Updated by Dominic Bräunlein about 1 year ago
WP in openDesk: [work package 1178](https://project.opendesk.family/projects/openproject/work_packages/1178/activity) ([notification view](https://project.opendesk.family/notifications/details/1178/activity))
Let's use the description of this work package as editor
---
# **Gap analysis for openDesk regarding technical identifier in User Life Cycle Management**
## **Intro**
This gap analysis looks at different places where OpenProject currently interacts with a common identifier provided by Nubus and where it should do so in the future.
Since it was agreed to split the topic of [User Lifecycle Management](https://project.opendesk.family/projects/openproject/work_packages/720) into small parts, this gap analysis is only concerned with the provisioning requirements for the technical identifier. The gap analysis might still refer to some coarse target state outside the focus of this analysis, to clarify expectations. However, actions are only derived when the identified gap is **in scope.**
## Overview
| Area | Current State | Desired State | Identified Gap / Action Required |
| --- | --- | --- | --- |
| **Identifier format** | OpenProject stores the identifier in the identity URL and in remote identities; both are PostgreSQL VARCHAR columns without a size limit. Database encoding is Unicode. | | no action required |
| **Identifying users via common identifier** | OpenProject identifies users in the external IDP based on their identity URL, which is composed of an identifier for the IDP and the `sub` claim of the user's ID tokens. | Current state. Expecting to find the same identifier as the external ID in SCIM provisioning. | no action required as part of this gap analysis (SCIM out of scope) |
| **Identifying groups via common identifier** | OpenProject does not track an immutable, external identifier for generic groups, but synchronizing groups is supported through LDAP using their DN. | OpenProject tracks groups similarly to users, based on an identity URL. | **Action:** Groups need to support an identity URL as well |
| **APIs** | Some OpenProject APIs accept users only as internal IDs (e.g. when filtering work packages by assignee). An additional API request is needed to determine the internal ID of users. | Unclear. Possibly desirable to be able to use the common identifier for querying. | Changes are out of scope for this gap analysis |
| **LDAP** | Users are synchronized via LDAP without a common identifier (identity URL). Upon SSO login they are remapped onto LDAP-provisioned users via their email address. | Provisioning users via SCIM sets the identity URL as well, making user remapping unnecessary. | Changes are out of scope for this gap analysis |
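The two user-identification paths in the table (match on the identity URL built from the IDP identifier and `sub`; fall back to email remapping for LDAP-provisioned users that have no identity URL yet) as an added illustration in Ruby. This is not OpenProject's own code: the `"<idp>:<sub>"` identity URL format, the in-memory user records and the conflict rule for users already bound to a different `sub` are assumptions made here.

```ruby
# Constructed in-memory user records standing in for the users table.
# identity_url is nil for users that were provisioned via LDAP only.
USERS = [
  { id: 1, login: 'alice', mail: 'alice@example.org', identity_url: 'nubus:7f3a' },
  { id: 2, login: 'bob',   mail: 'bob@example.org',   identity_url: nil },  # LDAP-provisioned
  { id: 3, login: 'carol', mail: 'carol@example.org', identity_url: 'nubus:11d2' },
]

# Assumed identity URL format: "<idp identifier>:<sub claim of the ID token>".
def identity_url_for(provider, claims)
  sub = claims['sub']
  raise ArgumentError, 'ID token without sub claim' if sub.nil? || sub.empty?
  "#{provider}:#{sub}"
end

# Resolve the local user for a validated ID token.
# 1. Match on the stable identity URL (the common identifier).
# 2. Only a user that still lacks an identity URL (LDAP-provisioned) is remapped by
#    email; the identity URL is then stored so email is never used as identifier again.
# 3. A user already bound to a different sub is reported as a conflict, not re-bound.
def resolve_user(users, provider, claims)
  url = identity_url_for(provider, claims)
  if (user = users.find { |u| u[:identity_url] == url })
    return [:matched, user]
  end
  candidate = users.find { |u| u[:mail].casecmp?(claims['email'].to_s) }
  return [:unknown, nil] if candidate.nil?
  return [:conflict, candidate] unless candidate[:identity_url].nil?
  candidate[:identity_url] = url
  [:remapped, candidate]
end
```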
## Details
TBD
## **Summary**
OpenProject is fit to deal with a generic, stable identifier for users. Groups are not currently identified through a common identifier, which would need to be established.