[OAK-9799] Optional validator to mark external users/groups as protected - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.44.0
Component/s: auth-external
Labels:
None

Description

when synchronizing external identities into the oak repository the users/groups are marked with a rep:externalId property but are otherwise accessible through the repository's user management API.
today this means that synced external identities can be modified like local users/groups if the editing session has sufficient permission to do so.

the aim of the improvement request is to optionally mark synced identities as 'protected' which would only allow system internal tasks (i.e. update upon re-sync) to write those external users/groups but prevent updates of properties or member information through regular JCR sessions. to discuss if removal of these external users should still be permitted.

cc: insuafer as we discussed this improvement in a private conversation.

Attachments

Issue Links

is related to

OAK-9902 Configuration for ExternalUserValidator

Closed

OAK-9803 Extend DynamicSyncHandler to allow for dynamic groups

Closed

requires

OAK-9812 TokenConfigurationImpl does not define Context

Closed

links to

GitHub Pull Request #604

Activity

People

Assignee:: Angela Schreiber

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 10/Jun/22 12:48

Updated:: 16/Aug/22 15:15

Resolved:: 27/Jun/22 14:16