canonical / identity-platform-admin-ui

Admin UI for the Canonical identity broker and identity provider solution

Add basic entitlements to `privileged` OpenFGA user to allow real administrator/superuser privileges on all resources #282

Closed BarcoMasile closed 4 weeks ago

BarcoMasile commented 5 months ago

When creating the authorization model in OpenFGA, populate the store with the following tuples to allow a newly run instance of Admin UI to work without additional setup needed in OpenFGA. This allows having a "super user" from the get-go.

```yaml
  - user: privileged:superuser
    relation: privileged
    object: provider:global
  - user: privileged:superuser
    relation: privileged
    object: role:global
  - user: privileged:superuser
    relation: privileged
    object: group:global
  - user: privileged:superuser
    relation: privileged
    object: client:global
  - user: privileged:superuser
    relation: privileged
    object: identity:global
  - user: privileged:superuser
    relation: privileged
    object: scheme:global
```
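
A check a deployer could run after bootstrap, as an added example that is not part of the issue or of the admin-ui code base: it treats the six tuples listed above as the expected set and audits a Read response from the store for missing ones and for any other `privileged` grant. The function names, the sample response and `user:example` are constructed for illustration; the JSON shape assumed is that of OpenFGA's Read API response.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// TupleKey is the user/relation/object triple listed in the issue.
type TupleKey struct{ User, Relation, Object string }

// BootstrapTuples returns the six superuser tuples from the issue.
func BootstrapTuples() []TupleKey {
	var out []TupleKey
	for _, t := range []string{"provider", "role", "group", "client", "identity", "scheme"} {
		out = append(out, TupleKey{"privileged:superuser", "privileged", t + ":global"})
	}
	return out
}

// Audit reports missing bootstrap tuples and any other "privileged" tuple in a Read response body.
func Audit(readResp []byte) (missing, unexpected []TupleKey, err error) {
	var resp struct{ Tuples []struct{ Key TupleKey } }
	if err = json.Unmarshal(readResp, &resp); err != nil {
		return nil, nil, err
	}
	want := map[TupleKey]bool{} // expected tuple -> found in store
	for _, t := range BootstrapTuples() {
		want[t] = false
	}
	for _, t := range resp.Tuples {
		if _, ok := want[t.Key]; ok {
			want[t.Key] = true
		} else if t.Key.Relation == "privileged" {
			unexpected = append(unexpected, t.Key) // superuser-level grant not in the bootstrap set
		}
	}
	for _, t := range BootstrapTuples() {
		if !want[t] {
			missing = append(missing, t)
		}
	}
	return missing, unexpected, nil
}

func main() {
	sample := `{"tuples":[{"key":{"user":"privileged:superuser","relation":"privileged","object":"role:global"}},
	 {"key":{"user":"user:example","relation":"privileged","object":"client:global"}}]}` // constructed, not real store output
	fmt.Println(Audit([]byte(sample)))
}
```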

syncronize-issues-to-jira[bot] commented 5 months ago

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-846.

This message was autogenerated

nsklikas commented 4 weeks ago

I think that this was implemented by https://github.com/canonical/identity-platform-admin-ui/pull/370 and https://github.com/canonical/identity-platform-admin-ui/pull/339, can we close it @BarcoMasile?

BarcoMasile commented 4 weeks ago

Yes, thank you!