Allow an Admin API key for a 'parent' group to create new groups. #7724
lgtm w/ 2 minor nits
The new groups will inherit the SAML IDP Metadata URL of the original group.
b13d4fe to b361eb6
// For groups created using an API Key allow the SAML IDP Metadata URL | ||
// to be inherited if the API Key group is marked as a 'parent' group. | ||
// This allows the new group to be managed using a parent group API key. | ||
if u.HasCapability(akpb.ApiKey_ORG_ADMIN_CAPABILITY) && u.GetUserID() == "" { |
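Review bot: the `u.GetUserID() == ""` test on the `if` line acts as an implicit stand-in for "this request was authenticated with an API key", and the comment above does not say so. Since this branch decides whether a new group inherits the SAML IDP Metadata URL, state in the comment why an empty user ID is the signal, or replace it with an explicit check for API-key authentication, so a later change to how user IDs are populated cannot silently switch the inheritance on or off. The comment also limits the behavior to an API Key group "marked as a 'parent' group", but that condition is not part of the visible `if`; if it is checked inside the body, mention that here, otherwise add it to the condition.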
nit: the `UserID == ""` check doesn't seem necessary here? (it might make sense to eventually support ORG_ADMIN for personal API keys)
This API is also used by the web frontend, where `u.GetUserID() != ""`, and I don't want this behavior to occur if someone creates a group via the UI. Once the customer is done testing, the plan is to promote the relevant APIs to the public API, where we wouldn't need to do this check anymore.
The new groups will inherit the SAML IDP Metadata URL of the original group.
Related issues: N/A