Open billabongrob opened 8 months ago
so we do this in a maybe backwards way. in our okta, users have fields in their profile like `department: "platform"`, `team: "developer-experience"` which we use to populate `UserEntity.spec.memberOf` in our `userTransformer`. in our `groupTransformer` we just set `spec.children: []`. backstage stitches together the proper relationships behind the scenes.

i don't know if these fields are the default for an okta organization or if it's something custom to our org.

anyway, curious if you're asking for some new support in the provider to do this or just an example in the readme?
@zhammer I think an example in the README would be super helpful. In our org, members are directly added to groups with `team` or `department` not coming into the mix.

I'm almost thinking we'd need to use either something like `user.listGroups()` to propagate `UserEntity.spec.memberOf` or... `group.listUsers()` to propagate `spec.children: []` to propagate this correctly, but I don't believe that functionality is implemented now?
hm i'm still a bit confused here. sorry for the delay on this as well. to clarify, does the user that comes from okta have some field that maps it to its group? then you can do something like
```ts
// Imports assumed for this snippet: adjust to whatever types your provider exports.
import { UserEntity } from '@backstage/catalog-model';
import { User as OktaUser } from '@okta/okta-sdk-nodejs';

const userTransformer = (user: OktaUser): UserEntity => {
  return {
    apiVersion: 'backstage.io/v1alpha1',
    kind: 'User',
    metadata: {
      name: user.profile!.username!,
    },
    spec: {
      profile: {
        displayName: user.profile!.displayName!,
        email: user.profile!.email!,
      },
      // here, user profile has a "group" field (a custom Okta profile attribute) that
      // has the name of their group, which matches the name of the group object
      // returned by the okta groups api
      memberOf: [user.profile!.group],
    },
  };
};
```
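As an added example (not code from this issue or from the Okta provider plugin), here is the department/team mapping from the first comment above plus the group-name matching the snippet above relies on. The Okta SDK and Backstage types are replaced by minimal structural stand-ins so it runs without those packages; the normalisation rule and the membership check are my additions, not the plugin's behaviour.

```typescript
// Stand-in types (assumed shapes, not the real Okta SDK / Backstage types).
type OktaProfile = { login?: string; displayName?: string; email?: string; department?: string; team?: string };
type OktaUserLike = { profile?: OktaProfile };
type OktaGroupLike = { profile: { name: string } };
type UserEntityLike = { apiVersion: string; kind: 'User'; metadata: { name: string }; spec: { profile: { displayName?: string; email?: string }; memberOf: string[] } };
type GroupEntityLike = { apiVersion: string; kind: 'Group'; metadata: { name: string }; spec: { type: string; children: string[] } };

// Backstage entity names allow [a-zA-Z0-9] plus '-', '_', '.' and are capped at 63
// characters. Both transformers must apply the same normalisation, otherwise a
// memberOf reference silently fails to resolve and the user ends up in no group.
export function toEntityName(raw: string): string {
  return raw.trim().toLowerCase().replace(/[^a-z0-9._-]+/g, '-').replace(/^[-._]+|[-._]+$/g, '').slice(0, 63);
}

// Derive group names from the department/team profile attributes.
export function groupsFromProfile(profile: OktaProfile | undefined): string[] {
  if (!profile) return [];
  const names: string[] = [];
  for (const v of [profile.department, profile.team]) {
    const n = typeof v === 'string' ? toEntityName(v) : '';
    if (n !== '' && names.indexOf(n) === -1) names.push(n); // skip empty and duplicate names
  }
  return names;
}

export const userTransformer = (user: OktaUserLike): UserEntityLike | undefined => {
  const p = user.profile;
  if (!p || !p.login) return undefined; // a user with no login cannot get a valid entity name
  return {
    apiVersion: 'backstage.io/v1alpha1', kind: 'User',
    metadata: { name: toEntityName(p.login) },
    spec: { profile: { displayName: p.displayName, email: p.email }, memberOf: groupsFromProfile(p) },
  };
};

// Groups carry no members; Backstage builds the reverse relation from memberOf.
export const groupTransformer = (group: OktaGroupLike): GroupEntityLike => ({
  apiVersion: 'backstage.io/v1alpha1', kind: 'Group',
  metadata: { name: toEntityName(group.profile.name) },
  spec: { type: 'team', children: [] },
});

// Check worth running on every sync: memberOf targets with no matching Group entity
// resolve to nothing, so any RBAC rule keyed on that group never applies to the user.
export function unresolvedMemberships(users: UserEntityLike[], groups: GroupEntityLike[]): string[] {
  const known = groups.map(g => g.metadata.name);
  const missing: string[] = [];
  for (const u of users) for (const m of u.spec.memberOf) if (known.indexOf(m) === -1) missing.push(`${u.metadata.name} -> ${m}`);
  return missing;
}
```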
It's all good. Nature of the OSS community. The user does come from Okta; however, it is not coming with any groups in the profile response.
Right now, this plugin has consumed all users and groups for my organization; however, the membership to those groups is not being ingested at this point, based on the default configuration of the README for the plugin. It would be good to be able to associate this so as to leverage the built-in backstage permissions model and RBAC that some others have made available.