Desired rights permissions

[phavekes]

This issue is imported from pivotal - Originaly created at Mar 4, 2024 by Thijs Kinkhorst

First line needs to be able to modify IdP\'s since they need to set e.g. whitelist entries or stepup config or change email address. If you can modify an IdP it does not make much sense to me to forbid create or delete of the IdP - if you want to do this you can just change (all) fields of an existing IdP.

There\'s now no role for the SP Dashboard such that it can only influence SP\'s.

For GUI:

• SYSTEM: everything on everything including AM (2e + 3e lijn support TPM)
• ADMIN: everything on everything except AM (1e lijn support + pm\'s etc)

For dashboards:

• SP Dashboard:

  • create SP/RP/RS,
  • edit SP/RP/RS (needed for secret reset, possibly more future selfservice changes)
  • create change requests
  • never set or change AM in any of the above

• IdP dashboard:

  • edit IdP (whitelist, stepup config, more future selfservice changes)
  • create change requests
  • never set or change AM in any of the above

[phavekes]

So I think this is the diff re current implemention:

• Change ADMIN to not forbid IdP create/delete anymore

• Add "WRITESP": can only CRUD SP/RP/RS (but never with AM changes)

• Add "CHANGEREQUESTSP": can only create/update change requests for SP/RP/RS

• Add "WRITEIDP", can only update IdPs (but never with AM changes) and create change requests.

• Add "CHANGEREQUESTIDP": can only create/update change requests for IDPs

  (Thijs Kinkhorst - Mar 4, 2024)

[phavekes]

See last comment. This is not yet implemented. (Okke Harsta - Mar 15, 2024)

[phavekes]

WRITE_SP does not allow deleting an SP. Since we do not allow deleting an SP for production, a separate DELETE_SP is the most finegrained solution (Bart Geesink - May 8, 2024)