Default permission on external login

[olivierlambert]

We should be able to configure default permission on external login (eg LDAP, SAML…). Right now, the created user doesn't have any permissions.

It was asked to have "viewer" permission on everything. Maybe we could have a config in the TOML file with default permission for external users? (eg non, viewer, operator, admin).

[julien-f]

There are no viewer or operator permissions, only user and admin.

viewer and operator are ACL roles, I'm not sure how that could be implemented.

[olivierlambert]

I'll ask the people who request to see if admin is acceptable or not.

[julien-f]

It's a system admin, it gives access to backups, users management, XOA upgrade, etc.

[olivierlambert]

That might be OK to them. I'll summon them.

[julien-f]

@olivierlambert What's the answer on this?

[olivierlambert]

I need the requesters to come here to discuss more in depth. Ping @vgallissot

[vgallissot]

Hi there :wave: ! With SAML, we can pass some args as a payload, to the callback URL on XOA and depending of the incoming user, we can specify either read-only-user or admin.

For us, we would like:

1. a default read-only-user ACL, with allows any logged person to read only,
2. if the logged user has a specific role: Admin parameter in the SAML callback payload, then it can be granted role admin

The idea is to manage XOA admins directly from our SAML tool and not manually for each user on XOA.

Have I given you enough information?

[olivierlambert]

We'll do it in 3 steps:

1. Via the config file, allow to put all successfully authenticated used from an external source to be admin by default
2. Read the SAML/other output during connection to decide if admin or not
3. Automatically assign ACLs depending on SAML settings