CERN: Lightweight accounts support

[labkode]

Accounts that they do not have a personal home space but can access (ro/ rw) any shared space (Project Spaces and Shares).

[labkode]

@dragotin

Not really CERN specific, guest accounts exist in OC10: https://owncloud.com/features/guest-users/#:~:text=The%20Guest%20User%20feature%20empowers,share%20additional%20files%20with%20it.

[butonic]

While the lightweight account code has been merged we plan to support guest accounts with roles. Currently, reva calls CreateHome for every user. We should only make the CreateHome call for accounts that should be autoprovisioned. For guests that is not the case. We can identify guests based on their role or the idp.

Anyway, even if the CreateHome call fails (eg because it already exists) the user is allowed to login. So guest / lightweight accounts should be able to login. The /graph/v1.0/me/drives endpoint will not list a personal space for them. The question is if the clients can deal with that. They should hide the UI for the users home space and not expect every user to have a personal space.

• [ ] web @kulmann
• [ ] desktop client @TheOneRing
• [ ] android client @abelgardep
• [ ] ios client @felix-schwarz
• [ ] ocdav service when using legacy /webdav url?

[kulmann]

What should the initial view of the files app be for web? Shares? At the moment web is not capable of dealing with no personal space being available, because the personal view is the default route of the files app.

[TheOneRing]

I'd expect the desktop client to work as expected.

[felix-schwarz]

The iOS client currently sees the personal space as just another space among many, so I'd expect this to just work.

[abelgardep]

The android client does not support spaces yet

[kulmann]

What should the initial view of the files app be for web? Shares? At the moment web is not capable of dealing with no personal space being available, because the personal view is the default route of the files app.

@labkode could you give a statement on this?

[labkode]

@kulmann this is what we give:

[kulmann]

@kulmann this is what we give:

Thanks, so the requirement is actually to just show a customizable welcome screen? No files related view needed as initial view, correct?

[labkode]

@kulmann correct, however access to Shares and Projects is still needed.

[kulmann]

@kulmann correct, however access to Shares and Projects is still needed.

Thats clear. Was just referring to the initial view :-)

[labkode]

Work in progress

[pmaier1]

This feature is on the roadmap for 2022 (after GA). It basically boils down to two parts a) A user invitation workflow (1. using integrated LDAP, 2. using external IDP provisioning API) b) A user role "Guest" that does incorporate the respective permission set (e.g., "owns a personal space")

[kulmann]

From my point of view we can treat the lightweight accounts like normal User-role users in ocis. Backend side we'd need to make sure that the lightweight accounts don't have a drive of type personal in the /me/drives response. If we can make that possible we can implement in web that the Personal nav item would be omitted and instead show a welcome page with customizable content (via theme.json).