Users can be added to the Dega application from Kavach. The current implementation is as follows:
If the added user is an owner in Kavach, they automatically get admin access in Dega, meaning they have access to all the spaces and can perform any action, including creating new policies and adding other users.
If the added user is a member in Kavach, they have no policy initially. They will be able to access the application, but will not be able to perform any action whose access is defined through policies.
The second point above creates a dependency of Dega on Kavach: when we change a user's role from owner to member in Kavach, we also have to change that user's policies in Dega. This should not be the case.
Here is what I propose for changes in Dega:
Create a default policy called admin, whose access rules cannot be changed, when a space is created. That way we can assign the users who are allowed to make any modification at the space level to the admin policy.
A new space in an organization should only be created by users in Kavach with owner access. I believe this is the case already.
When a new space is created, the user creating the space should be assigned to the admin policy by default.
The workflow for creating a new space should be modified so that both admins and members with other default policies can be added.
If we follow the above process, changing a user's role from owner to member and vice versa will not impact the access policies in Dega, because the user's access at the application level will depend purely on the access policies: we would be eliminating the assumption that an owner in Kavach should be an admin in Dega.
We also need to confirm that when a user is removed in Kavach, they are removed from Dega as well, from within the policies. Currently, Oathkeeper will restrict the user from accessing the application, but I am not sure if we are removing the users from the Dega policies itself. Meaning, the user might still show up in the policies in Dega Studio.
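The rules proposed above, modelled in Go as an added illustration (this is not Dega's code; the types, the "*" wildcard rule and the action names are assumptions made here): every new space gets an immutable admin policy holding its creator, access checks consult space policies only, and removing a user strips them from every policy.

```go
package main

import "errors"

// Hypothetical model of the proposed Dega rules; not Dega's own code.
const AdminPolicy = "admin"
var ErrAdminImmutable = errors.New("admin policy rules cannot be changed")
type Policy struct{ Rules, Members map[string]bool } // granted actions, assigned users
type Space struct{ Policies map[string]*Policy }

// NewSpace gives every new space an admin policy granting all actions ("*") and puts the creator in it.
func NewSpace(creator string) *Space {
	admin := &Policy{Rules: map[string]bool{"*": true}, Members: map[string]bool{creator: true}}
	return &Space{Policies: map[string]*Policy{AdminPolicy: admin}}
}

// SetPolicy creates or updates a policy's rules (constructed action names); admin rules cannot be changed.
func (s *Space) SetPolicy(name string, rules map[string]bool) error {
	if name == AdminPolicy {
		return ErrAdminImmutable
	}
	p, ok := s.Policies[name]
	if !ok {
		p = &Policy{Members: map[string]bool{}}
		s.Policies[name] = p
	}
	p.Rules = rules
	return nil
}

// Can is decided by space policies alone; the user's Kavach role (owner/member) plays no part.
func (s *Space) Can(user, action string) bool {
	for _, p := range s.Policies {
		if p.Members[user] && (p.Rules["*"] || p.Rules[action]) {
			return true
		}
	}
	return false
}

// RemoveUser strips a user from every policy in the space; run it for each space when Kavach removes them.
func (s *Space) RemoveUser(user string) (removed int) {
	for _, p := range s.Policies {
		if p.Members[user] {
			delete(p.Members, user)
			removed++
		}
	}
	return removed
}
```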