Open APIs

  • 1.  Application permissions to Entities

    TM Forum Member
    Posted Sep 26, 2022 08:06
    Hi All,

    I began looking at the TMF672 User Role and Permission Management API as I'd initially thought this might be the correct choice. However, I see that in here all of the examples seem to suggest use cases where a particular product has some kind of digital access platform and giving a root user (service/product account holder) access. It then goes on to allow them to manage this by adding additional people to it. I can see how this fits nicely into a use case like a VOD streaming platform where service users wish to create and manage their household profiles.

    I, however, had a different use case, and this is internal to the organisation. The following are true:

    • There are multiple COM platforms
    • There is a single SOM platform
    • Orders will be 'owned' by a division of the organisation
    • Entries in the service inventory will be 'owned' by a division of the organisation
    • Multiple platforms will need to access these orders/services (such as product/service management systems, COMs, ticketing, diagnostics systems).

    These kinds of permissions are at application level and not at user (customer or employee) level. So it didn't feel natural to me that the use case documented in the API really fitted this use case, as the permissions would not be continually managed and new permissions would not continually be created.

    Even if the feeling is that this API could be used, I'm not sure if it would be efficient. It appears that every time an entity (an order or a service) is created, a new permission must be created and assigned. This would mean that:
    • the "user" would be actually a system (i.e. COM1)
    • the granter would be a system (SOM)
    • when the SOM API was called (especially in a 'LIST' operation) it would need to take identity of the caller and then call this 672 API and the payload would be quite lengthy given the number of order references that it might return.
    I'm not sure if I've just picked on the wrong document here or just that this is a use case that hasn't been addressed/seen as needed.

    @Gregoire Laurent I noticed you were the lead on this 672 from another post so perhaps you might be one of the people able to help?

    As always, appreciate any help on this

    thanks

    Dave

    ------------------------------
    David Whitfield
    TalkTalk Group
    ------------------------------


  • 2.  RE: Application permissions to Entities

    TM Forum Member
    Posted Oct 02, 2022 05:37
    Edited by Jonathan Goldberg Oct 02, 2022 07:57
    Hi David

    You are correct that in the current published scope of TMF672 the focus was mainly on family situations, parental controls, etc.
    Due to this limited scope, we decided to create a complete overhaul of the API, removing some constraints and adding a more flexible model of rights and permissions, basically allowing representation of RBAC and ABAC. In parallel, the corresponding Information Framework (SID) was updated. I'm the lead for this API, and it was done in cooperation with an architect from Verizon (who unfortunately has since moved on career-wise and is no longer involved in TMF activities).
    Unfortunately, the publication of the new API has been delayed due to higher priorities for version 5 publication in other areas of the Open API model.
    I can perhaps share with you the user guide as-is, with a strong warning that details might change as a part of the revised version 5 publication tools and procedures. I don't have a date for when we'll be publishing the "official" beta.

    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------



  • 3.  RE: Application permissions to Entities

    TM Forum Member
    Posted Oct 03, 2022 04:36
    Hey @Jonathan Goldberg,

    Thanks for the reply, hope you are well!

    Yes, I think that seeing a draft of the user guide would be quite helpful to really see whether the current envisioned changes do help it fit closer to our use case. Could you send that to me?

    I think I'm really looking for a solution 'now', so it's likely that your document could well help me get to a solution; however, I don't think I would be able to wait for V5.

    I think my main concern was over the inference in the API examples that a permission was created for each entity (in my case service order) that is created. This seemed quite heavyweight when I apply this to the scenario of a listing of service order resources by a client of the SOM platform. The call to the user roles and permissions API in this scenario would yield quite a hefty payload of permissions should there be one per order?

    I was considering using the related party of the order as a mechanism to store the ownership of the resources, I wondered if you had any thoughts on this and whether it seemed like an appropriate solution 'for now'.

    ------------------------------
    David Whitfield
    TalkTalk Group
    ------------------------------
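
The ownership-by-related-party idea raised in post 3, sketched as an added example that is not part of the thread or of any TM Forum specification: the SOM keeps one small client-to-division mapping and filters a LIST result by each order's owner, instead of looking up one permission per order. The `relatedParty`/`role`/`id` field layout, the `owner` role value, the `CLIENT_DIVISIONS` mapping and all sample orders are assumptions constructed for illustration.

```python
# Added example: all names and sample data below are constructed for illustration.

# Hypothetical mapping held by the SOM: which divisions each calling
# application may act for. Set up once per client, not once per order.
CLIENT_DIVISIONS = {
    "COM1": {"consumer"},
    "COM2": {"business"},
    "ticketing": {"consumer", "business"},
}

OWNER_ROLE = "owner"  # assumed role value marking the owning division


def owning_divisions(order):
    """Return the ids of related parties that carry the owner role."""
    return {
        party["id"]
        for party in order.get("relatedParty", [])
        if party.get("role") == OWNER_ROLE and party.get("id")
    }


def can_access(client_id, order):
    """Deny by default: unknown clients and unowned orders get no access."""
    allowed = CLIENT_DIVISIONS.get(client_id, set())
    return bool(allowed & owning_divisions(order))


def list_orders(client_id, orders):
    """Filter a LIST result to the orders the calling application may see."""
    return [o for o in orders if can_access(client_id, o)]


# Constructed sample service orders.
ORDERS = [
    {"id": "SO-1", "relatedParty": [{"id": "consumer", "role": "owner"}]},
    {"id": "SO-2", "relatedParty": [{"id": "business", "role": "owner"}]},
    {"id": "SO-3", "relatedParty": [{"id": "consumer", "role": "requester"}]},
    {"id": "SO-4"},  # no related party recorded
]

if __name__ == "__main__":
    for client in ("COM1", "COM2", "ticketing", "unknown-app"):
        print(client, [o["id"] for o in list_orders(client, ORDERS)])
```

The check is only as strong as its inputs: `client_id` has to come from the caller's authenticated credentials, and the owner entry has to be set by the SOM at creation rather than accepted from the client's payload.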