wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Removing the necessity of associating organisation roles with Applications #20158

Open DMHP opened 3 months ago

DMHP commented 3 months ago

There are two types of roles introduced from IS 7.0.0 onwards: “application audience roles” and “organization audience roles”. The “organization-audience” roles serve the purpose of being reused across multiple applications. The main use case of the “organization audience roles” is when an omnichannel application that uses the same set of roles is configured in IS as different applications (web app and mobile app). In addition to the aforementioned points, in the B2B use case, the roles related to B2B applications’ intended role audience should be available in sub-organizations to assign roles to users/groups of sub-organizations. This facilitates effective management of entitlements within the system.

The implementation of IS-7.0.0 aligns with achieving the above two main use cases.

There, the organization-audience roles needed to be explicitly associated with an application for role consumption in application authorization, mainly targeting the B2B use case where the requirement is to share all roles or a set of roles within the organizations. However, we noticed that the necessity for explicit association of organization roles with applications will raise a user experience issue for B2E applications. Even though the role creation is one-time, the developer has to navigate through all the required applications and associate the role.

To address the user experience issue mentioned above, the modification will be to remove the necessity to associate organization audience roles with applications. Then if an application is expected to consume the organization's audience roles, all the organization-level created roles will be effective.

DMHP commented 3 months ago

https://github.com/wso2/carbon-identity-framework/pull/5619
https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/2425
https://github.com/wso2-extensions/identity-organization-management/pull/357
https://github.com/wso2/identity-api-server/pull/604
https://github.com/wso2/identity-apps/pull/5922

DMHP commented 3 months ago

Remaining items.