Open APIs

 View Only
  • 1.  Application permissions to Entities

    TM Forum Member
    Posted Sep 26, 2022 08:06
    Hi All,

    I began looking at the TMF672 user Role and Permission management API as i'd initially thought this might be the correct choice. However i see that in here all of the examples seem to suggest use cases where a particular product has some kind of digital access platform and giving a root user (service/product account holder) access, It then goes on to allow them to manage this by adding addional people to it. I can see how this fits nicely into a use case like a VOD streaming platform where service users wish to create and manage their household profiles.

    I however had a different use case and this is internal to the organisation. The following are true

    • There are multiple COM platforms
    • There is a single SOM platform
    • Orders will be 'owned' by a division of the organisation
    • Entries in the service inventory will be 'owned' by a division of the organisation
    • Multiple platforms will need to access these orders/services (such as product/service management systems, COMs, ticketing, diagnostics systems.

    These kind of permissions are at application level and not at user (customer or employee). So it didnt feel natural to me that the use case documented in API really fitted this use case as the permissions would not be continually managed and new permissions continually be created.

    Even if the feeling is that this API could be be used im not sure if it would be efficient. Its appears like every time an entity (an order or a service) is created then a new permission must be created and assigned. This would mean that.
    • the "user" would be actually a system (i.e. COM1)
    • the granter would be a system (SOM)
    • when the SOM API was called (especially in a 'LIST' operation) it would need to take identity of the caller and then call this 672 API and the payload would be quite lengthy given the number of order references that it might return.
    I'm not sure if ive just picked on the wrong document here or just that this is a use case that hasnt been addressed/seen as needed.

    @Gregoire Laurent I noticed you were the lead on this 672 from another post so perhaps you might be one of the people able to help?

    As always, appreciate any help on this

    thanks

    Dave​

    ------------------------------
    David Whitfield
    TalkTalk Group
    ------------------------------


  • 2.  RE: Application permissions to Entities

    TM Forum Member
    Posted Oct 02, 2022 05:37
    Edited by Jonathan Goldberg Oct 02, 2022 07:57
    Hi David

    You are correct that in the current published scope of TMF672 the focus was mainly on family situations, parental controls, etc.
    Due to this limited scope, we decided to create a complete overhaul of the API, removing some constraints and adding a more flexible model of rights and permissions, basically allowing representation of RBAC and ABAC. In parallel, the corresponding Information Framework (SID) was updated. I'm the lead for this API, and it was done in cooperation with an architect from Verizon (who unfortunately has since moved on career-wise and is no longer involved in TMF activities).
    Unfortunately, the publication of the new API has been delayed due to higher priorities for version 5 publication in other areas of the Open API model.
    I can perhaps share with you the user guide as-is, with a strong warning that details might change as a part of the revised version 5 publication tools and procedures. I don't have a date for when we'll be publishing the "official" beta.

    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------



  • 3.  RE: Application permissions to Entities

    TM Forum Member
    Posted Oct 03, 2022 04:36
    Hey @Jonathan Goldberg,

    Thanks for the reply, hope you are well!

    Yes i think that seeing a draft of the user guide would be quite helpful to really see whether the current envisioned changes do help it fit closer to our use case. Could you send that to me?

    I think im really looking for a solution 'now' so its likely that you document could well help me get to a soution however i dont think i would be able to wait for V5.​

    I think my main concern was over the inference in the API examples that a permission was created for each entity (in my case service order) that is created. This seemed quite heavy weight when i apply this to the scenario of a listing of service order resources by a client of the SOM platform. The call to the user roles and permissions api in this sceanrio would yield quite a heafty payload of permissions should there be one per order?

    I was considering using the related party of the order as a mechanism to store the ownership of the resources, I wondered if you had any thoughts on this and whether it seemed like an appropriate solution 'for now'.

    ------------------------------
    David Whitfield
    TalkTalk Group
    ------------------------------



  • 4.  RE: Application permissions to Entities

    Posted Jan 19, 2023 14:01
    Hi, Jonathan!
    I've also been looking into TMF672 user Role and Permission management API for my task at hand, which is about managing user access to our new platform, and from the details you provided, the new API, which would cover RBAC and ABAC, is just what I actually need. Glad I found this discussion here :)

    Do you maybe have a date when you plan to publish the beta?

    ------------------------------
    Ekaterina Ovchinnikova
    TO BE VERIFIED
    ------------------------------



  • 5.  RE: Application permissions to Entities

    TM Forum Member
    Posted Jan 22, 2023 02:31
    Hi Ekaterina
    The v5 assets for the TMF672 API have been generated (swagger and user guide), but waiting for some global enhancements in our toolset and also for the internal team approval process. It's likely to be some time in the next several weeks but I cannot commit to an exact date.

    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------



  • 6.  RE: Application permissions to Entities

    Posted Jan 23, 2023 08:29
    Hi, Jonathan!
    Thank you for the good news, will be looking forward to the publication.

    ------------------------------
    Ekaterina Ovchinnikova
    TO BE VERIFIED
    ------------------------------



  • 7.  RE: Application permissions to Entities

    Posted Mar 01, 2023 01:42

    Hi Jonathan

    Is there any update on TMF672 User Roles and Permissions v5.0.0?  I was also wondering why the permissions occur against a party (individual) instead of a party role (employee, sales rep, customer, etc) ?  Wouldn't the granter and user depend on the role that the party is playing within the system?

    Thanks!



    ------------------------------
    Dan d'Albuquerque
    TO BE VERIFIED
    ------------------------------



  • 8.  RE: Application permissions to Entities

    TM Forum Member
    Posted Mar 01, 2023 07:35

    Hi Dan

    In the current API version (v4), the concept of permission is very much tied to Party, and this is one of the motivating factors for the complete overhaul that we've done in v5. We're on the last lap (I think), so please be patient.

    We have retained this capability to reflect ad-hoc permission assignments, such as the use cases mentioned in the user guide (parental control). But we have added the concept of a permission specification set, which is closely tied to the corresponding party role specification, exactly answering your concern.



    ------------------------------
    Jonathan Goldberg
    Amdocs Management Limited
    Any opinions and statements made by me on this forum are purely personal, and do not necessarily reflect the position of the TM Forum or my employer.
    ------------------------------



  • 9.  RE: Application permissions to Entities

    TM Forum Member
    Posted Jan 24, 2023 04:19
    In the ODA Security and Privacy team We are looking at security For ODA components and its clear we need to support both OAUTH 2 Authorization code flows intended more for users and Client credential flow which is more applicable to system so systems communication where systems / application are trusted to hold credentials. S

    Suspect this will inform API evolution but you probably need something tactical. We have some draft thinking on Identity management captured in:
    TMF-SF001: Security: IAM: ODAC SF Stage 1 and 2 Specifications: - Technical architecture and components - TM Forum Confluence

      and this will be a topic of conversation at Accelerate in Cascais  on the Tuesday ODA  afternoon sessions along with Federated Identity management requirements.

    ------------------------------
    Dave Milham
    TM Forum, Chief Architect
    ------------------------------