Comments (4)
I'm not sure if I understood what you mean by "It appears that if principals are managed through Roles or Groups on the provider's side, a process is triggered where tenants must apply and the provider must approve." In the tenant/provider model we support, the provider doesn't really get to approve anything. The role is either delegated to the tenant or the tenant provides a group to be included in the role, and neither one requires the provider's approval.
Currently, there are no features planned where the provider can impose restrictions on role membership.
What kind of conditions were you referring to?
"Currently, there are no features planned where the provider can impose restrictions on role membership."
Thank you for your response. I understand that there are no plans in place.
"What kind of conditions were you referring to?"
"It appears that if principals are managed through Roles or Groups on the provider's side, a process is triggered where tenants must apply and the provider must approve."
I apologize for not being able to convey the information appropriately.
This is a requirement for our operational procedures.
The provider is looking to limit the principals to whom permissions are granted.
The provider intends to reduce the effort required for tenant verification by ensuring that only principals who adhere to pre-established rules can be added to the tenant's group.
If you're using the provider/tenant concepts as we have intended, then the provider delegates the role membership to the tenant and as such it has no control over what the tenant can include in the delegated role. The provider does not control the tenant's domain and as such it will never have the capability to impose restrictions on the delegated role.
So if the provider wants to impose restrictions it must be done within its own roles and not delegate the role to the tenant's domain.
But your requirement is still somewhat generic. What are some examples of the "pre-established rules"?
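As an added illustration of the two shapes described in the reply above (this is example configuration written for this page, not taken from the thread or from the Athenz project), here are the ZMS role and policy objects for a delegated role next to a provider-owned role. The domain names `provider` and `tenant`, the role name `storage-writers`, the resource `provider:storage.tenant.*` and the member principals are placeholders chosen for the example.

```json
{
  "delegated_to_tenant": {
    "provider_domain": {
      "role": {
        "name": "provider:role.storage-writers",
        "trust": "tenant"
      },
      "policy": {
        "name": "provider:policy.storage-writers",
        "assertions": [
          {
            "role": "provider:role.storage-writers",
            "resource": "provider:storage.tenant.*",
            "action": "write",
            "effect": "ALLOW"
          }
        ]
      }
    },
    "tenant_domain": {
      "role": {
        "name": "tenant:role.storage-writers",
        "roleMembers": [
          { "memberName": "tenant.api" },
          { "memberName": "user.alice" }
        ]
      },
      "policy": {
        "name": "tenant:policy.storage-writers",
        "assertions": [
          {
            "role": "tenant:role.storage-writers",
            "resource": "provider:role.storage-writers",
            "action": "assume_role",
            "effect": "ALLOW"
          }
        ]
      }
    }
  },
  "owned_by_provider": {
    "provider_domain": {
      "role": {
        "name": "provider:role.storage-writers",
        "roleMembers": [
          { "memberName": "tenant.api" }
        ]
      },
      "policy": {
        "name": "provider:policy.storage-writers",
        "assertions": [
          {
            "role": "provider:role.storage-writers",
            "resource": "provider:storage.tenant.*",
            "action": "write",
            "effect": "ALLOW"
          }
        ]
      }
    }
  }
}
```

In the first shape the provider role carries only `trust`; the `roleMembers` list and the `assume_role` assertion that binds it live in the tenant's domain, which is why the provider has nothing to approve or restrict there. In the second shape the `roleMembers` list sits in the provider's own domain, so any rule about who may be added (for example, rejecting `user.*` principals) has to be enforced by whoever administers that domain.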
"If you're using the provider/tenant concepts as we have intended, then the provider delegates the role membership to the tenant and as such it has no control over what the tenant can include in the delegated role. The provider does not control the tenant's domain and as such it will never have the capability to impose restrictions on the delegated role.
So if the provider wants to impose restrictions it must be done within its own roles and not delegate the role to the tenant's domain."
Thank you for your detailed response. I will convey this information to the users.
"But your requirement is still somewhat generic. What are some examples of the 'pre-established rules'?"
For instance, we would like to impose restrictions such as preventing services from the user domain from being registered with roles, or allowing only services from CopperArgos to be registered with roles.
Thank you for your response. With your assistance, it seems that we will be able to provide an answer to the users.
I will proceed to close the ticket.
We appreciate your cooperation and look forward to continuing our collaboration.