BlackbitDigitalCommerce / pimcore-single-sign-on

GNU General Public License v3.0

directory groups --> pimcore roles assignment rules undocumented #1

Closed djdgtls closed 6 months ago

djdgtls commented 1 year ago

Currently it is not obvious how the role assignment works. Please add documentation for this.

In our current implementation the assumption was that the AAD groups would be created as Pimcore roles and the users assigned to the respective roles. But roles do not get automatically created or existing ones assigned.

BlackbitDevs commented 1 year ago

I think it would be even better if we just change behaviour so that the AAD groups do get created as Pimcore roles ;-) Otherwise you would have to create them manually - which is prone to typos.

So we will change behaviour - and of course document this ;-)

BlackbitDevs commented 1 year ago

Added to 1.0.5 that non-existing roles automatically get created.

The documentation (now also in Readme.md):

Mapping Authentication provider data to Pimcore user

You can map the fields which get provided by the configured authentication providers to update the corresponding Pimcore user's account data, for example to keep email address up-to-date or to assign roles.

Role mapping

Mapped Groups / Roles will automatically be assigned as roles to the just logged-in user. Non-existing roles will automatically get created (at first without any permissions).

In addition you can configure Default roles. These roles will automatically be assigned to newly created users. They do not get applied to already existing users.

Maybe you can give it a try and give some feedback...

djdgtls commented 1 year ago

Thanks for the quick update. We tested this and this is fine for our required functionality.

Here are some points that might be good to add to the docs:

BlackbitDevs commented 6 months ago