Content

Updated by Jan Sandbrink 4 days ago

WP in openDesk [https://project.opendesk.family/notifications/details/1178/activity](https://project.opendesk.family/notifications/details/1178/activity)

Let's use the description of this work package as editor

\---

# **Gap analysis for openDesk regarding Begin of the insertiontechnical identifier inEnd of the insertion User Life Cycle Management**

 

## **Intro**

Begin of the insertionThis gap analysis looks at different places where OpenProject currently interacts with a common identifier provided by Nubus and where it should do so in the future.End of the insertion Begin of the deletion ~~...~~End of the deletion

Begin of the insertionSince it was agreed to split the topic of [User Lifecycle Management](https://project.opendesk.family/projects/openproject/work_packages/720) into small parts, this gap analysis is only concerned with the provisioning requirements for the technical identifier. The gap analysis might still refer to some coarse target state aside from the focus of this analysis, to clarify expectations. However actions are only derived when the identified gap is **in scope.**End of the insertion Begin of the deletion ~~ ~~End of the deletion

## Overview

Begin of the deletion ~~Short explanation~~

End of the deletion <figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><thead class="op-uc-table--head"><tr class="op-uc-table--row"><th class="op-uc-table--cell op-uc-table--cell_head" style="width:170px;">Area</th><th class="op-uc-table--cell op-uc-table--cell_head">Current State</th><th class="op-uc-table--cell op-uc-table--cell_head">Desired State</th><th class="op-uc-table--cell op-uc-table--cell_head">Identified Gap / Action Required</th></tr></thead><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell">Identifier format</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p">UUID Handling</td><td~~End of the deletion class="op-uc-table--cell">OpenProject Begin of the insertionstores identifier in identity URL andEnd of the insertion Begin of the deletion ~~user identification,~~End of the deletion remote Begin of the insertionidentities, both are PG VARCHAR columns without a size limit. Database encoding is Unicode.</td><tdEnd of the insertion Begin of the deletion ~~identities</td><td~~End of the deletion class="op-uc-table--cell"> </td><td class="op-uc-table--cell"><ul class="op-uc-list"><li class="op-uc-list--item">no action required</li></ul></td></tr><trEnd of the insertion Begin of the deletion ~~op-uc-p">Save UUID in existing remote identity attribute</li></ul></td></tr><tr~~End of the deletion class="op-uc-table--row"><td class="op-uc-table--cell">Identifying users via common identifier</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p">Groups</td><td~~End of the deletion class="op-uc-table--cell">OpenProject identifies users in external IDP based on their identity url which is composed of an identifier for the IDP and the <code class="op-uc-code">sub</code> indicated by ID tokens of the user.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell">Current state. Expecting to find same identifier as external ID in SCIM provisioning.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell"><ul class="op-uc-list"><li class="op-uc-list--item">no action required as part of this gap analysis (SCIM out of scope)</li></ul></td></tr><trEnd of the insertion Begin of the deletion ~~op-uc-p">Add remote identities to groups</li></ul></td></tr><tr~~End of the deletion class="op-uc-table--row"><td class="op-uc-table--cell">Identifying groups via common identifier</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p">Lifecycle Management</td><td~~End of the deletion class="op-uc-table--cell">OpenProject does not track an immutable, external identifier for generic groups, but synchronizing groupsEnd of the insertion Begin of the deletion ~~class="op-uc-p">&nbsp;lifecycle stages (creation, suspension, deletion) e.g. user deletion~~End of the deletion is Begin of the insertionsupported through LDAP using their DN.</td><tdEnd of the insertion Begin of the deletion ~~first a deactivation with async deletion</td><td~~End of the deletion class="op-uc-table--cell">OpenProject tracks groups similar to users, based on an identity url.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell"><ul class="op-uc-list"><li class="op-uc-list--item">Action: Groups need to support identity url as well</li></ul></td></tr><trEnd of the insertion Begin of the deletion ~~op-uc-p">maybe that needs changes</li></ul></td></tr><tr~~End of the deletion class="op-uc-table--row"><td class="op-uc-table--cell">APIs</td><td class="op-uc-table--cell">Some OpenProject APIs accept users only as internal IDs (e.g. when filtering workpackages by assignee). An additional API request is needed to determine internal ID of users.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell">Unclear. Possibly desirable to be able to use common identifier for querying.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell"><ul class="op-uc-list"><li class="op-uc-list--item">Changes are out of scope for this gap analysis</li></ul></td></tr><trEnd of the insertion Begin of the deletion ~~op-uc-p">API endpoints that &nbsp;are missing or need changes</li></ul></td></tr><tr~~End of the deletion class="op-uc-table--row"><td class="op-uc-table--cell">LDAP</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p">Logging</td><td~~End of the deletion class="op-uc-table--cell">Users are synchronized via LDAP without a common identifier (identity url). Upon SSO login they are remapped onto LDAP-provisioned users via their email address.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell">Provisioning users via SCIM sets the identity url as well, making user remapping unnecessary.</td><tdEnd of the insertion Begin of the deletion ~~class="op-uc-p"> </td><td~~End of the deletion class="op-uc-table--cell"><ul class="op-uc-list"><li class="op-uc-list--item">Changes are out of scope for this gap analysis</li></ul></td></tr></tbody></table></figure> End of the insertion Begin of the deletion ~~op-uc-p">Full logging strategy with User context helpers or frameworks used</li></ul></td></tr></tbody></table></figure>~~End of the deletion

Begin of the deletion ~~ ~~

End of the deletion ## Details

Begin of the insertionTBDEnd of the insertion Begin of the deletion ### **Current State**End of the deletion

Begin of the deletion 1. UUID Handling

2. Groups

3. ...

End of the deletion ### Begin of the insertion

End of the insertion Begin of the deletion **Desired state**

1. UUID Handling

2. Groups

3. ...

### **Gap**

1. UUID Handling

2. Groups

3. ...

End of the deletion ## **Summary**

Begin of the insertionOpenProject is fit to deal with a generic, stable identifier for users. Groups are not currently identified through a common identifier, which would need to be established.End of the insertion Begin of the deletion ~~Difficulties, Uncertainties, Blockers, open questions, how we feel about it (Estimated of PDs needed?)~~End of the deletion

Back

Top Menu

Side Menu

Content