[MAGNOLIA-8156] Sane security defaults to onboard users by simple assignment
Created: 21/Aug/19 | Updated: 23/Jan/24
| Status: | Selected |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Epic | Priority: | Major |
| Reporter: | Mikaël Geljić | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | mpc |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
|
| Template: |
|
| Epic Name: | Sane Default Roles & Groups |
| Acceptance criteria: |
[ ] No need to decorate app descriptors.
[ ] No need to add or copy from demo-modules.
[ ] Basic roles grant appropriate JCR and web access for editors and publishers.
[ ] New roles/groups are upgraded carefully (not to conflict w/ project entries), or are only applied to fresh installs.
[ ] Sane defaults should be present even in the empty-webapp.
[ ] Content Types become available to editors and publishers with no ceremony.
[ ] DX Core features such as Personalization or Stories app are available to editors by default.
[ ] (internal) Design for implementing personas in functional-tests easily.
[ ] All dependencies are updated in cloud webapp.
|
| Date of First Response: | |
| Description |
|
As of Magnolia 6.2, onboarding new users typically requires project security setup boilerplate. Our goal is to provide sane defaults for user security, so that onboarding new editors or publishers is a simple assignment to a group or role. This holds true regardless of whether users are managed internally (JCR) or externally mapped via LDAP or SSO. Content-based or per-app permissions are out-of-scope. In particular, here are several shortcomings:
|
| Comments |
| Comment by Mikaël Geljić [ 21/Aug/19 ] |
|
One note: the publish action currently means two different things depending on whether workflow is installed for an app or not. The publisher role may come from the publishing module too. |
| Comment by Anja von Gunten [ 20/Feb/20 ] |
|
I would vote for User management but sgasa has been researching this topic. What would be the best name for the app? |
| Comment by Saimir Gasa [ 20/Feb/20 ] |
|
IMHO, IAM (Identity and Access Management) would be the all-encompassing term for it. |
| Comment by Simon Lutz [ 20/Feb/20 ] |
|
If we change it, then simplification would be the goal. |
| Comment by Saimir Gasa [ 20/Feb/20 ] |
|
Simply User Management would leave the Access Management part out and would just not be accurate. But then again, it's been called 'Security' for so long and I don't know how/if it's been confusing at all. |
| Comment by Julie Legendre [ 25/Feb/20 ] |
|
I second the IAM suggestion. |
| Comment by Martin Drápela [ 25/Feb/20 ] |
|
1) I'd stay with Security. It's been there for a long time, everybody knows what to expect behind it. New users will understand quickly.
2) If you really want to change, I would vote for any of the following four (preference top > bottom):
a) Access Control
b) Access & Permissions
c) Identity & Access
after:
d) Identity Management
IAM - would make me complain "OMG another abbreviation!" and look around for what this might by Jove mean. Bit ambiguous, see https://en.wikipedia.org/wiki/IAM: |
| Comment by Mikaël Geljić [ 18/Aug/21 ] |
|
Repurposing this ticket as epic for the sane security defaults. Name of the Security app is out of scope.