From: Krzysztof B. <kb...@un...> - 2020-08-01 22:05:40

Dear Sander,

On 31.07.2020 at 07:49, Sander Apweiler wrote:
> Dear Krzysztof,
>
> We encountered a problem with the names of groups which were created by
> group administrators in the upman endpoint. The name of the group which is
> released in the groups attribute differs from the name which the user
> entered. It seems that unity creates a name randomly and the entered name
> is only used as display name.
>
> I agree that the group administrators should only enter one name and
> not two like the unity administrators can do. But the information is
> used for group based access management on service provider level. If
> the group name differs from the name which was entered by the group
> administrators, this is not possible.
>
> What is the reason for the randomly generated group names? Can this
> behaviour be changed?

The group "internal" name, or its identifier, is set in stone. On the other hand the displayed name can be changed at will.

If an admin can define the internal name, then it will typically have a semantic name. And this leads to trouble ("err I named it /cookies, but should be /chockolate-bars really"). Also group names, when used externally, should not rely on the displayed name but on some stable id, which is the internal name. BTW in the full unity this should be the same, and is not only because of the legacy of in-file configurations, where software cannot assign ids on its own.

All in all I would advise to simply use the identifiers externally, especially in policies. If this is hard, let me know why precisely; chances are I'll be able to help, as we use this approach in many non-upman scenarios too. Or if not, we can think about an improvement then.

Best
Krzysztof