Comments (2)
We've had some time to think through a design approach for implementing this feature, and observed that with the current AWS SSO admin and identity store APIs that are available, we won't be able to implement this feature 100%. As we do not want to have an incomplete feature rolled out in the solution, we've decided to park this feature request until AWS SSO updates their API specifications.
Details around the design limitation are described below:
- The current AWS SSO Identity Store's List Users and List Groups do not allow a wildcard-based call. These APIs expect the "filters" element in the payload to specify an attribute value.
- Additionally, AWS SSO admin APIs' account assignment operations require the GUID of the user/group the permission set is being assigned to as part of the API's payload.
- In our solution with the current design, we have EventBridge rules that listen on SSO group events (for local identity store, SCIM, and Active Directory based sources) that allow us to persist the mapping between friendly names and the GUIDs of the user groups. This allowed us to provide enterprise-friendly account assignment operations as a solution feature.
- However, when we looked at importing existing AWS SSO configuration into the solution, to enable customers to use our solution to manage access entitlements created outside of it, we noticed that there's no programmatic way for us to get hold of existing groups that were created prior to the solution's deployment. This means we won't be able to offer a way for you to manage your access entitlements using user groups created prior to the solution deployment.
- Therefore, we've decided to park this feature until the AWS SSO Identity Store API allows a wildcard-based search on the List Users and List Groups API operations, or alternatively provides a way to discover existing users/groups in the AWS SSO configuration.
from aws-iam-identity-center-extensions.
We've now worked out a mechanism to handle this feature. Instead of persisting user name to user ID and group display name to group ID mappings, the solution will now dynamically look up these values and will therefore not need a list API to get this information.
from aws-iam-identity-center-extensions.
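The lookup the comment above describes, as an added example that is not code from the aws-iam-identity-center-extensions project: a friendly name is resolved to its Identity Store id at the moment an account assignment is built, using the exact-match attribute filter the first comment says the List Users / List Groups APIs require, so no name-to-id mapping has to be persisted. The client interface, the field names and the in-memory store are assumptions: a simplified, synchronous model of the identitystore ListGroups/ListUsers and sso-admin CreateAccountAssignment request shapes (the real AWS SDK clients are asynchronous and carry more fields).

```typescript
// Added example, not project code. Client shapes below are a simplified,
// synchronous model of the AWS identitystore / sso-admin APIs (assumption).

type PrincipalType = "GROUP" | "USER";

interface AttributeFilter {
  AttributePath: string;  // "DisplayName" for groups, "UserName" for users
  AttributeValue: string; // exact value; the API accepts no wildcards
}

interface ListInput {
  IdentityStoreId: string;
  Filters: AttributeFilter[];
  NextToken?: string;
}

interface ListGroupsOutput { Groups: { GroupId: string; DisplayName: string }[]; NextToken?: string; }
interface ListUsersOutput { Users: { UserId: string; UserName: string }[]; NextToken?: string; }

interface IdentityStoreClient {
  listGroups(input: ListInput): ListGroupsOutput;
  listUsers(input: ListInput): ListUsersOutput;
}

// Simplified sso-admin CreateAccountAssignment request.
interface AccountAssignmentRequest {
  InstanceArn: string;
  TargetType: "AWS_ACCOUNT";
  TargetId: string;
  PermissionSetArn: string;
  PrincipalType: PrincipalType;
  PrincipalId: string;
}

class PrincipalResolutionError extends Error {}

// Resolve a friendly name to its id at call time. Fails closed on zero or
// multiple matches: an assignment must never go to a guessed principal.
function resolvePrincipalId(client: IdentityStoreClient, identityStoreId: string,
                            principalType: PrincipalType, name: string): string {
  const attributePath = principalType === "GROUP" ? "DisplayName" : "UserName";
  const ids: string[] = [];
  let nextToken: string | undefined;
  do {
    const input: ListInput = {
      IdentityStoreId: identityStoreId,
      Filters: [{ AttributePath: attributePath, AttributeValue: name }],
      NextToken: nextToken,
    };
    if (principalType === "GROUP") {
      const page = client.listGroups(input);
      for (const g of page.Groups) if (g.DisplayName === name) ids.push(g.GroupId);
      nextToken = page.NextToken;
    } else {
      const page = client.listUsers(input);
      for (const u of page.Users) if (u.UserName === name) ids.push(u.UserId);
      nextToken = page.NextToken;
    }
  } while (nextToken !== undefined);
  if (ids.length === 0) throw new PrincipalResolutionError(`no ${principalType} named "${name}"`);
  if (ids.length > 1) throw new PrincipalResolutionError(`${ids.length} ${principalType}s named "${name}"`);
  return ids[0];
}

// Build the assignment request; the id is looked up, not read from a stored mapping.
function buildAccountAssignment(client: IdentityStoreClient, identityStoreId: string,
                                instanceArn: string, accountId: string, permissionSetArn: string,
                                principalType: PrincipalType, name: string): AccountAssignmentRequest {
  return {
    InstanceArn: instanceArn,
    TargetType: "AWS_ACCOUNT",
    TargetId: accountId,
    PermissionSetArn: permissionSetArn,
    PrincipalType: principalType,
    PrincipalId: resolvePrincipalId(client, identityStoreId, principalType, name),
  };
}

// Constructed in-memory store so the example runs offline. It models the
// behaviour described in the comments: a filter is mandatory, matching is
// exact, and results come one record per page to exercise the NextToken loop.
class FakeIdentityStore implements IdentityStoreClient {
  private groups: { GroupId: string; DisplayName: string }[];
  private users: { UserId: string; UserName: string }[];
  constructor(groups: { GroupId: string; DisplayName: string }[], users: { UserId: string; UserName: string }[]) {
    this.groups = groups;
    this.users = users;
  }
  listGroups(input: ListInput): ListGroupsOutput {
    const p = onePage(this.groups.filter((g) => matches(input.Filters, "DisplayName", g.DisplayName)), input.NextToken);
    return { Groups: p.items, NextToken: p.next };
  }
  listUsers(input: ListInput): ListUsersOutput {
    const p = onePage(this.users.filter((u) => matches(input.Filters, "UserName", u.UserName)), input.NextToken);
    return { Users: p.items, NextToken: p.next };
  }
}

function matches(filters: AttributeFilter[], path: string, value: string): boolean {
  if (filters.length === 0) throw new Error("ValidationException: Filters is required");
  return filters.every((f) => f.AttributePath === path && f.AttributeValue === value);
}

function onePage<T>(items: T[], token?: string): { items: T[]; next?: string } {
  const start = token === undefined ? 0 : Number(token);
  return { items: items.slice(start, start + 1), next: start + 1 < items.length ? String(start + 1) : undefined };
}

// Constructed sample data; ids and ARNs are placeholders.
const demoStore = new FakeIdentityStore(
  [{ GroupId: "g-0001", DisplayName: "Developers" }, { GroupId: "g-0002", DisplayName: "Developers-Legacy" }],
  [{ UserId: "u-0001", UserName: "alice" }],
);
console.log(JSON.stringify(buildAccountAssignment(demoStore, "d-example",
  "arn:aws:sso:::instance/ssoins-example", "111122223333",
  "arn:aws:sso:::permissionSet/ssoins-example/ps-example", "GROUP", "Developers")));
```

Because the filter is an exact attribute match, "Developers" resolves only to g-0001 and never to the similarly named "Developers-Legacy"; a wildcard such as "Developers*" matches nothing and the lookup raises PrincipalResolutionError rather than falling back to a partial match.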
Related Issues (20)
- Update Deprecated Lambda Runtimes nodejs 12.x
- Workshop updates
- Unhandled exceptions when upgrading to 3.1.7
- Permission sets aren't provisioning in 3.1.7
- Unable to deploy 3.1.7
- Permission set doesn't update despite all good signs
- Trio of exception emails when uploading new permission sets
- Restricting creating Permission Sets without attaching the Permission Boundary for the same.
- yarn install doesn't work
- "User is missing the following permissions" error when trying to region switch
- 3.2.0 introduces resource update behaviour bugs for IAM roles
- Permission set schema doesn't handle NotAction and NotResource
- ThrottlingException
- Account provisioning does not work for tripple nested OUs
- Permission sets failing to create with no SNS error
- Option to make APIs / S3 uploads "always update" the solution
- Space in group or user name should raise error
- Add customer managed policy and permission boundaries
- Typo in Json Schema
- AWS SSO renamed to AWS IAM Identity Center