Question by Dan Redman, Feb 8, 2019 7:58 PM

Clarification on granted identity updates

I want to make sure I understand granted identities within the context of a Push Source security identity provider.

  1. I'm unclear on whether there is a difference and what the difference is when defining the wellKnowns property within an IdentityBody vs. MappedIdentityBody.
  2. I'm assuming that omitting a previously defined wellKnown in an updated identity definition is the same as removing that identity from the wellKnown group, correct?

IOW, if at time t1, I define an identity similar to the example listed on Adding or Updating a Single Security Identity that contains a granted identity:

{
  "identity": {
    "name": "SampleGroup",
    "type": "GROUP"
  },
  "members": [
    {
      "name": "asmith@example.com",
      "type": "USER"
    },
    {
      "name": "SampleVirtualGroup",
      "type": "VIRTUALGROUP"
    }
  ],
  "wellKnowns": [
    {
      "name": "Domain Users",
      "type": "GROUP"
    }
  ]
}

then at time t2, I update that identity to omit the granted identity, the identity is then no longer associated to that granted identity once the security cache is refreshed, correct?

{
  "identity": {
    "name": "SampleGroup",
    "type": "GROUP"
  },
  "members": [
    {
      "name": "asmith@example.com",
      "type": "USER"
    },
    {
      "name": "SampleVirtualGroup",
      "type": "VIRTUALGROUP"
    }
  ],
  "wellKnowns": []
}

That is to say that the principle of omitting an item from a previously defined identity is the means by which to remove that association, just as if I were to omit one of the members of the group from the group identity at time t2, correct?

Thanks in advance!

1 Reply
Answer by aemery, Feb 10, 2019 2:19 PM

Hi Dan,

1. There's no difference between setting the well-known when pushing the identity itself or its mappings. Simply be aware that if you push the identity with a well-known and then push the mapping without the well-known, that identity will be removed from the well-known group. Simply put, you should always specify the well-knowns in both calls.

2. Correct, repushing an identity and removing the well-known will effectively remove that identity from the well-known group. In general, that is true for every PUT call in the Push API: it overrides the previous document or identity.

Alex
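
A pre-push check for the override behaviour described in the answer above, as an added example that is not part of the original thread and not Coveo's own code: it lists the associations an updated body would drop, and flags well-knowns that appear in only one of the identity and mapping bodies. The function names and the constructed `MAPPED` body are assumptions; only the `members` and `wellKnowns` keys shown in the question's JSON are read.

```python
def _pairs(body, key):
    """Set of (name, type) pairs listed under `key`; a missing key counts as empty."""
    return {(e["name"], e["type"]) for e in body.get(key) or []}


def dropped_by_update(previous, updated):
    """Associations present in `previous` but absent from `updated`.

    Since a PUT overrides the stored identity, these are exactly the
    memberships and well-known grants the update would remove.
    """
    return {key: sorted(_pairs(previous, key) - _pairs(updated, key))
            for key in ("members", "wellKnowns")}


def well_knowns_mismatch(identity_body, mapped_body):
    """Well-knowns listed in only one of the two bodies.

    A non-empty result means whichever call is pushed last would silently
    change the identity's well-known group membership.
    """
    return sorted(_pairs(identity_body, "wellKnowns")
                  ^ _pairs(mapped_body, "wellKnowns"))


# Constructed sample data mirroring the t1 and t2 bodies in the question.
T1 = {
    "identity": {"name": "SampleGroup", "type": "GROUP"},
    "members": [
        {"name": "asmith@example.com", "type": "USER"},
        {"name": "SampleVirtualGroup", "type": "VIRTUALGROUP"},
    ],
    "wellKnowns": [{"name": "Domain Users", "type": "GROUP"}],
}
T2 = dict(T1, wellKnowns=[])

# Constructed mapping body: only its wellKnowns key is inspected here.
MAPPED = {"identity": T1["identity"], "wellKnowns": []}

if __name__ == "__main__":
    print("dropped by t2 update:", dropped_by_update(T1, T2))
    print("identity vs mapping mismatch:", well_knowns_mismatch(T1, MAPPED))
```

Running the diff against the last body you pushed, before each PUT, makes an unintended permission change visible before the security cache refresh applies it.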