Altinn roles and delegated group memberships, both directly and through inheritance)