Updated by Dominic Bräunlein about 1 year ago
**As** an administrator
**I want** OpenProject to be able to act as a SCIM server,
**so that** my centrally managed users and groups are also provisioned to OpenProject.

We want OpenProject to support the SCIM protocol for management of users and groups, to allow for central provisioning of users and groups. In contrast to synchronizing users through LDAP, where OpenProject has to pull information periodically, SCIM inverts the control flow, allowing for push-based user synchronization, and thus should make newly created users immediately available.

# User Problem
## User
* Administrators managing user synchronization between OpenProject and their identity provider (IdP).
## Problem
* Administrators need to keep OpenProject user data in sync with their IdP. Currently, they lack a standardized, automated way to handle user provisioning and de-provisioning.
## Pain
* Manual user management processes are time-consuming and error-prone.
* Lack of automation increases the risk of outdated or incorrect user data.
* No current support for SCIM-standard synchronization leads to additional integration complexities.
# Business Case
## Reach
* Medium: Affects enterprise customers using corporate IdPs needing automated user synchronization
## Impact
* High: Streamlines user management, reduces manual workload, and ensures accurate user data.
## Confidence
* Medium: Technical risks include ensuring API security and correct SCIM protocol implementation. Using an existing Ruby gem can mitigate some risks.
## Urgency and Priority
* Medium: The feature is planned for Enterprise Corporate plans and part of a larger goal to achieve a seamless cross application experience for users.
## Solution
* CRUD API endpoints implemented according to SCIM specification
* Actions executed via a designated system-level user (SCIM system user) or clarified alternative
* Only available for Enterprise (Corporate) plan customers
* Administrators can create, manage, and delete "system-level" Bearer tokens specifically for authenticating SCIM API requests
* System-level tokens restricted by scope, initially limited to SCIM API access
* Token creation accessible via Admin Authentication settings
## Out of Scope for the MVC
* Additional token scopes beyond SCIM API
* Custom attribute synchronization from IdP to OpenProject (to be clarified)
* Expiring tokens (to be clarified)
# Launch and Growth
## Measures
* Number of Enterprise customers adopting the SCIM API.
* Feedback on API ease of use and integration.
## Messaging
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><tbody><tr class="op-uc-table--row"><th class="op-uc-table--cell op-uc-table--cell_head"><p class="op-uc-p">Headline</p></th><td class="op-uc-table--cell"><p class="op-uc-p">Simplify User Management with SCIM API Integration for OpenProject</p></td></tr><tr class="op-uc-table--row"><th class="op-uc-table--cell op-uc-table--cell_head"><p class="op-uc-p">First Paragraph</p></th><td class="op-uc-table--cell"><p class="op-uc-p">OpenProject now supports automated user synchronization via SCIM API, enabling seamless integration with your identity provider. Simplify and secure user provisioning and de-provisioning while ensuring accurate user data across systems.</p></td></tr><tr class="op-uc-table--row"><th class="op-uc-table--cell op-uc-table--cell_head"><p class="op-uc-p">Customer Quote</p></th><td class="op-uc-table--cell"><p class="op-uc-p"><br></p></td></tr></tbody></table></figure>
## Go to market
* Inform partners and clients directly
* Promote the feature in the newsletter and a blog post, in product update blogs and in webinars.
* Highlight in the Enterprise plan feature list.

_**Open Questions:**_
_Should it be possible to deactivate the SCIM API?_
_Should a dedicated "SCIM User" be used?_
_What scopes will we have for the system-level bearer token?_
_Do system-level bearer tokens also need Enterprise Corporate plan activated?_
Do we need token expiration management?
Do we want custom attribute synchronization from IdP to OpenProject?