External Permissions
External Permissions are permissions which do not control access to anything in the TIS system itself. Instead, they give access to external functions defined by the apps and services that read them. TIS stores the metadata of these permissions and the record of which user holds which external permission, and it grants and revokes those permissions through its APIs and user interfaces.
Defining External Permissions
External Permissions are organised into External Permission Groups. Every permission under one group is managed by the same people and visible to the same clients and apps. Your application will probably need only one or a few permission groups to cover its use cases. Create a new permission group only if the permissions have different management or visibility requirements.
Creating new External Permission Groups requires a built-in permission “Manage External Permissions”.
Create a new External Permission Group. Configure
- who can manage the group and the permissions under it (with read or read+write access),
- who can grant and revoke those permissions, and
- which clients can view these permissions.
Then create External Permissions in the group. You can specify an external ID, which is a code you might use in your application and which is provided through the external permission query APIs.
Permission management with management console
Open the External Permissions view from the main menu. In the table view you will see the permission groups you have at least read access to. You can create, edit, and remove permission groups and permissions within them.
Permission management with API
TODO
Granting and revoking external permissions
TODO / Requirements for granting and revoking
With management console
Open the Accounts view. Select a user. Select “External permissions” from the Actions menu. A dialog will open showing the user’s external permissions, together with options to revoke or grant more permissions.
With Management API
TODO
Querying user’s external permissions
When querying as a user, the calling user will see only permissions from permission groups to which they have read-level management access.
When querying with Management API Client credentials, the client will see only permissions from permission groups where it is on the “visible to” list.
When querying with an OAuth2 app, the app will see only permissions from permission groups where it is on the “visible to” list.
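The three visibility rules above decide what a caller learns about a user's external permissions. The following model is an added example written for this page, not TIS code: the data structures (group, manager access levels, “visible to” list, grant records) and the sample groups, users and permission codes are all constructed here to illustrate the filtering, and the function names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    """Management access a user can hold on a permission group."""
    READ = "read"
    READ_WRITE = "read+write"


@dataclass
class ExternalPermission:
    permission_id: str   # internal identifier of the permission
    external_id: str     # code the consuming application works with


@dataclass
class PermissionGroup:
    name: str
    managers: dict                      # user id -> Access; who manages the group
    visible_to: set                     # client / app ids allowed to view the group
    permissions: list = field(default_factory=list)


def visible_groups(caller_kind, caller_id, groups):
    """Return the groups the caller may see.

    user   -> groups where the caller has management access (read counts, so
              read or read+write both qualify)
    client -> groups whose "visible to" list contains the client id
    app    -> groups whose "visible to" list contains the app id
    """
    if caller_kind == "user":
        return [g for g in groups if caller_id in g.managers]
    if caller_kind in ("client", "app"):
        return [g for g in groups if caller_id in g.visible_to]
    raise ValueError(f"unknown caller kind: {caller_kind!r}")


def query_user_permissions(caller_kind, caller_id, subject_user, groups, grants):
    """External IDs of the permissions `subject_user` holds, restricted to the
    groups `caller` is allowed to see. Permissions from other groups are never
    disclosed, even though the user holds them."""
    held = grants.get(subject_user, set())
    result = []
    for group in visible_groups(caller_kind, caller_id, groups):
        for perm in group.permissions:
            if perm.permission_id in held:
                result.append(perm.external_id)
    return sorted(result)


# --- constructed sample data (not from any real deployment) -----------------
BILLING = PermissionGroup(
    name="billing",
    managers={"alice": Access.READ_WRITE, "bob": Access.READ},
    visible_to={"billing-app"},
    permissions=[
        ExternalPermission("p1", "INVOICE_VIEW"),
        ExternalPermission("p2", "INVOICE_APPROVE"),
    ],
)
REPORTING = PermissionGroup(
    name="reporting",
    managers={"alice": Access.READ_WRITE},
    visible_to={"reports-client"},
    permissions=[ExternalPermission("p3", "REPORT_EXPORT")],
)
GROUPS = [BILLING, REPORTING]

# user id -> permission ids granted to that user
GRANTS = {"carol": {"p1", "p2", "p3"}}


if __name__ == "__main__":
    for kind, who in [("user", "alice"), ("user", "bob"), ("user", "dave"),
                      ("client", "reports-client"), ("app", "billing-app")]:
        print(kind, who, "->", query_user_permissions(kind, who, "carol", GROUPS, GRANTS))
```

Note that `bob`, who has only read access on the billing group, sees carol's billing permissions but nothing from the reporting group, and an API client or app on no “visible to” list gets an empty result rather than an error; the filter disclosing nothing about groups outside the caller's scope is the property to preserve in any real implementation.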
With management console
Open the Accounts view. Select a user. Select “External permissions” from the Actions menu. A dialog will open showing the user’s external permissions, together with options to revoke or grant more permissions.
With Management API
TODO
With OpenID Connect claims and UserInfo endpoint
TODO