bcgov / nr-forests-access-management

Authorization solution for BC natural resource sector
Apache License 2.0

Better Warning Message when Logged On User Has Empty Role. #845

Open ianliuwk1019 opened 1 year ago

ianliuwk1019 commented 1 year ago

Describe the bug

When the logged-on user has an "Empty" role (no role at all), the user can still log in, but the system pops up an Error toast message at the Dashboard with a message that is unclear to the user (You do not have the necessary authorization for the requested action).

To Reproduce

  1. Remove user roles if necessary (locally, probably manually remove them from local database)
  2. Log on to FAM
  3. When logged on, the message will pop up (see screenshot).

Expected behavior

Screenshots Private Zenhub Image

Additional context

OlgaLiber2 commented 1 year ago

@ianliuwk1019 @gormless87

Business decision is: If someone does not have a role assigned in FAM they should not be able to log into FAM. When they enter their credentials (IDIR or BCeID) an error will display that they need a role assigned to be able to log into FAM.

ianliuwk1019 commented 1 year ago

The page for entering credentials (IDIR/BCeID) isn't our app (it is Cognito's hosted UI), so we won't be able to display an error on that page (not sure if it can be customized); we may be able to create our own sign-in page at FAM, but that will be too much work just for this ticket.

Also, after entering credentials, the authentication verification for the user happens on the external IDP. It will then come back to our FAM landing page. On arriving at the landing page, if we do not want the user to log in to FAM because the user does not have any role assigned, we could immediately sign the user out to the home page.

But to display an error message to let the user know they need a role assigned, the simplest option is probably that, before the system signs the user out, FAM pops up a confirm dialog to let the user know (and signs the user out either after the user confirms or closes the dialog). We could possibly display the role-required message at the Home page, but I feel it could be a little tricky (though probably doable). @OlgaLiber2 @gormless87 @MCatherine1994

OlgaLiber2 commented 1 year ago

@ianliuwk1019 that's what I was afraid of... not being able to display a custom error message when it gets redirected to SSO Pathfinder.

I think it's ok then to let the user log in and we display a message saying that they need to have a role assigned to take any action or view information on FAM. How does that sound, @ianliuwk1019?

ianliuwk1019 commented 1 year ago

I may prefer extra effort for the option to log out the user immediately and then display a message that they need a role assigned, for better user experience. But yes, for now displaying a message after user login sounds good (and logging out the user after the user views the message) for this ticket, for whoever works on this ticket.

OlgaLiber2 commented 1 year ago

@ianliuwk1019 I don't think we need to log them out. Just let them log in, then display the message. All actions are disabled. That's it for now.

SPAR apparently has the same behaviour currently. @ianliuwk1019 @MCatherine1994 can you look at their prototypes? I'm hoping we can reuse their wording.