Wiki source code of Managing Authorizations
Last modified by chaney08 on 2021/07/20 19:58
IAM can be used to manage authorization within EBRAINS in the following way.

EBRAINS services (including the Collaboratory's wiki, drive and lab services) have specific features which are not systematically accessible to all users. Such features can typically be grouped into two types:

* the authorization to perform a specific action
* the authorization to consume more resources than others

Roles in IAM are implemented as simple labels. A role can be attached directly to a user, a group or a unit, thereby granting that role respectively to that user, to all the users in that group and its sub-groups/sub-units, or to all the users in that unit and its sub-units.

An EBRAINS service is represented in IAM by its authentication client, or OIDC client.

Attaching a role to an OIDC client indicates that this client will take that role into account. Attaching the role to a user (directly or via a Unit or Group) gives that user the corresponding authorization.
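The attachment rule above (a role on a group or unit reaches every user in that group or unit and in its sub-groups/sub-units, while a role on a user applies to that user only) modelled in Python as an added example. This is not IAM's own code: the Container class, the effective_roles function and the sample hierarchy are constructed for illustration.

```python
"""Added example, not IAM/EBRAINS code: how a role label attached to a user,
a group or a unit propagates to the members of that container and of its
sub-groups/sub-units. Data model, function names and sample data are
assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass
class Container:
    """A group or a unit: direct members, directly attached roles, children."""
    name: str
    members: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    children: list = field(default_factory=list)


def effective_roles(user: str, direct_user_roles: dict, top_level: list) -> set:
    """Return every role label that applies to `user`.

    Roles attached directly to the user always apply. Each container tree is
    walked from its top level; the roles attached to every ancestor are carried
    down, so a role attached to a group or unit also reaches members of all its
    sub-groups/sub-units. Roles of a child never flow back up to the parent.
    """
    granted = set(direct_user_roles.get(user, ()))
    stack = [(container, frozenset()) for container in top_level]
    while stack:
        container, inherited = stack.pop()
        applicable = inherited | container.roles
        if user in container.members:
            granted |= applicable
        for child in container.children:
            stack.append((child, applicable))
    return granted


# Constructed sample hierarchy; the names are placeholders, not real EBRAINS units or groups.
LAB_UNIT = Container("unit:lab", members={"alice"})
ORG_UNIT = Container("unit:org", roles={"feature:authenticate"}, children=[LAB_UNIT])
WIKI_DEVS = Container("group:wiki-devs", members={"bob"}, roles={"feature:create_app"})
ADMINS = Container("group:admins", members={"erin"}, roles={"feature:create_group"},
                   children=[WIKI_DEVS])
USER_ROLES = {"carol": {"feature:create_group"}}  # roles attached directly to a user
TOP_LEVEL = [ORG_UNIT, ADMINS]


def roles_for(user: str) -> set:
    """Effective roles of a user in the sample hierarchy."""
    return effective_roles(user, USER_ROLES, TOP_LEVEL)


def is_authorized(user: str, role: str) -> bool:
    """Authorization decision for one action; an unknown user gets nothing (fail closed)."""
    return role in roles_for(user)


if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "erin", "dave"):
        print(u, sorted(roles_for(u)))
```

In the sample, alice receives feature:authenticate only because it is attached to the parent unit of the unit she belongs to, and bob receives feature:create_group from the parent group in addition to feature:create_app from his own group; erin, who is only in the parent group, does not receive the child group's role.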

== __Public roles__ ==

Some roles are public, i.e. all OIDC client applications have the possibility of viewing whether a given user has the role. Other roles are private, i.e. only applications that have that role attached have the possibility of viewing whether a given user has the role.

==== In all services ====

**feature:authenticate:** This role allows a user who has it to be authenticated by an OIDC client that is linked to the role.

An OIDC client application without the role allows any EBRAINS user account to authenticate to that app.

An OIDC client application with the role is only accessible to EBRAINS user accounts with that role.

==== In the Collaboratory.wiki service ("xwiki") ====

**feature:create_app:** This role allows the user to create an App Within Minutes in Collaboratory.wiki.

==== In the Collaboratory service Group ("group") ====

**feature:create_group:** This role allows the user to create a Group in IAM.

== __How your OIDC client app can check a user's roles__ ==

In order to identify the roles of a given user, an OIDC client application can fetch the user's token and call the userinfo API endpoint. See the [[documentation>>doc:Collabs.the-collaboratory.Documentation IAM.FAQ.OIDC Clients explained.Authenticating with your OIDC client and fetching collab user info.WebHome]] and a [[sample notebook>>doc:Collabs.the-collaboratory.Documentation IAM.FAQ.Accessing remote services with OAuth example]] on accessing a user's userinfo.
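A client-side role check of the kind described above, as an added example that is neither EBRAINS code nor the linked notebook. The userinfo URL is a placeholder and the layout of the role claim in the response is an assumption; the linked documentation is the reference for the real endpoint and response format. The decision helper denies when the claim is absent or malformed, so a client never grants a feature by accident.

```python
"""Added example, not EBRAINS code: an OIDC client application checking a
user's roles from the userinfo endpoint.

Assumptions: USERINFO_URL is a placeholder, and the roles are expected either
as a list of labels under a "roles" key or as a dict of such lists; adjust to
the real response format documented by the Collaboratory."""
import json
import urllib.request

USERINFO_URL = "https://iam.example.invalid/userinfo"  # placeholder, not the real endpoint


def fetch_userinfo(access_token: str, url: str = USERINFO_URL) -> dict:
    """Call the userinfo endpoint with the user's bearer token and return its JSON claims."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def roles_from_userinfo(userinfo: dict) -> set:
    """Extract the set of role labels from the claims (claim layout is an assumption)."""
    roles = userinfo.get("roles", [])
    if isinstance(roles, dict):
        # Some deployments group roles by category; flatten the lists.
        roles = [r for values in roles.values() for r in values]
    if not isinstance(roles, (list, tuple, set)):
        raise TypeError("unexpected shape of the roles claim")
    return {str(r) for r in roles}


def require_role(userinfo: dict, role: str) -> bool:
    """Authorization decision for one feature.

    True only when the role label is present; a missing, empty or malformed
    claim denies (fail closed) rather than raising into the request handler.
    """
    try:
        return role in roles_from_userinfo(userinfo)
    except (AttributeError, TypeError):
        return False


def can_create_app(userinfo: dict) -> bool:
    """Gate for the Collaboratory.wiki feature described on this page."""
    return require_role(userinfo, "feature:create_app")


# Constructed sample response; not a real userinfo payload.
SAMPLE_USERINFO = {
    "sub": "example-subject-id",
    "preferred_username": "alice",
    "roles": ["feature:authenticate", "feature:create_app"],
}

if __name__ == "__main__":
    # Live use would be: info = fetch_userinfo(token); can_create_app(info)
    print("create_app allowed:", can_create_app(SAMPLE_USERINFO))
    print("create_group allowed:", require_role(SAMPLE_USERINFO, "feature:create_group"))
```

Keep the authorization decision on the server side of your application: the userinfo claims are fetched with the user's token, but the check itself must run in your backend, not in code the user can alter.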

== __How to add a role for and/or to your OIDC client app__ ==

Contact [[support>>url:https://ebrains.eu/support]] to add an existing role for your service or to add a new role specifically to your service. Mention the words "IAM role" in your request to the Collaboratory service.