Policies / authorization rules #453

@oharsta

Checklist for the implementation of PdP policies in Access. The strikethrough lines indicate what is currently in Dashboard / Manage, but which we don't want anymore:

  • Only fetch Policies just-in-time when the institution admin visits the detail page of an application which is connected to the IdP (e.g. allowedEntries in Manage) with a custom MongoDB query
  • The institution admin has full access to all policies where the policy IdP is his / her IdP and the SP is connected to the SP / RP
  • Use the regular / generic MetaData API and not the specific PdP API in Manage (which is currently used in Dashboard)
  • Implement the constraints for a user and policies in Access
  • The Identity Provider of a new Policy is always the Identity Provider of the User (if there are multiple IdPs with the same organization_guid, then the one that was used to log in is picked).
  • Add a syntax check for policy attribute values. See "Add syntax check on for policy attribute values", OpenConext-manage#478
  • Do we want the option to auto-generate the description?
  • Although the institution admin has full access, if the user who created the Policy is not the current user, then update or delete is not allowed
  • The Policy is always read-only when created in Manage

Do we want to allow for a Policy without an IdP, if the institution_guid of the application equals the institution_guid of the IdP of the institution admin? Maybe first investigate if there are many policies without IdPs?

Update Okke: currently there are no policies without IdP in production.
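
The access constraints from the checklist above, sketched as a single server-side decision function. This is an added example, not part of the original issue or the OpenConext code base; the `Policy` and `Admin` fields, the `origin` marker, and the reading of "connected" as "the application is connected to the admin's IdP" are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


@dataclass(frozen=True)
class Policy:
    idp: str          # entity ID of the policy's IdP
    sp: str           # entity ID of the application (SP / RP)
    created_by: str   # user who created the policy
    origin: str       # "access" or "manage" (hypothetical marker)


@dataclass(frozen=True)
class Admin:
    user_id: str
    login_idp: str             # IdP used for this login session
    connected_sps: frozenset   # applications connected to that IdP


def is_allowed(admin: Admin, policy: Policy, action: Action) -> bool:
    """Decide whether an institution admin may perform action on policy."""
    # Tenant scope: the policy must belong to the admin's own IdP and to an
    # application connected to it. Anything else is out of reach.
    if policy.idp != admin.login_idp or policy.sp not in admin.connected_sps:
        return False
    if action is Action.READ:
        return True
    # Policies created in Manage are always read-only.
    if policy.origin == "manage":
        return False
    # Update and delete are reserved for the user who created the policy.
    return policy.created_by == admin.user_id


def new_policy(admin: Admin, sp: str, requested_idp: Optional[str] = None) -> Policy:
    """Create a policy; the IdP comes from the login session, never the request."""
    if sp not in admin.connected_sps:
        raise PermissionError("application is not connected to the admin's IdP")
    # requested_idp is deliberately ignored, so a client-supplied value cannot
    # place a policy under another institution's IdP.
    return Policy(idp=admin.login_idp, sp=sp, created_by=admin.user_id, origin="access")
```
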
