On 15/04/2019 13:31, ripedenis--- via db-wg wrote:

I have recently encountered issues in this area as well.  I would like to see the standard "non-billing" users to not only be allowed for the main resources but also for all sub-groups that appear under the LIR.  Currently, a user added as a regular LIR user does not have access to all RIPE NCC services:

Currently in the LIR there are 3 levels of users:
- Admin - The Administrator will have full access to RIPE NCC services plus the right to manage other LIR contacts
- Regular - The Operator will have full access to RIPE NCC services
- Billing - The Billing user will have access to RIPE NCC billing information only

Only by adding that user as SSO under the mntner will the user have access to all LIR sub-groups.

Also, now that RPKI is picking up steam, I would like to see an additional level of user known as RPKI - which means the user can have access to all RIPE NCC RPKI services, including creating ROAs and anything else related to RPKI.

Regards,
Hank

Colleagues

I think we have now agreed on these problem and solution definitions:

Problem Definition

LIRs would like a mechanism to easily add/remove users to centralised SSO authentication groups for maintaining objects in the RIPE Database.


Solution Definition

Stage 1

-Non billing Users listed in an LIR's portal account will be contained in a default authentication group

-Non billing users added or removed through the portal UI will be automatically adjusted in this group

-This authentication group can be referenced in MNTNER objects by a new authentication method

-These authentication groups for LIRs will be stored in a way that updates to the RIPE Database are not dependent on the availability of the portal service


Stage 2

-Non billing Users listed in an LIR's portal account can be added to and removed from user defined SSO authentication groups

-Each User can be a member of any number of named groups

-The authentication groups can be configured using the portal UI

-These groups can be referenced in MNTNER objects by the new authentication method


The chairs will now ask the RIPE NCC to work from these definitions in preparing their implementation plan.

cheers
denis

co-chair DB-WG