Identity manages the following entities for a tenant:
- user
- role
- permissions
- permittable group
- service token (for a future version)
- certain data saved per tenant (listed below)
A user consists of the following:
- identifier (unique within the scope of the tenant)
- password hash (plus associated data such as the per-user, variable salt)
- password expiration date
- role
- service tokens (for a future version)
A role consists of the following:
- identifier (unique within the scope of the tenant)
- permissions
A permission consists of the following:
- whether it permits change (POST and PUT), read (GET and HEAD), or delete (DELETE) operations
- identifier of the permittable group to which it applies
A permittable group consists of the following:
- a unique identifier, usually provided by the microservice for which the permittable group is defined
- list of URIs of the endpoints included in the group (without scheme, domain, or port, but including the service name and version)
A designator consists of the following (for a future version):
- a URL specifying the meaning of a placeholder in a permission URL
A service token consists of the following (for a future version):
- name (unique for the user)
- description
- role (the permissions of this role must be a subset of the permissions of the user's role)
- creation date
- last accessed date
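The entity definitions above amount to an authorization model: a request is allowed when the user's role holds a permission whose operation class covers the HTTP method and whose permittable group lists the endpoint being requested, and a service token's role is acceptable only when its permission set is a subset of the user's. The following is an added illustration of that model, not code from the identity service: the class and function names, the treatment of a "{name}" segment as a single-segment wildcard, and all sample groups, roles and users are assumptions made for this example.

```python
"""Model of the Identity permission entities described above.

Added illustration, not code from the identity service: the class names,
the brace-placeholder matching of endpoint URIs and all sample data below
are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    """Operation classes, grouping HTTP methods as the permission definition does."""
    CHANGE = frozenset({"POST", "PUT"})
    READ = frozenset({"GET", "HEAD"})
    DELETE = frozenset({"DELETE"})

    @classmethod
    def for_method(cls, method):
        """Map an HTTP method to its class; None for methods no permission covers (e.g. PATCH)."""
        upper = method.upper()
        for op in cls:
            if upper in op.value:
                return op
        return None


@dataclass(frozen=True)
class PermittableGroup:
    identifier: str        # usually assigned by the owning microservice
    endpoints: frozenset   # URI templates: no scheme/host/port, but service name and version


@dataclass(frozen=True)
class Permission:
    op: Op
    group_id: str


@dataclass(frozen=True)
class Role:
    identifier: str
    permissions: frozenset  # set of Permission


@dataclass(frozen=True)
class User:
    identifier: str
    role: Role


# The reserved "disabled" role: an empty permission set, so every check below fails.
DISABLED = Role("disabled", frozenset())


def _matches(template, path):
    """Exact segment match; a "{name}" segment matches any single non-empty segment
    (assumption: stands in for the placeholder/designator mechanism of a future version)."""
    t_segs = template.strip("/").split("/")
    p_segs = path.split("?", 1)[0].strip("/").split("/")   # ignore the query string
    if len(t_segs) != len(p_segs):
        return False
    return all(
        t == p or (t.startswith("{") and t.endswith("}") and p != "")
        for t, p in zip(t_segs, p_segs)
    )


def is_allowed(user, method, path, groups):
    """Deny unless the user's role holds a permission whose operation class covers
    the method and whose permittable group lists an endpoint matching the path."""
    op = Op.for_method(method)
    if op is None:
        return False
    for perm in user.role.permissions:
        group = groups.get(perm.group_id)
        if group is None or perm.op is not op:
            continue
        if any(_matches(tpl, path) for tpl in group.endpoints):
            return True
    return False


def token_role_is_valid(user, token_role):
    """A service token's role may only grant permissions the user's own role grants."""
    return token_role.permissions <= user.role.permissions


# Constructed sample data (group identifiers and endpoints are made up for the example).
CASES = PermittableGroup("portfolio__cases",
                         frozenset({"/portfolio/v1/cases", "/portfolio/v1/cases/{caseid}"}))
CUSTOMERS = PermittableGroup("customer__customers", frozenset({"/customer/v1/customers"}))
GROUPS = {g.identifier: g for g in (CASES, CUSTOMERS)}

LOAN_OFFICER = Role("loan_officer", frozenset({
    Permission(Op.READ, "portfolio__cases"),
    Permission(Op.CHANGE, "portfolio__cases"),
    Permission(Op.READ, "customer__customers"),
}))
CASE_READER = Role("case_reader", frozenset({Permission(Op.READ, "portfolio__cases")}))
CASE_DELETER = Role("case_deleter", frozenset({Permission(Op.DELETE, "portfolio__cases")}))

ALICE = User("alice", LOAN_OFFICER)
MALLORY = User("mallory", DISABLED)

if __name__ == "__main__":
    print(is_allowed(ALICE, "PUT", "/portfolio/v1/cases/42", GROUPS))     # True
    print(is_allowed(ALICE, "DELETE", "/portfolio/v1/cases/42", GROUPS))  # False
    print(is_allowed(MALLORY, "GET", "/portfolio/v1/cases", GROUPS))      # False
    print(token_role_is_valid(ALICE, CASE_DELETER))                       # False
```

Two points the model makes explicit: a method outside the three classes (PATCH, OPTIONS) has no permission that could cover it and is therefore denied by default, and the subset rule for service tokens is a plain set comparison on (operation class, group) pairs, so a token can never widen what its user may already do.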
The data saved for the tenant in identity includes:
- public and private key used to sign tokens
- fixed salt used for server-side password hashing
- password for the admin. The admin is a stored user in isis; her permissions can be changed.
- how long a user's password is valid between password changes.
- how long the grace period is during which a user can still change a password after it has expired.
A special note about identifiers (for example user identifier, role name, and service token name):
- These names are used to reference their respective REST resources and must therefore URL-encode to themselves, i.e. contain only characters that URL encoding leaves unchanged.
The users "seshat" and "guest" cannot be created; they have a special meaning for anubis and are therefore reserved.
The role "disabled" cannot be created or deleted. Assigning this role to a user takes away all of that user's permissions and therefore disables the user.
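The identifier rule and the reserved names above translate into a creation-time check. The following is an added illustration, not code from the identity service; the function names are assumptions made for this example. Note the safe="" argument: with Python's default (safe="/") a name containing a slash would pass the round-trip test even though it would split the resource path, and a name containing "%" is rejected because "%41" encodes to "%2541" but decodes to "A", so it would not reference itself.

```python
"""Identifier checks for creating users and roles, as described above.

Added illustration, not code from the identity service; the function names
are assumptions made for this example.
"""
from urllib.parse import quote

RESERVED_USERS = frozenset({"seshat", "guest"})   # special meaning for anubis
RESERVED_ROLES = frozenset({"disabled"})          # built in; cannot be created or deleted


def identifier_is_url_safe(identifier):
    """True if the identifier URL-encodes to itself.

    safe="" makes "/" percent-encoded as well, so a slash fails the test;
    "%" fails too, since "%41" would encode to "%2541" and decode to "A".
    """
    return identifier != "" and quote(identifier, safe="") == identifier


def check_new_user_identifier(identifier):
    """None if a user with this identifier may be created, otherwise the reason it may not."""
    if not identifier_is_url_safe(identifier):
        return "identifier must URL-encode to itself"
    if identifier in RESERVED_USERS:
        return "reserved user name"
    return None


def check_new_role_identifier(identifier):
    """None if a role with this identifier may be created, otherwise the reason it may not."""
    if not identifier_is_url_safe(identifier):
        return "identifier must URL-encode to itself"
    if identifier in RESERVED_ROLES:
        return "reserved role name"
    return None


if __name__ == "__main__":
    for name in ("alice", "alice smith", "a/b", "%41", "seshat"):
        print(repr(name), "->", check_new_user_identifier(name))
```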