[MAGNOLIA-8156] Sane security defaults to onboard users by simple assignment Created: 21/Aug/19  Updated: 23/Jan/24

Status: Selected
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Epic Priority: Major
Reporter: Mikaël Geljić Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: mpc
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MLEARN-20 Use the role-based memory neural netw... Closed
dependency
relation
is related to MGNLTEST-63 Provide users, groups and roles used ... Closed
supersession
supersedes MGNLDEMO-361 Eric can edit & publish while Peter i... Closed
supersedes MGNLWORKFLOW-397 editors group is missing permissions Closed
Template:
Epic Name: Sane Default Roles & Groups
Acceptance criteria:
[ ] No need to decorate app descriptors.
[ ] No need to add or copy from demo-modules.
[ ] Basic roles grant appropriate JCR and web access for editors and publishers.
[ ] New roles/groups are upgraded carefully (not to conflict with project entries), or are only applied to fresh installs.
[ ] Sane defaults should be present even in the empty-webapp.
[ ] Content Types become available to editors and publishers with no ceremony.
[ ] DX Core features such as Personalization or the Stories app are available to editors by default.
[ ] (internal) Design for implementing personas in functional-tests easily.
[ ] All dependencies are updated in the cloud webapp.
Date of First Response:

Description

As of Magnolia 6.2, onboarding new users typically requires project security setup boilerplate. Our goal is to provide sane defaults for user security, so that onboarding new editors or publishers is a simple assignment to a group or role. This holds true regardless of whether users are managed internally (JCR) or externally mapped via LDAP or SSO. Content-based or per-app permissions are out-of-scope.

In particular, here are several shortcomings:

  1. Projects need to define their own groups (in the Security app or via bootstrapping), and guess which product roles to grant them.
  2. The Workflow module provides two roles: editor and publisher. They only grant permissions to a fixed set of semi-arbitrary workspaces: website, dam, category and contacts (!). Stories and Personalization segments, for example, are not covered.
  3. There is no default role other than superuser that grants web access to the Admincentral.
  4. Content Types only grant R/W access to the superuser role, upon autoCreate.


Comments
Comment by Mikaël Geljić [ 21/Aug/19 ]

One note: the publish action currently means two different things depending on whether workflow is installed for an app or not.
With workflow: editors hit the publish action (meaning they start a publication request/workflow).
Without workflow: publishers hit the immediate publish action.

The publisher role may come from the publishing module too.

Comment by Anja von Gunten [ 20/Feb/20 ]

I would vote for User management but sgasa has been researching this topic. What would be the best name for the app?

Comment by Saimir Gasa [ 20/Feb/20 ]

IMHO, IAM (Identity and Access Management) would be the all-encompassing term for it. 

Comment by Simon Lutz [ 20/Feb/20 ]

If we change it, then simplification would be the goal.
User management makes most sense to me too.

Comment by Saimir Gasa [ 20/Feb/20 ]

Simply "User Management" would leave out the Access Management part and would just not be accurate. But then again, it's been called 'Security' for so long and I don't know how/if it's been confusing at all.

Comment by Julie Legendre [ 25/Feb/20 ]

I second the IAM suggestion.

Comment by Martin Drápela [ 25/Feb/20 ]

1) I'd stay with Security. It's been there for a long time, everybody knows what to expect behind it. New users will understand quickly.

2) If you really want to change, I would vote for any of the following four (preference top > bottom):

a) Access Control
   (nice and short)

b) Access & Permissions
   derived from:

c) Identity & Access
   after:

d) Identity Management
   (the official en-wiki page URL title is https://en.wikipedia.org/wiki/Identity_management )

IAM - would make me complain "OMG another abbreviation!" and look around for what this might by Jove mean. Bit ambiguous, see https://en.wikipedia.org/wiki/IAM

Comment by Mikaël Geljić [ 18/Aug/21 ]

Repurposing this ticket as epic for the sane security defaults. Name of the Security app is out of scope - assignment may be done externally.

Generated at Mon Feb 12 04:30:09 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.