List: wsf-javascript-dev
Subject: Re: [Dev] [IS-5.3.0] User experience for self signed-up users in dashboard app in a default pack
From: Ayesha Dissanayaka <ayesha () wso2 ! com>
Date: 2016-11-29 14:40:03
Message-ID: CA+35JNhbJ9sSMjJ2cTJXZ9Kbx0TbzxAOqaDU1NBS-POYhmxZbg () mail ! gmail ! com
Hi
Related to interacting with gadgets in the dashboard app, I have evaluated the
operation-level permissions required for logged-in users in order to work
with gadgets properly. I have summarized the services used, operations and
permissions required in [1].
Some of the service operations require more permissions than
*/permission/admin/login*, which is the only permission assigned to
self-signed-up users.
Therefore self-signed-up users are unable to properly interact with the following
gadgets:
- Account Recovery
- My Profile
- Associated Accounts
- Authorized Apps
Looking at the information given in [1] (marked in red), will it be OK
to change those permissions to */permission/admin/login*, and which
permissions should we keep as they are and assign to the selfsignup role?
[1]
https://docs.google.com/a/wso2.com/spreadsheets/d/1DH8OWQ_VdA2xgPSjV-uEpj4tWpLDBxqQY2EO-xLL8T4/edit?usp=sharing
Thanks!
-Ayesha
On Thu, Oct 27, 2016 at 10:36 PM, Isura Karunaratne <isura@wso2.com> wrote:
> login permission is required for following gadgets
>
> - Update user profile : It uses UserProfileMgtService
> - Setting security questions : It uses UserIdentityManagementAdminService
> - Change password : It uses UserIdentityManagementAdminService
> - Account association
> - Authorized Apps
> - Pending approvals (This requires some additional permission too)
>
> As you mentioned, we can remove authorization check in most of these
> gadgets.
>
> So, +1 to remove the login permission requirement from the user portal. It
> will be good for user experience.
>
>
> Thanks
> Isura.
>
>
> *Isura Dilhara Karunaratne*
> Senior Software Engineer | WSO2
> Email: isura@wso2.com
> Mob : +94 772 254 810
> Blog : http://isurad.blogspot.com/
>
>
>
>
> On Thu, Oct 27, 2016 at 10:30 AM, Johann Nallathamby <johann@wso2.com>
> wrote:
>
> > Hi Isura,
> >
> > Why do we need the "login" permission for the user portal? Only for workflow
> > approvals and user session termination do we need some specific
> > permissions. Shall we remove the requirement to have the "login" permission to
> > log in to the user portal? I guess removing it from the portal might not be
> > enough. Services such as user profile, account association and authorized apps
> > may also need to be modified to check only for authentication.
> >
> > Wdyt?
> >
> > On Thu, Oct 27, 2016 at 8:50 PM, Ayesha Dissanayaka <ayesha@wso2.com>
> > wrote:
> >
> > >
> > > On Thu, Oct 27, 2016 at 6:56 PM, Johann Nallathamby <johann@wso2.com>
> > > wrote:
> > >
> > > > Why do we need to have the login permission for the "selfsignup" role? We don't
> > > > need to. The "login" permission is to log in to the management console. We don't
> > > > expect self-signup users to log in to the management console. They can only
> > > > log in to the dashboard, and for that we should not need the "login" permission. Can
> > > > you check if the dashboard functions without the "login" permission?
> > >
> > >
> > > I tested removing the 'login' permission from the "selfsignup" role, and the user
> > > is unable to log in to the dashboard app without the 'login' permission.
> > >
> > > With the below logs in the console:
> > > [2016-10-27 20:47:17,346] ERROR {org.wso2.carbon.identity.authenticator.saml2.sso.SAML2SSOAuthenticator} - Authentication Request is rejected. Authorization Failure.
> > > [2016-10-27 20:47:17,347] WARN {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - Failed Administrator login attempt 'Ayesha[-1234]' at [2016-10-27 20:47:17,347+0530]
> > >
> > >
> > >
> > > --
> > > *Ayesha Dissanayaka*
> > > Software Engineer,
> > > WSO2, Inc : http://wso2.com
> > > 20, Palmgrove Avenue, Colombo 3
> > > E-Mail: ayesha@wso2.com <ayshsandu@gmail.com>
> > >
> >
> >
> >
> > --
> > Thanks & Regards,
> >
> > *Johann Dilantha Nallathamby*
> > Technical Lead & Product Lead of WSO2 Identity Server
> > Governance Technologies Team
> > WSO2, Inc.
> > lean.enterprise.middleware
> >
> > Mobile - *+94777776950*
> > Blog - *http://nallaa.wordpress.com*
> >
>
>
--
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com
20, Palmgrove Avenue, Colombo 3
E-Mail: ayesha@wso2.com <ayshsandu@gmail.com>
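The question in the message above (which operations a role holding only /permission/admin/login can call, and which nodes to add to the selfsignup role without over-granting) can be checked mechanically. The script below is an added example, not code from this thread or from WSO2 Identity Server. It assumes Carbon-style tree semantics for permissions (a role holding a node is authorized for that node and every descendant); the gadget-to-operation-to-permission mapping is constructed for the example, with the two service names taken from the thread and the operation names and all permission nodes other than /permission/admin/login being hypothetical placeholders for the values in the spreadsheet [1].

```python
"""Least-privilege audit of a Carbon-style permission tree for one role.

Added example, not code from the thread or from WSO2 Identity Server.
Assumption: a granted permission node authorizes itself and every
descendant (tree semantics). The mapping below is CONSTRUCTED sample data.
"""

LOGIN = "/permission/admin/login"

# Constructed sample: gadget -> {service operation: required permission node}.
# Service names for the first two gadgets come from the thread; operation
# names and the non-login permission nodes are hypothetical placeholders.
GADGET_OPERATIONS = {
    "My Profile": {
        "UserProfileMgtService.getUserProfile": LOGIN,
        "UserProfileMgtService.setUserProfile":
            "/permission/admin/manage/identity/usermgt/update",
    },
    "Account Recovery": {
        "UserIdentityManagementAdminService.getAllChallengeQuestions": LOGIN,
        "UserIdentityManagementAdminService.setChallengeQuestionsOfUser":
            "/permission/admin/manage/identity/identitymgt/update",
    },
    "Associated Accounts": {
        "AccountAssociation.list": LOGIN,
        "AccountAssociation.create":
            "/permission/admin/manage/identity/usermgt/update",
    },
    "Authorized Apps": {
        "AuthorizedApps.list":
            "/permission/admin/manage/identity/applicationmgt/view",
    },
    "Pending Approvals": {
        "WorkflowRequests.list":
            "/permission/admin/manage/humantask/viewtasks",
    },
}

# The only permission the thread says self-signed-up users hold.
SELFSIGNUP_PERMISSIONS = frozenset({LOGIN})


def is_authorized(granted, required):
    """Tree semantics (assumed): a granted node authorizes itself and all of
    its descendants. Appending '/' before the prefix test stops a node such as
    /permission/admin/log from wrongly authorizing /permission/admin/login."""
    for node in granted:
        if required == node or required.startswith(node.rstrip("/") + "/"):
            return True
    return False


def blocked_operations(role_permissions, gadgets=GADGET_OPERATIONS):
    """Gadget -> sorted list of operations the role cannot call."""
    blocked = {}
    for gadget, ops in gadgets.items():
        denied = sorted(op for op, need in ops.items()
                        if not is_authorized(role_permissions, need))
        if denied:
            blocked[gadget] = denied
    return blocked


def unusable_gadgets(role_permissions, gadgets=GADGET_OPERATIONS):
    """Gadgets with at least one operation the role cannot call."""
    return sorted(blocked_operations(role_permissions, gadgets))


def minimal_grant(role_permissions, wanted, gadgets=GADGET_OPERATIONS):
    """Exact nodes to add to the role so that every operation of the `wanted`
    gadgets is authorized. Granting the exact nodes instead of an ancestor such
    as /permission/admin/manage keeps the role least-privilege; verify with
    collateral_grants()."""
    needed = set()
    for gadget in wanted:
        for need in gadgets[gadget].values():
            if not is_authorized(role_permissions, need):
                needed.add(need)
    return sorted(needed)


def collateral_grants(new_nodes, wanted, gadgets=GADGET_OPERATIONS):
    """Operations of gadgets outside `wanted` that `new_nodes` would also
    unlock. A non-empty result means the grant is broader than intended."""
    extra = []
    for gadget, ops in gadgets.items():
        if gadget in wanted:
            continue
        for op, need in ops.items():
            if is_authorized(new_nodes, need):
                extra.append((gadget, op))
    return sorted(extra)


if __name__ == "__main__":
    wanted = ["Account Recovery", "Associated Accounts", "Authorized Apps", "My Profile"]
    print("unusable with login only:", unusable_gadgets(SELFSIGNUP_PERMISSIONS))
    grant = minimal_grant(SELFSIGNUP_PERMISSIONS, wanted)
    print("nodes to add to selfsignup:", grant)
    print("collateral from exact nodes:", collateral_grants(grant, wanted))
    print("collateral from /permission/admin/manage:",
          collateral_grants(["/permission/admin/manage"], wanted))
```

Run as-is it reports that every gadget in the sample is unusable with /permission/admin/login alone, lists the three exact nodes that would unlock the four gadgets named in the message, and shows that granting the parent node /permission/admin/manage instead would also unlock the workflow-approval operation, which is exactly the kind of over-grant the thread wants to avoid for a self-signup role.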
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev