slifty
commented
5 months ago We're currently planning to NOT model PDC-level concepts in keycloak (for instance: users associated with grantee / grantor organizations). Instead, keycloak will be responsible for signaling the user identifier and the user's role (e.g. pdc-admin)
Given that, I'm going to close this issue!
In order to "Add authorization" #255 to the existing authentication scheme, more than a user with a JWT is required. Roles or groups will be needed to be modeled at least in Keycloak and likely also in our schema. In other words, when a request carries a JWT, the service (this repo) needs to be able to see whether to grant access to particular records based on the contents of that JWT and the contents of requested data in the PDC database.
Key considerations include:
Additionally, the modeling of groups both in Keycloak and the PDC schema should account for potentially related (draft) user stories.
* As Gem, I want to build an integration to push data into the PDC. * As Gem, I want to build an integration to pull data from the PDC. * As Gem, I want to read (from the PDC) an ChangeMaker's PDC-inclusion permissions. * As Nina / Grace, I want to be alerted when data related to my proposals or organization have been imported, changed, or updated. * As Gem / Deepak I want to be able to authenticate my application with the PDC using secrets that do not expire / don't need to be updated on any regular basis. * As Nina, I want to be able see data that relates to my organization in the PDC, so I understand what data about my organization and proposals is present in the PDC at any time. * As Nina, I want to claim data in the PDC as "mine". * As Nina, I want to be able to proactively decide/indicate whether or not my data is *ever* incorporated into to the PDC. * As Nina, I want to be able to decide on a case by case basis the circumstances / instances in which my data is incorporated into to the PDC. (Separate from a "global" policy.) * As Nina, I want to be able to decide on a predefined RULE basis the circumstances / instances in which my data is incorporated into to the PDC. (e.g. "include data from Charity Navigator, and from proposals to Foo Foundation, but not from proposals to Bar Foundation") * As Nina, I want control over sharing/visibility of my data that is in PDC. * As Nina, I want to be able correct data that relates to my organization in the PDC. * As Nina, I want to be able redact data that relates to my organization in the PDC. * As Nina, I want to be able delete data that relates to my organization in the PDC. * As Nina, I want to be able to indicate which users belong to my organization and should have permissions to maintain my organization's data. * As Grace, I want to be able to see how the proposal I have submitted to a foundation was registered in the PDC. * As Grace, I want to be able to make corrections to mistakes in the PDC that I see associated with any proposals I have submitted. * As Grace, I want to find proposals similar to mine so I can compare funding outcomes. * As Grace, I want to see information about an organization that has been funded, including data from multiple proposals and from data aggregators, so that I can evaluate the organization for new grants. * As Marty, I want evidence that org data is accessible only by authorized people or machines for auditing/compliance. * As Kathryn, I want to see the proposals I sent to the PDC in the PDC to know that the PDC is working and able to accurately show my foundation's data. * As Kathryn, I want to be able to add a new opportunity to the PDC. * As Kathryn, I want to be able to modify the fields associated with an opportunity over time. * As Kathryn, I want to be able to associate specific "application forms" to my opportunity which represent the various forms that my applicants have to submit in order to be considered for a grant. * As Addy, I want to see what other changemakers are working with changemakers who are working in areas of interest to me? (Networks between changemakers.)