
Comments (4)

havetisyan commented on July 24, 2024

I'm not sure if I understood what you mean by "It appears that if principals are managed through Roles or Groups on the provider's side, a process is triggered where tenants must apply and the provider must approve.". In the tenant/provider model we support, the provider doesn't really get to approve anything. The role is either delegated to the tenant or the tenant provides a group to be included in the role and neither one requires provider's approval.

Currently, there are no features planned where the provider can impose restrictions on role membership.

What kind of conditions were you referring to?


ricordanza commented on July 24, 2024

> Currently, there are no features planned where the provider can impose restrictions on role membership.

Thank you for your response. I understand that there are no plans in place.

> What kind of conditions were you referring to?
> "It appears that if principals are managed through Roles or Groups on the provider's side, a process is triggered where tenants must apply and the provider must approve.".

I apologize for not being able to convey the information appropriately.
This is a requirement for our operational procedures.

The provider is looking to limit the principals to whom permissions are granted.
The provider intends to reduce the effort required for tenant verification by ensuring that only principals who adhere to pre-established rules can be added to the tenant's group.


havetisyan commented on July 24, 2024

If you're using the provider/tenant concepts as we have intended, then the provider delegates the role membership to the tenant and as such it has no control over what the tenant can include in the delegated role. The provider does not control the tenant's domain and as such it will never have the capability to impose restrictions on the delegated role.

So if the provider wants to impose restrictions it must be done within its own roles and not delegate the role to the tenant's domain.

But your requirement is still somewhat generic. What are some examples of the "pre-established rules"?


ricordanza commented on July 24, 2024

> If you're using the provider/tenant concepts as we have intended, then the provider delegates the role membership to the tenant and as such it has no control over what the tenant can include in the delegated role. The provider does not control the tenant's domain and as such it will never have the capability to impose restrictions on the delegated role.
>
> So if the provider wants to impose restrictions it must be done within its own roles and not delegate the role to the tenant's domain.

Thank you for your detailed response. I will convey this information to the users.

> But your requirement is still somewhat generic. What are some examples of the "pre-established rules"?

For instance, we would like to impose restrictions such as preventing services from the user domain from being registered with roles, or allowing only services from CopperArgos to be registered with roles.

Thank you for your response. With your assistance, it seems that we will be able to provide an answer to the users.
I will proceed to close the ticket.
We appreciate your cooperation and look forward to continuing our collaboration.
I will proceed to close the ticket.

