Sub-task
Resolution: Won't Do
Major
- Expectation is that there is documentation saying whether or not we take this approach or the current audit logging approach
CRCPLAN-233 - AuthZ | PRBAC v2 Customer Migration to Workspaces
Platform A&M Sprint 71, Platform A&M Sprint 72, Platform A&M Sprint 73, Platform A&M Sprint 74, Platform A&M Sprint 75, Access & Management Sprint 76, Access & Management Sprint 77, Access & Management Sprint 78, Access & Management Sprint 79, Access & Management Sprint 80, Access & Management Sprint 81, Access & Management Sprint 82, Access & Management Sprint 83, Access & Management Sprint 84, Access & Management Sprint 85, Access & Management Sprint 86, Access & Management Sprint 87, Access & Management Sprint 88, Access & Management Sprint 89, Access & Management Sprint 90, Access & Management Sprint 91, Access & Management Sprint 92, Access & Management Sprint 93, Access & Management Sprint 94, A&M Tech Debt Q10, Access & Management Sprint 95, Access & Management Sprint 95, Access & Management Sprint 96, Access & Management Sprint 97, Access & Management Sprint 98, Access & Management Sprint 99, Access & Management Sprint 100
Discuss with the team whether we should use the PDP as a source for these audits. What about metadata?
- Implement RBAC's own access controls within SpiceDB with the relations API, then
- Use the PDP as an audit logger (anything integrated with PDP would get audit logger for free)
- Impact: Adjustment to API to be an actual replacement - not just checks, but successful actions (add, binding, etc.)
<From previous discussion>
- Possibility (pending spike): using the PDP endpoint as an "audit logger" has been discussed. A simple use case would be:
1) To enable some options, the UI will use the PDP endpoint: "can user X create a cluster". This results in the UI enabling the "create cluster" button (probably no audit logging).
2) The action of the user creating the cluster: clicks the button -> OCM -> PDP -> allows cluster creation (requires audit logging).
A suggestion might be to start with a simple bool "auditlog", defaulting to "false", in the request for the PDP check.
Output should include an ADR-type document for the decision the team is making.